Paul,
 
This is what I used.
 
To test with a self-signed X.509 cert:
openssl req -x509 -newkey rsa:2048 -keyout allugi.pem -out allugi.pem -days 365 -nodes
 
When done testing, then for the real deal:
Make a CSR:
openssl req -newkey rsa:2048 -out allugicsr.pem -keyout privkey.pem
then, remove the passphrase from your private key file:
openssl rsa -in privkey.pem -out privatekey.pem
 
then combine them all into one final cert file:
 
cat privatekey.pem wildcardcert.crt intermediatecert.pem rootcacert.pem > finalcert.pem
 
 
I got https working in 15 minutes using the method above, which I got
from here:
 
http://www.apsis.ch/pound/pound_list/archive/2008/2008-05/1212145288000

 
 
Cheers,
John
 
 
John Folkers, CCNP, NCTS
Sr. Network Architect
UGI Utilities, Inc.
225 Morgantown Road
Reading, PA 19612-3009
610.736.5413
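
A check for the combined file built by the steps in the message above, as an added example that is not part of the original thread: it confirms the key comes first and has no passphrase (the order used in the cat command), that the key matches the first certificate, and that the file is not readable by group or others. The function names are made up for this example, and it assumes the openssl command-line tool is installed.

```sh
#!/bin/sh
# Added example: check a combined PEM file built with the `cat` step above.
# finalcert.pem is the name from the message; pass any path as $1.

# Print the label of every PEM block, in file order.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Layout: one unencrypted private key first, then at least one certificate.
check_layout() {
    labels=$(pem_labels "$1")
    first=$(printf '%s\n' "$labels" | head -n 1)
    nkeys=$(printf '%s\n' "$labels" | grep -c 'PRIVATE KEY$' || true)
    ncerts=$(printf '%s\n' "$labels" | grep -c '^CERTIFICATE$' || true)
    case "$first" in
        'ENCRYPTED PRIVATE KEY') echo "key is still passphrase-protected"; return 1 ;;
        *'PRIVATE KEY') ;;
        *) echo "first block is '$first', expected the private key"; return 1 ;;
    esac
    # Traditional (non-PKCS#8) encrypted keys carry this header instead.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo "key is still passphrase-protected"; return 1
    fi
    [ "$nkeys" -eq 1 ] || { echo "expected 1 private key, found $nkeys"; return 1; }
    [ "$ncerts" -ge 1 ] || { echo "no certificate follows the key"; return 1; }
    echo "layout ok: key + $ncerts certificate(s)"
}

# The public key derived from the private key must equal the public key of
# the first certificate in the file (the server certificate).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The file contains an unencrypted key, so group/other must have no access.
perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

if [ "$#" -ge 1 ]; then
    check_layout "$1" || exit 1
    key_matches_cert "$1" || { echo "private key does not match certificate"; exit 1; }
    perms_ok "$1" || { echo "tighten permissions: chmod 600 $1"; exit 1; }
    echo "$1 looks consistent"
fi
```

Run it as `sh check.sh finalcert.pem` (the script name is arbitrary) before restarting the proxy with the new file.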


>>> On 1/19/2010 at 10:44 am, in message
<[email protected]>, "Paul Farrar"
<[email protected]> wrote:
Hi Dave

Thanks for replying.

I have actually made some good progress since I posted my mail.

You are correct; I do not have the luxury of doing it the sensible way.
The whole point of this is the first time we moved just 2 servers
despite giving our clients loads of warnings and information about the
change and the move, when push came to shove they failed. The next day
the help desk was flooded with calls like "the web server is down"
etc..... This time we are moving 6 servers 1

Some clients made the changes OK and worked happily, most did not. In
an effort to give them more time for the respective IT department (quite
a few are 3rd party support so no internal IT know-how) we have gone
down this route.

I now have my Linux box listening on several internal IP addresses and
passing the HTTP requests to a Windows IIS server in the new data centre
on a number of external IP addresses each with a holding page to mimic
the respective web sites.

I am in truth a bit chuffed that I sorted that bit.

I am now trying to get the certificate bit sorted so I can do HTTPS.
Any tips on this would be great. I have worked out I will have to
convert the Windows cert to a Linux one (using pkcs12 ?) and I am just
playing with that.

Many thanks again


Paul Farrar
Operations Engineer
Tel:       +44 (0) 1582816483
Mobile:  +44 (0) 7841167934
Email:   [email protected] 
http://www.stepstone.com 
StepStone Solutions (UK) Limited
475 The Boulevard
Capability Green
Luton
LU1 3LU
England
Registered in England and Wales


-----Original Message-----
From: Dave Steinberg [mailto:[email protected]] 
Sent: Tuesday 19 January 2010 15:23
To: [email protected] 
Subject: Re: [Pound Mailing List] Help Please

> 1                     Can pound fill this need ?

Yup!

> 2                     Is it a huge task to attempt for a relative noobe

Nope.  This is a pretty straightforward setup.  Normally I don't advise
people doing things above their pay grade especially if the consequences
are that your customers' sites are busted and they are going to get
pissed, but it sounds like you don't really have that freedom.

> 3                     Can anybody suggest an approach to take.

Sounds like you've got an outline of how to do it already.  Personally I
would put your pound server in the new datacenter, test it, and then
update your client's DNS to point to the pound server ahead of the
larger move.

But that's just me.  You could set it up in the old datacenter and
handle the IP-level migration later on when you're better established in
the new datacenter.  No real difference at the end of the day.

Good luck!

Regards,
--
Dave Steinberg
http://www.geekisp.com/ 
http://www.steinbergcomputing.com/ 

--
To unsubscribe send an email with subject unsubscribe to
[email protected].
Please contact [email protected] for questions.
