Hello Doc,
Pardon me if this doesn't really answer the question... Though,
here's what I do when I create my own private CA and private
certificate for my web server. The good thing about these
procedures is that you can repeat steps 3 to 7 to generate
certificates for your other web servers and have them signed *by
the same* CA.
Also, if you may want to function as some "real" private CA (sign
server and personal certificates) and do some certificate
management tasks, check out pyCA or OpenCA.
HTH,
Mike
# 0. install a mod_ssl patched apache using "make" and "make
# install" without running any of "make certificate ..." commands
# 1. generate ca private key (ca.key)
/usr/local/ssl/bin/openssl genrsa -des3 -out ca.key 1024
# 2. generate ca certificate (ca.crt) signed with ca's own private
# key (ca.key)
/usr/local/ssl/bin/openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# 3. generate web server's private key (server1.key)
/usr/local/ssl/bin/openssl genrsa -des3 -out server1.key 1024
# 4. generate web server's certificate signing request (server1.csr)
/usr/local/ssl/bin/openssl req -new -key server1.key -out server1.csr
# 5. ca signs web server's certificate signing request
# and generates web server's certificate (server1.crt)
/usr/src/mod_ssl-2.6.2-1.3.12/pkg.contrib/sign.sh server1.csr
# 6. copy web server's private key (server1.key) and certificate
# (server1.crt) where apache will find them
cp server1.key /usr/local/apache/conf/ssl.key/server.key
cp server1.crt /usr/local/apache/conf/ssl.crt/server.crt
# 7. set the following in apache's httpd.conf
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
#################################################################
Sample Session
#################################################################
# openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
..++++++
........++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PH
State or Province Name (full name) [Some-State]:Metro Manila
Locality Name (eg, city) []:Quezon City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABC Company
Organizational Unit Name (eg, section) []:ABC Company Certificate Authority
Common Name (eg, YOUR name) []:ABC Company CA
Email Address []:[EMAIL PROTECTED]
# openssl genrsa -des3 -out server1.key 1024
Generating RSA private key, 1024 bit long modulus
.......++++++
..................................................++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
# openssl req -new -key server1.key -out server1.csr
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PH
State or Province Name (full name) [Some-State]:Metro Manila
Locality Name (eg, city) []:Quezon City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XYZ Company
Organizational Unit Name (eg, section) []:XYZ Web Department
Common Name (eg, YOUR name) []:www.xyz.foo
Email Address []:[EMAIL PROTECTED]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# /usr/src/mod_ssl-2.6.2-1.3.12/pkg.contrib/sign.sh server1.csr
CA signing: server1.csr -> server1.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'PH'
stateOrProvinceName :PRINTABLE:'Metro Manila'
localityName :PRINTABLE:'Quezon City'
organizationName :PRINTABLE:'XYZ Company'
organizationalUnitName:PRINTABLE:'XYZ Web Department'
commonName :PRINTABLE:'www.xyz.foo'
emailAddress :IA5STRING:'[EMAIL PROTECTED]'
Certificate is to be certified until Apr 30 19:50:55 2001 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server1.crt <-> CA cert
server1.crt: OK
# cp server1.key /usr/local/apache/conf/ssl.key/server.key
# cp server1.crt /usr/local/apache/conf/ssl.crt/server.crt
On Fri, Apr 28, 2000 at 05:00:15PM +0800, Pablo Manalastas wrote:
> In order to make a self-signed certificate for my web server
> I need to do a 'make certificate TYPE=custom'. I tried to play
> with the many different variations of responses to
> O, OU, and CN for both CA and Subject, and some combinations
> work and others do not. If the combination does not work,
> the browser says the certificate is invalid. I found that the
> following works:
>
> CA certificate:
>
> O (organization) = host.com
> OU (organization unit) = SomeName CA
> CN (common name) = SomeName CA
> Email = [EMAIL PROTECTED]
>
> Subject (server) certificate:
>
> O (organization) = host.com (must be same as above)
> OU (organization unit) = SomeName Web
> CN (common name) = SomeName Web
> Email = [EMAIL PROTECTED]
>
> Exactly what are the rules for assigning these names so that
> the result is a valid certificate? What other combination of
> names are valid?
>
> Thanks.
-
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
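The procedure in Mike's reply, as an added example that is not part of either post: steps 1 to 5 run non-interactively with openssl, followed by the two checks that decide whether a browser accepts the result, which also answers the naming question in the original mail (the server certificate's Issuer must equal the CA certificate's Subject, and the certificate must be valid for the host name; the server's own O/OU/CN are free). Assumptions: openssl 1.1.1 or later in PATH, passphrase-less keys for the demo (the post uses -des3), and `openssl x509 -req` standing in for mod_ssl's sign.sh.

```shell
#!/bin/sh
# Added example, not from the list post: the same private-CA procedure run
# non-interactively so it can be scripted and checked. Assumes openssl 1.1.1+
# in PATH, passphrase-less keys for the demo (the post uses -des3; keep that
# for a real CA key), and "openssl x509 -req" in place of mod_ssl's sign.sh.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_SUBJ="/C=PH/ST=Metro Manila/L=Quezon City/O=ABC Company/OU=ABC Company Certificate Authority/CN=ABC Company CA"
SRV_BASE="/C=PH/ST=Metro Manila/L=Quezon City/O=XYZ Company/OU=XYZ Web Department"

# Steps 1-2: CA private key and self-signed CA certificate.
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORK/ca.key" -subj "$CA_SUBJ" -out "$WORK/ca.crt"
}

# Steps 3-5 for one host: server key, CSR, CA-signed certificate. The server's
# O/OU/CN need not match the CA's; the CA signature is what links the two.
# A subjectAltName is added because browsers match the host name against SAN.
make_server() {
    host=$1
    openssl genrsa -out "$WORK/$host.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$host.key" -subj "$SRV_BASE/CN=$host" -out "$WORK/$host.csr"
    printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
    openssl x509 -req -days 365 -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# What a browser checks: the certificate chains to the CA and is valid for the
# host name being connected to. Prints valid or invalid.
verify_for_host() {
    if openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$WORK/$1.crt" >/dev/null 2>&1
    then printf 'valid\n'; else printf 'invalid\n'; fi
}

# The naming rule that matters: the server certificate's Issuer equals the CA
# certificate's Subject exactly. Prints match or mismatch.
issuer_matches_ca() {
    iss=$(openssl x509 -in "$WORK/$1.crt" -noout -issuer)
    sub=$(openssl x509 -in "$WORK/ca.crt" -noout -subject)
    if [ "${iss#issuer=}" = "${sub#subject=}" ]; then printf 'match\n'; else printf 'mismatch\n'; fi
}

make_ca
make_server www.xyz.foo      # steps 3-7 can be repeated per server, same CA
issuer_matches_ca www.xyz.foo
verify_for_host www.xyz.foo www.xyz.foo
verify_for_host www.xyz.foo www.other.foo
```

The last call shows the browser-side failure the original mail describes: a certificate that is correctly signed by the CA is still rejected when the name it carries is not the host being visited.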