I am designing a secure web server for use in a small company. The connection must be secure.

My plan is to use SSL/TLS and 'AuthConfig/htpasswd' to make the connections. I have reviewed various explanations of how to create my own Certificate Authority and how to create both server and client certs/keys.

The confusion comes from knowing what to do with them after they are created.

SuSE 9.1
Apache 2.0.49
OpenSSL 0.9.7d
TLS 1.5.0

Apache 2 places the certs in various directories in '/etc/apache2' such as 'ssl.crt', 'ssl.csr' and 'ssl.key'.

Here is my plan ... Will it work?

Command: openssl genrsa -des3 -out ca.key 1024
Usage: This creates the Certificate Authority key. Place this in /etc/apache2/ssl.key.
Question: Should this have any sort of unique name?

Command: openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Usage: This creates the CA certificate. Place this in /etc/apache2/ssl.crt.
Question: Should this follow the same name as above?

Command: openssl genrsa -des3 -out server.key 1024
Usage: This creates the server key. Place this in /etc/apache2/ssl.key.
Question: Should this follow the FQDN? server.name.crt?

Command: mv server.key server.key.secure
Command: openssl rsa -in server.key.secure -out server.key
Usage: The first command backs up the key. The second encodes it so it is not requested after each reboot.

Command: openssl req -new -days 365 -key server.key -out server.csr
Usage: This creates the server certificate. Place this in /etc/apache2/ssl.csr.
Question: Should this follow the same name as above?

Command: ./sign.sh server.csr
Usage: Use Ralf Engelschall's script to 'sign' the certificate.

To create client certificates follow a similar process, if needed:

Command: openssl req -new -days 365 -key server.key -out client.csr
Command: openssl pkcs12 -export -in client.csr -inkey server.key -certfile server.crt -out client.p12
Usage: Convert these to 'p12' format. Use a unique client name. Import into the client's browser.
Question: Is this even required? I can see separate client certificates if I were using IPSec to make VPN connections.

What about creating a CRL?  And, what about trust for my CA?  What about converting my server.csr for use with Windows clients?  Do I insert them into the MMC or merely the browser?

Thanks for your help ....


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]

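The whole procedure the post sketches (CA, server cert, client cert, PKCS#12 bundle, and the CRL it asks about), as an added worked example that is not part of the original post or of the OpenSSL project's own code. It uses `openssl ca` with a small config file in place of Ralf Engelschall's sign.sh, because that is what keeps the issued-certificate database a CRL needs, and it signs the client CSR with the CA rather than bundling a CSR as the post's last command does. Everything not in the post is an assumption: the hostname www.example.internal, the client name alice, the PKCS#12 passphrase changeit, unencrypted private keys (a -des3 key prompts every time Apache starts), 2048-bit RSA and SHA-256 instead of the post's 1024-bit keys, and the directory layout under a single working directory instead of /etc/apache2/ssl.*.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenSSL project): a
# minimal private CA that does what the post's plan sketches, using
# `openssl ca` in place of sign.sh so that a CRL can be issued later.
# Assumptions (not from the post): hostname www.example.internal, client
# name "alice", PKCS#12 passphrase "changeit", unencrypted private keys,
# 2048-bit RSA and SHA-256 instead of the post's 1024-bit keys.
set -eu

# build_pki DIR FQDN: create CA, server and client material under DIR.
build_pki() (
    dir=$1; fqdn=$2
    mkdir -p "$dir/ca" "$dir/server" "$dir/client"
    cd "$dir"

    # Database files `openssl ca` needs: issued-cert index, next serial,
    # next CRL number. All paths in the config are relative to DIR.
    : > ca/index.txt
    echo 01 > ca/serial
    echo 01 > ca/crlnumber

    # Unquoted heredoc so $fqdn lands in the server SAN; the config has no
    # other $ references, so nothing else is expanded by the shell.
    cat > ca/openssl.cnf <<EOF
[ ca ]
default_ca       = local_ca

[ local_ca ]
database         = ./ca/index.txt
new_certs_dir    = ./ca
serial           = ./ca/serial
crlnumber        = ./ca/crlnumber
certificate      = ./ca/ca.crt
private_key      = ./ca/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_cn
unique_subject   = no

[ policy_cn ]
commonName       = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName       = Common Name

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$fqdn

[ v3_client ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

    # 1. CA key and self-signed CA certificate (the post's ca.key / ca.crt).
    openssl genrsa -out ca/ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key ca/ca.key -out ca/ca.crt \
        -config ca/openssl.cnf -extensions v3_ca -subj "/CN=Example Internal CA"

    # 2. Server key and CSR. The CSR is a request; the certificate comes
    #    out of the signing step below.
    openssl genrsa -out server/server.key 2048 2>/dev/null
    openssl req -new -key server/server.key -out server/server.csr \
        -config ca/openssl.cnf -subj "/CN=$fqdn"

    # 3. Sign the CSR with the CA (the job sign.sh does in the post).
    openssl ca -batch -notext -config ca/openssl.cnf -extensions v3_server \
        -in server/server.csr -out server/server.crt

    # 4. Client cert: its own key and CSR, signed with clientAuth usage, then
    #    the signed cert (not the CSR) plus its key bundled as PKCS#12 for a
    #    browser import.
    openssl genrsa -out client/client.key 2048 2>/dev/null
    openssl req -new -key client/client.key -out client/client.csr \
        -config ca/openssl.cnf -subj "/CN=alice"
    openssl ca -batch -notext -config ca/openssl.cnf -extensions v3_client \
        -in client/client.csr -out client/client.crt
    openssl pkcs12 -export -in client/client.crt -inkey client/client.key \
        -certfile ca/ca.crt -name alice -out client/client.p12 \
        -passout pass:changeit

    # 5. An initially empty CRL, so the server has one to load from day one.
    openssl ca -config ca/openssl.cnf -gencrl -out ca/ca.crl
)

# revoke_cert DIR CERT: mark CERT revoked in the CA database, reissue the CRL.
revoke_cert() (
    cd "$1"
    openssl ca -config ca/openssl.cnf -revoke "$2"
    openssl ca -config ca/openssl.cnf -gencrl -out ca/ca.crl
)

# verify_cert DIR CERT: chain check against the CA plus CRL check. Returns 0
# only when openssl prints "<cert>: OK"; old releases exit 0 even on a
# failed verification, so the exit status alone is not trusted.
verify_cert() (
    cd "$1"
    openssl verify -crl_check -CAfile ca/ca.crt -CRLfile ca/ca.crl "$2" 2>/dev/null \
        | grep -q ': OK$'
)
```

Run `build_pki /some/dir www.example.internal`, then point mod_ssl at the results: SSLCertificateFile and SSLCertificateKeyFile at server/server.crt and server/server.key, SSLCACertificateFile at ca/ca.crt together with SSLVerifyClient require if client certificates are wanted, and SSLCARevocationFile at ca/ca.crl. After `revoke_cert`, copy the regenerated ca/ca.crl into place and restart Apache; `verify_cert` shows the same accept/reject decision the server will make. Clients (browsers, or the Windows certificate store through the MMC) trust the server only once ca/ca.crt is imported as a trusted root; the .p12 file is what a client imports to present its own certificate.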