caveat: the CA certificate should be created before server certificates
On Mon, 1 May 2000, Michael J. Maravillo wrote:
> Hello Doc,
>
> Pardon me if this doesn't really answer the question... Though,
> here's what I do when I create my own private CA and private
> certificate for my web server. The good thing about these
> procedures is that you can repeat steps 3 to 7 to generate
> certificates for your other web servers and have them signed *by
> the same* CA.
>
> Also, if you may want to function as some "real" private CA (sign
> server and personal certificates) and do some certificate
> management tasks, check out pyCA or OpenCA.
>
> HTH,
> Mike
>
> # 0. install a mod_ssl patched apache using "make" and "make
> # install" without running any of "make certificate ..." commands
>
> # 1. generate ca private key (ca.key)
> /usr/local/ssl/bin/openssl genrsa -des3 -out ca.key 1024
> # 2. generate ca certificate (ca.crt) signed with ca's own private
> # key (ca.key)
> /usr/local/ssl/bin/openssl req -new -x509 -days 365 -key ca.key -out ca.crt
>
> # 3. generate web server's private key (server1.key)
> /usr/local/ssl/bin/openssl genrsa -des3 -out server1.key 1024
> # 4. generate web server's certificate signing request (server1.csr)
> /usr/local/ssl/bin/openssl req -new -key server1.key -out server1.csr
>
> # 5. ca signs web server's certificate signing request
> # and generates web server's certificate (server1.crt)
> /usr/src/mod_ssl-2.6.2-1.3.12/pkg.contrib/sign.sh server1.csr
>
> # 6. copy web server's private key (server1.key) and certificate
> # (server1.crt) where apache will find them
> cp server1.key /usr/local/apache/conf/ssl.key/server.key
> cp server1.crt /usr/local/apache/conf/ssl.crt/server.crt
>
> # 7. set the following in apache's httpd.conf
> SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
> SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
>
> #################################################################
> Sample Session
> #################################################################
>
> # openssl genrsa -des3 -out ca.key 1024
> Generating RSA private key, 1024 bit long modulus
> ..++++++
> ........++++++
> e is 65537 (0x10001)
> Enter PEM pass phrase:
> Verifying password - Enter PEM pass phrase:
>
> # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> Using configuration from /usr/local/ssl/openssl.cnf
> Enter PEM pass phrase:
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:PH
> State or Province Name (full name) [Some-State]:Metro Manila
> Locality Name (eg, city) []:Quezon City
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABC Company
> Organizational Unit Name (eg, section) []:ABC Company Certificate Authority
> Common Name (eg, YOUR name) []:ABC Company CA
> Email Address []:[EMAIL PROTECTED]
>
> # openssl genrsa -des3 -out server1.key 1024
> Generating RSA private key, 1024 bit long modulus
> .......++++++
> ..................................................++++++
> e is 65537 (0x10001)
> Enter PEM pass phrase:
> Verifying password - Enter PEM pass phrase:
>
> # openssl req -new -key server1.key -out server1.csr
> Using configuration from /usr/local/ssl/openssl.cnf
> Enter PEM pass phrase:
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:PH
> State or Province Name (full name) [Some-State]:Metro Manila
> Locality Name (eg, city) []:Quezon City
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:XYZ Company
> Organizational Unit Name (eg, section) []:XYZ Web Department
> Common Name (eg, YOUR name) []:www.xyz.foo
> Email Address []:[EMAIL PROTECTED]
>
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:
>
> # /usr/src/mod_ssl-2.6.2-1.3.12/pkg.contrib/sign.sh server1.csr
> CA signing: server1.csr -> server1.crt:
> Using configuration from ca.config
> Enter PEM pass phrase:
> Check that the request matches the signature
> Signature ok
> The Subjects Distinguished Name is as follows
> countryName :PRINTABLE:'PH'
> stateOrProvinceName :PRINTABLE:'Metro Manila'
> localityName :PRINTABLE:'Quezon City'
> organizationName :PRINTABLE:'XYZ Company'
> organizationalUnitName:PRINTABLE:'XYZ Web Department'
> commonName :PRINTABLE:'www.xyz.foo'
> emailAddress :IA5STRING:'[EMAIL PROTECTED]'
> Certificate is to be certified until Apr 30 19:50:55 2001 GMT (365 days)
> Sign the certificate? [y/n]:y
>
>
> 1 out of 1 certificate requests certified, commit? [y/n]y
> Write out database with 1 new entries
> Data Base Updated
> CA verifying: server1.crt <-> CA cert
> server1.crt: OK
>
> # cp server1.key /usr/local/apache/conf/ssl.key/server.key
> # cp server1.crt /usr/local/apache/conf/ssl.crt/server.crt
>
> On Fri, Apr 28, 2000 at 05:00:15PM +0800, Pablo Manalastas wrote:
> > In order to make a self-signed certificate for my web server
> > I need to do a 'make certificate TYPE=custom'. I tried to play
> > with the many different variations of responses to
> > O, OU, and CN for both CA and Subject, and some combinations
> > work and others do not. If the combination does not work,
> > the browser says the certificate is invalid. I found that the
> > following works:
> >
> > CA certificate:
> >
> > O (organization) = host.com
> > OU (organization unit) = SomeName CA
> > CN (common name) = SomeName CA
> > Email = [EMAIL PROTECTED]
> >
> > Subject (server) certificate:
> >
> > O (organization) = host.com (must be same as above)
> > OU (organization unit) = SomeName Web
> > CN (common name) = SomeName Web
> > Email = [EMAIL PROTECTED]
> >
> > Exactly what are the rules for assigning these names so that
> > the result is a valid certificate? What other combinations of
> > names are valid?
> >
> > Thanks.
-
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
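The thread's procedure (CA key and self-signed CA cert first, then a server key, a request, and a CA-signed server cert, then a check of server1.crt against the CA cert) and the question about which O/OU/CN combinations are "valid" both come down to one rule: the server certificate's Issuer is copied from the CA certificate's Subject, and the signature on the server certificate must verify under the CA's key. The Subject fields of the server certificate are free to differ from the CA's in every component. The following is an added example, not code from the original posts, mod_ssl's sign.sh or OpenSSL; it performs the same steps with Go's standard-library crypto/x509 and uses ECDSA P-256 keys in place of the 1024-bit RSA keys of the sample session. It also puts the host name in a subjectAltName, which is what current verifiers match rather than the CN, and shows the two failure modes a verifier actually reports: a host name that does not match, and a root whose Subject equals the real CA's but whose key is different.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// dn fills the Distinguished Name fields the openssl prompts ask for; the
// country/state/city values are the ones from the sample session.
func dn(org, ou, cn string) pkix.Name {
	return pkix.Name{
		Country:            []string{"PH"},
		Province:           []string{"Metro Manila"},
		Locality:           []string{"Quezon City"},
		Organization:       []string{org},
		OrganizationalUnit: []string{ou},
		CommonName:         cn,
	}
}

// newCA is steps 1-2 (genrsa + "req -new -x509"): a fresh key and a
// self-signed certificate with BasicConstraints CA=true. Its Subject becomes
// the Issuer of everything it signs, which is why it must exist first.
func newCA(org, ou, cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               dn(org, ou, cn),
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// parent == template makes the certificate self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServerCert is steps 3-5: the server's own key pair and a certificate
// for its public key signed with the CA key (the role sign.sh plays). The
// Subject may differ from the CA's in every field; the Issuer is taken from
// ca.Subject and the host name goes into the SAN extension.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, org, ou, cn, host string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      dn(org, ou, cn),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyChain is the "CA verifying: server1.crt <-> CA cert" step: build a
// path from the server certificate to the given root and match the host name.
func verifyChain(server, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, caKey, err := newCA("ABC Company", "ABC Company Certificate Authority", "ABC Company CA")
	if err != nil {
		panic(err)
	}
	srv, _, err := issueServerCert(ca, caKey, "XYZ Company", "XYZ Web Department", "www.xyz.foo", "www.xyz.foo")
	if err != nil {
		panic(err)
	}
	fmt.Println("issuer :", srv.Issuer.String())
	fmt.Println("subject:", srv.Subject.String())
	fmt.Println("real CA, right host :", verifyChain(srv, ca, "www.xyz.foo"))
	fmt.Println("real CA, wrong host :", verifyChain(srv, ca, "www.other.foo"))
	// A second CA with the identical Subject but its own key: the names line
	// up, the signature does not, so path building fails.
	impostor, _, _ := newCA("ABC Company", "ABC Company Certificate Authority", "ABC Company CA")
	fmt.Println("same name, other key:", verifyChain(srv, impostor, "www.xyz.foo"))
}
```

Running it prints the server certificate's Issuer (equal to the CA Subject) and Subject (the XYZ fields), a nil error for the genuine chain, a hostname error for the wrong host, and an unknown-authority error for the look-alike CA. For the Apache deployment in steps 6-7 the equivalent artefacts would be written out as PEM (`CERTIFICATE` and `EC PRIVATE KEY` blocks) into the `ssl.crt` and `ssl.key` paths the post names.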