Juan Martinez wrote:
> I've generated a dummy certificate and the httpsd daemon
> starts. When I try to load a page however, the client shows
> a "Network: Broken Pipe" error. For each attempt to read a
> page, the httpsd error log shows something like:
>
> [Tue Jul 11 10:54:07 2000] [notice] child pid 8946 exit signal
> Segmentation fault (11)

You've probably got your certificates and keys mixed up. Try using the attached script.
#!/bin/sh
#
# This is a self documenting shell script. It is intended that you read
# this file before executing it.
#
# There are a few things that should be checked further:
# 1) This script creates new private keys for every CSR. As far as I know,
#    you can create any number of CSRs using the same key. Are there any
#    advantages/disadvantages to creating new keys for each certificate?
#    Should we be reusing keys?
# 2) This script unencrypts the private key so that apache can use it.
#    Does apache-ssl need the key to function? If not, we can avoid
#    keeping an unencrypted key around, and avoid specifying that file
#    in apache's configs.
#
# This script should be run in /usr/local/ssl/certs.archive/<DOMAIN>/<YEAR>,
# so that we can keep an archival copy of all certificates, and related
# files.
# Once finished, the certificate should be placed in /usr/local/ssl/certs,
# and the private key (unencrypted) should be in /usr/local/ssl/private
#
# All of the files in /usr/local/ssl/private should be mode 0400, and owned
# by root. Apache will read them as root, before it drops root permissions.
# The original keys should also be mode 0400 and owned by root.
#
PATH=$PATH:/usr/local/ssl/bin

# Create every file this script writes (the keys included) readable by
# the owner only, so the permission requirement above holds from the
# moment the key hits the disk rather than after a later chmod.
umask 077

#
# Give the domain name as the first argument to this script.
#
DOMAIN=$1
[ "$DOMAIN" = "" ] && {
    echo "No domain given"
    exit 1
}

#
# If you wish to have an organization's name attached to this certificate,
# then it should be the second argument to this script.
# Because SSL does not require this field, no default is given. However,
# Thawte may require an organization's name to be attached to a certificate,
# so this script SHOULD be called as:
#   ./Generate_SSL_Certificate <DOMAINNAME> "<Organization Name>"
#
ORG=$2
[ "$ORG" = "" ] && {
    echo "No organization name given, using \".\""
    ORG="."
}

EMAIL=$3
[ "$EMAIL" = "" ] && {
    echo "No email address given, using [EMAIL PROTECTED]"
    EMAIL="[EMAIL PROTECTED]"   # the default address was redacted by the list archive
}

#
# The first step in generating a certificate is to generate a CSR, or
# certificate request. This step will also generate an encrypted,
# private key, called privkey.pem. Don't lose this file, or the
# password used to encrypt the key. That would be bad.
#
# The lines below answer the interactive prompts in order: country,
# state, locality, organization, organizational unit ("." leaves the
# field empty), common name (the domain) and email. The two empty lines
# accept the defaults for the "extra" attributes (challenge password and
# optional company name) that the stock openssl.cnf asks for afterwards.
# The passphrase for the key is read from the terminal, not from stdin.
#
openssl req -new > "${DOMAIN}.csr" <<EOF
US
Washington
Ellensburg
${ORG}
.
${DOMAIN}
${EMAIL}


EOF

#
# Now, we remove the password (unencrypt) from the domain's private key.
# The resulting key is used by apache.
#
openssl rsa -in privkey.pem -out "${DOMAIN}.cert.key"

#
# Finally, use the CSR (certificate request) and our own private key to
# create a "self signed" certificate. This certificate can be used
# until a certificate signed by a known authority (eg Thawte) is
# available.
#
openssl x509 -in "${DOMAIN}.csr" \
    -out "${DOMAIN}.cert" \
    -req -signkey "${DOMAIN}.cert.key" \
    -days 365

#
# I'm renaming this file for consistency.
#
mv privkey.pem "${DOMAIN}.privkey.pem"

#
# We should now have the following files:
#   DOMAIN.privkey.pem  The PEM encrypted private key
#   DOMAIN.cert.key     The unencrypted private key used by apache
#   DOMAIN.csr          The certificate request used by Thawte
#   DOMAIN.cert         The certificate that we signed
#
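A quick way to confirm the "certificates and keys mixed up" diagnosis before touching the daemon is to check that the public key inside the certificate belongs to the private key, and to notice when the two files have simply been swapped. This is an added example, not part of the original message or the attached script; it assumes a current openssl that provides the pkey subcommand and an unencrypted key file (the kind the script writes for apache).

```sh
#!/bin/sh
# check_cert_key_pair CERT.pem KEY.pem
# exit 0 = the key matches the certificate
# exit 1 = both files are valid but do not belong together
# exit 2 = a file is not the type expected (e.g. the paths were swapped),
#          which the server may report only as a crash or broken pipe

pub_from_cert() {
    # Public key (SubjectPublicKeyInfo, PEM) carried inside the certificate
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

pub_from_key() {
    # Public half derived from the private key; an encrypted key would
    # prompt for its passphrase here, the apache copy must be unencrypted
    openssl pkey -in "$1" -pubout 2>/dev/null
}

check_cert_key_pair() {
    cert=$1
    key=$2
    c=$(pub_from_cert "$cert")
    if [ -z "$c" ]; then
        if openssl pkey -in "$cert" -noout 2>/dev/null; then
            echo "$cert is a private key, not a certificate (arguments swapped?)" >&2
        else
            echo "$cert: not a readable PEM certificate" >&2
        fi
        return 2
    fi
    k=$(pub_from_key "$key")
    if [ -z "$k" ]; then
        if openssl x509 -in "$key" -noout 2>/dev/null; then
            echo "$key is a certificate, not a private key (arguments swapped?)" >&2
        else
            echo "$key: not a readable unencrypted PEM private key" >&2
        fi
        return 2
    fi
    # Both sides are the same PEM encoding of the same SubjectPublicKeyInfo
    # when the pair belongs together, so a plain string compare is enough
    if [ "$c" = "$k" ]; then
        echo "OK: $key matches $cert"
        return 0
    fi
    echo "MISMATCH: the public key in $cert does not belong to $key" >&2
    return 1
}
```

Run it as `check_cert_key_pair /usr/local/ssl/certs/DOMAIN.cert /usr/local/ssl/private/DOMAIN.cert.key` against the exact paths named in the apache configuration.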