Re: Problems compiling mod_ssl with apache 2.0.44
I have just got an email from another user of RH8 who has the same problem. I have told him to post it on the list. So it looks like there is a problem.

Sasa

On 2/8/2003 12:48 AM, Geoff Thorpe wrote:

> * Sasa STUPAR ([EMAIL PROTECTED]) wrote:
> > No, it doesn't. I have compiled it with prefix /usr/include and openssldir /usr/include/openssl and there are no headers. I haven't noticed it at first but when I wanted to compile apache with mod_ssl it returns an error that it was unable to find headers for ssl. Is there someone else reporting the same problem ? Maybe this is related to the RedHat8 distribution only.
>
> Well RH8 has openssl bundled though probably not with the headers, and I can't say much else about what RH might be doing because I don't use it. However, trying to install to a prefix of /usr/include would be pretty terrible - as it will install all binaries, libraries, and include files in *sub-directories* of /usr/include! Are you sure you did this, or did you mean /usr/local?
>
> Anyway, I'd be interested to see a log of this problem if you wouldn't mind? If there's an openssl bug inside it, I'll try and get it identified and fixed for the next release (0.9.7a). Eg. could you please repeat your steps and send me the logs as;
>
>     # ./config [...] 1> c1.log 2> c2.log
>     # make [...] 1> m1.log 2> m2.log
>     # make install 1> i1.log 2> i2.log
>
> or something like that?
>
> Cheers,
> Geoff

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Problems compiling mod_ssl with apache 2.0.44
I have forgot... Original installation of RH8 has openssl in /usr/include/openssl and there are all the headers. Since this is a version 0.9.6.b I have decided to upgrade. I have made prefix=/usr/include and openssldir=/usr/include/openssl. So after the installation it put the binary dir to /usr/include and to the /usr/include/openssl dirs apps, lib, etc. In /usr/include there are no headers so I have manually copied them to /usr/include/openssl.

On 2/8/2003 12:48 AM, Geoff Thorpe wrote:

> * Sasa STUPAR ([EMAIL PROTECTED]) wrote:
> > No, it doesn't. I have compiled it with prefix /usr/include and openssldir /usr/include/openssl and there are no headers. I haven't noticed it at first but when I wanted to compile apache with mod_ssl it returns an error that it was unable to find headers for ssl. Is there someone else reporting the same problem ? Maybe this is related to the RedHat8 distribution only.
>
> Well RH8 has openssl bundled though probably not with the headers, and I can't say much else about what RH might be doing because I don't use it. However, trying to install to a prefix of /usr/include would be pretty terrible - as it will install all binaries, libraries, and include files in *sub-directories* of /usr/include! Are you sure you did this, or did you mean /usr/local?
>
> Anyway, I'd be interested to see a log of this problem if you wouldn't mind? If there's an openssl bug inside it, I'll try and get it identified and fixed for the next release (0.9.7a). Eg. could you please repeat your steps and send me the logs as;
>
>     # ./config [...] 1> c1.log 2> c2.log
>     # make [...] 1> m1.log 2> m2.log
>     # make install 1> i1.log 2> i2.log
>
> or something like that?
>
> Cheers,
> Geoff
Re: Problems compiling mod_ssl with apache 2.0.44
Ok, I have found the problem. If you want to have files in the same directories as the original installation of RH8 you have to use ./config --prefix=/usr. Sorry for that confusion. It is the distribution which is strange.

Sasa

On 2/8/2003 10:22 AM, Sasa STUPAR wrote:

> I have forgot... Original installation of RH8 has openssl in /usr/include/openssl and there are all the headers. Since this is a version 0.9.6.b I have decided to upgrade. I have made prefix=/usr/include and openssldir=/usr/include/openssl. So after the installation it put the binary dir to /usr/include and to the /usr/include/openssl dirs apps, lib, etc. In /usr/include there are no headers so I have manually copied them to /usr/include/openssl.
>
> On 2/8/2003 12:48 AM, Geoff Thorpe wrote:
>
> > * Sasa STUPAR ([EMAIL PROTECTED]) wrote:
> > > No, it doesn't. I have compiled it with prefix /usr/include and openssldir /usr/include/openssl and there are no headers. I haven't noticed it at first but when I wanted to compile apache with mod_ssl it returns an error that it was unable to find headers for ssl. Is there someone else reporting the same problem ? Maybe this is related to the RedHat8 distribution only.
> >
> > Well RH8 has openssl bundled though probably not with the headers, and I can't say much else about what RH might be doing because I don't use it. However, trying to install to a prefix of /usr/include would be pretty terrible - as it will install all binaries, libraries, and include files in *sub-directories* of /usr/include! Are you sure you did this, or did you mean /usr/local?
> >
> > Anyway, I'd be interested to see a log of this problem if you wouldn't mind? If there's an openssl bug inside it, I'll try and get it identified and fixed for the next release (0.9.7a). Eg. could you please repeat your steps and send me the logs as;
> >
> >     # ./config [...] 1> c1.log 2> c2.log
> >     # make [...] 1> m1.log 2> m2.log
> >     # make install 1> i1.log 2> i2.log
> >
> > or something like that?
> >
> > Cheers,
> > Geoff
Re: Problems compiling mod_ssl with apache 2.0.44
Prior to the installation I have manually removed the old version of Openssl and other dirs from my previous installs and I have no problem... everything works well. Thanks for info.

Sasa

On 2/8/2003 7:08 PM, Geoff Thorpe wrote:

> * Sasa STUPAR ([EMAIL PROTECTED]) wrote:
> > Ok, I have found the problem. If you want to have files in the same directories as the original installation of RH8 you have to use ./config --prefix=/usr. Sorry for that confusion. It is the distribution which is strange.
>
> Phew, I was starting to wonder what I was missing here :-) As I mentioned originally, using /usr/include as an installation prefix doesn't make sense because it will create the standard {include,bin,man} tree beneath that and install. Hence /usr or /usr/local make more sense.
>
> Also, especially on package management systems like RH, you're better not to simply install *over* existing files, particularly as a newer version of openssl may have removed headers that were in a previous version, so the old ones will end up mixed up with the new ones. And of course if a bug-fix release is made by RH to the older version, eg. 0.9.6x, that could seriously screw things up if you'd installed 0.9.7 over the top. It could also totally mangle your system's RPM database, and various other carnage is possible.
>
> The solution is to either grapple with RH's dependencies to try and build a replacement openssl RPM from source to upgrade to (which many will tell you is an only slightly less difficult problem than the alchemy of gold itself) or to install openssl elsewhere and make sure your system paths are organised appropriately. Eg. you could use /usr/local or /opt as a place to manually install packages such as a newer openssl, and make sure that the bin subdirectory is earlier in PATH than /usr/bin, ditto for the lib subdirectory in /etc/ld.so.conf, the man subdirectory in /etc/man.config, and so on ...
>
> BTW: You should check your /usr/include tree that there aren't bits and pieces of openssl cruft in there left over from your previous efforts - eg. your previous installation attempts probably created weird directories like /usr/include/bin, /usr/include/include, etc.
>
> Cheers,
> Geoff
Re: Problems compiling mod_ssl with apache 2.0.44
I have just successfully compiled apache 2.0.44 with mod_ssl and openssl 0.9.7 on RH8. First I have compiled openssl then apache and everything works fine. One trick: after make install in openssl it doesn't copy headers so you have to manually copy them to your install directory.

On 2/7/2003 10:25 AM, Erik Melkersson wrote:

> Hi! Thanks for the reply.
>
> Geoff Thorpe wrote: ...
> > The kind of linker error you report usually suggests the code was compiled against one openssl version's headers, but is trying to link against a different openssl version's libraries
>
> Yes, I tried to compile it against different openssl-version and didn't make clean in between (dumb fault by me)
>
> After cleaning and compiling again we get some other errors. undefined reference to OPENSSL_free, RAND_egd and RAND_status (see below for complete data)
>
> In order to make apache compile we
> - changed OPENSSL_free to CRYPTO_free in a #define in the modules/ssl/ headers file. (As that is done in openssl anyway)
> - commented out the 3+3 lines where RAND_egd and RAND_status are used in modules/ssl/ssl_engine_rand.c
>
> Now we can compile and use it over ssl even though commenting out non working code is probably a bad thing to do.
>
> ./configure --prefix=/service/apache2 --exec-prefix=/service/apache2/arch/linux-intel --enable-ssl --with-openssl=/service/apache2/openssl/
> ...lots of rows...
> make
> ...lots of rows...
> /bin/sh /usr/local/service/apache2/src/httpd-2.0.44/srclib/apr/libtool --mode=link gcc -g -O2 -pthread-DLINUX=2 -D_REENTRANT -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -DAP_HAVE_DESIGNATED_INITIALIZER -I/usr/local/service/apache2/src/httpd-2.0.44/srclib/apr/include -I/usr/local/service/apache2/src/httpd-2.0.44/srclib/apr-util/include -I/service/apache2/openssl/include -I/usr/local/service/apache2/src/httpd-2.0.44/srclib/apr-util/xml/expat/lib -I. -I/usr/local/service/apache2/src/httpd-2.0.44/os/unix -I/usr/local/service/apache2/src/httpd-2.0.44/server/mpm/prefork -I/usr/local/service/apache2/src/httpd-2.0.44/modules/http -I/usr/local/service/apache2/src/httpd-2.0.44/modules/filters -I/usr/local/service/apache2/src/httpd-2.0.44/modules/proxy -I/usr/local/service/apache2/src/httpd-2.0.44/include -I/usr/local/ssl/include/openssl -I/usr/local/ssl/include -I/usr/local/service/apache2/src/httpd-2.0.44/modules/dav/main -export-dynamic -L/usr/local/service/apache2/src/httpd-2.0.44/srclib/apr-util/xml/expat/lib -L/usr/local/ssl/lib -o httpd modules.lo modules/aaa/mod_access.la modules/aaa/mod_auth.la modules/filters/mod_include.la modules/loggers/mod_log_config.la modules/metadata/mod_env.la modules/metadata/mod_setenvif.la modules/ssl/mod_ssl.la modules/http/mod_http.la modules/http/mod_mime.la modules/generators/mod_status.la modules/generators/mod_autoindex.la modules/generators/mod_asis.la modules/generators/mod_cgi.la modules/mappers/mod_negotiation.la modules/mappers/mod_dir.la modules/mappers/mod_imap.la modules/mappers/mod_actions.la modules/mappers/mod_userdir.la modules/mappers/mod_alias.la modules/mappers/mod_so.la server/mpm/prefork/libprefork.la server/libmain.la os/unix/libos.la -lssl -lcrypto /usr/local/service/apache2/src/httpd-2.0.44/srclib/pcre/libpcre.la /usr/local/service/apache2/src/httpd-2.0.44/srclib/apr-util/libaprutil-0.la -lgdbm -ldb /usr/local/service/apache2/src/httpd-2.0.44/srclib/apr-util/xml/expat/lib/libexpat.la /usr/local/service/apache2/src/httpd-2.0.44/srclib/apr/libapr-0.la -lm -lcrypt -lnsl -lresolv -ldl
> modules/ssl/.libs/mod_ssl.al(ssl_engine_kernel.lo): In function `ssl_hook_UserCheck':
> /usr/local/service/apache2/src/httpd-2.0.44/modules/ssl/ssl_engine_kernel.c:875: undefined reference to `OPENSSL_free'
> modules/ssl/.libs/mod_ssl.al(ssl_engine_kernel.lo): In function `ssl_callback_SSLVerify':
> /usr/local/service/apache2/src/httpd-2.0.44/modules/ssl/ssl_engine_kernel.c:1206: undefined reference to `OPENSSL_free'
> /usr/local/service/apache2/src/httpd-2.0.44/modules/ssl/ssl_engine_kernel.c:1210: undefined reference to `OPENSSL_free'
> modules/ssl/.libs/mod_ssl.al(ssl_engine_kernel.lo): In function `ssl_callback_SSLVerify_CRL':
> /usr/local/service/apache2/src/httpd-2.0.44/modules/ssl/ssl_engine_kernel.c:1469: undefined reference to `OPENSSL_free'
> modules/ssl/.libs/mod_ssl.al(ssl_engine_kernel.lo): In function `modssl_proxy_info_log':
> /usr/local/service/apache2/src/httpd-2.0.44/modules/ssl/ssl_engine_kernel.c:1507: undefined reference to `OPENSSL_free'
> modules/ssl/.libs/mod_ssl.al(ssl_engine_rand.lo): In function `ssl_rand_seed':
> /usr/local/service/apache2/src/httpd-2.0.44/modules/ssl/ssl_engine_rand.c:125: undefined reference to `RAND_egd'
> /usr/local/service/apache2/src/httpd-2.0.44/modules/ssl/ssl_engine_rand.c:163: undefined reference to `RAND_status'
> modules/ssl/.libs/mod_ssl.al(ssl_engine_vars.lo): In function `ssl_var_lookup_ssl_cert':
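The condition Geoff describes in the quoted reply (objects compiled against one OpenSSL version's headers, linked against another version's libraries) can be checked from the build command itself. The script below is an added example, not code from this thread or from the OpenSSL or Apache projects: the function names, the temporary directory tree and the version strings written into it are constructed, and it assumes paths without spaces and the literal pre-3.0 form of OPENSSL_VERSION_TEXT in opensslv.h.

```shell
#!/bin/sh
# Added example (not from the thread): flag a compiler/linker command line
# that can mix OpenSSL trees. Paths and version strings below are constructed.

# Version recorded in <dir>/openssl/opensslv.h, e.g. "OpenSSL 0.9.7".
# Assumes the literal  #define OPENSSL_VERSION_TEXT "OpenSSL x.y.z ..."  form.
header_version() {
    [ -f "$1/openssl/opensslv.h" ] || return 1
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_VERSION_TEXT[[:space:]]\{1,\}"\(OpenSSL [^ "]*\).*/\1/p' \
        "$1/openssl/opensslv.h" | head -n 1
}

# One line per -I directory that holds OpenSSL headers: "<version><TAB><dir>".
# The command line is word-split, so paths must not contain spaces.
scan_includes() (
    set -f                          # no globbing while splitting the command
    for word in $1; do
        case "$word" in
            -I?*)
                dir=${word#-I}
                ver=$(header_version "$dir") || continue
                [ -n "$ver" ] && printf '%s\t%s\n' "$ver" "$dir"
                ;;
        esac
    done
    exit 0
)

# Number of distinct OpenSSL header versions reachable through -I.
header_version_count() {
    scan_includes "$1" | cut -f1 | sort -u | wc -l | tr -d ' '
}

# OpenSSL include roots whose sibling lib directory is not on the -L path:
# their headers get compiled in, but libssl/libcrypto come from another tree.
orphan_include_roots() (
    set -f
    libs=" "
    for word in $1; do
        case "$word" in -L?*) libs="$libs${word#-L} " ;; esac
    done
    scan_includes "$1" | while IFS="$(printf '\t')" read -r ver dir; do
        root=${dir%/include}
        case "$libs" in
            *" $root/lib "*) ;;
            *) printf '%s (%s)\n' "$dir" "$ver" ;;
        esac
    done
)

# Build a fake OpenSSL install tree: make_tree <root> <version text>
make_tree() {
    mkdir -p "$1/include/openssl" "$1/lib"
    printf '#define OPENSSL_VERSION_TEXT\t"OpenSSL %s"\n' "$2" \
        > "$1/include/openssl/opensslv.h"
}

demo() {
    t=$(mktemp -d) || return 1
    make_tree "$t/service/apache2/openssl" "0.9.7 31 Dec 2002"
    make_tree "$t/usr/local/ssl" "0.9.6b 9 Jul 2001"
    # Same shape as the link line in the post: two include roots, one -L.
    cmd="gcc -I$t/service/apache2/openssl/include -I$t/usr/local/ssl/include/openssl -I$t/usr/local/ssl/include -L$t/usr/local/ssl/lib -o httpd -lssl -lcrypto"
    echo "distinct header versions: $(header_version_count "$cmd")"
    echo "include roots without a matching -L:"
    orphan_include_roots "$cmd"
    rm -rf "$t"
}

demo
```

Paste the real compile or link line in place of `cmd` to run the same check against an actual build.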
Re: Problems compiling mod_ssl with apache 2.0.44
No, it doesn't. I have compiled it with prefix /usr/include and openssldir /usr/include/openssl and there are no headers. I haven't noticed it at first but when I wanted to compile apache with mod_ssl it returns an error that it was unable to find headers for ssl. Is there someone else reporting the same problem ? Maybe this is related to the RedHat8 distribution only.

Sasa

On 2/7/2003 7:17 PM, Geoff Thorpe wrote:

> * Sasa STUPAR ([EMAIL PROTECTED]) wrote:
> > I have just successfully compiled apache 2.0.44 with mod_ssl and openssl 0.9.7 on RH8. First I have compiled openssl then apache and everything works fine. One trick: after make install in openssl it doesn't copy headers so you have to manually copy them to your install directory.
>
> It doesn't? It certainly should - can you please double-check this and report the details to me if it's true? No one (to my knowledge) has reported this problem and openssl 0.9.7 has been through a fairly extensive beta testing period (during which the header installation didn't AFAICS require any hacking).
>
> Cheers,
> Geoff
Re: Create new SSL certificate for https
use this command:

    openssl req -config openssl.cnf -new -out xxx.csr
    openssl rsa -in privkey.pem -out xxx.key
    openssl x509 -in xxx.csr -out xxx.cert -req -signkey xxx.key -days 365
    openssl x509 -in xxx.cert -out xxx.der.crt -outform DER

cy user wrote:

> I need to create new certificates for my apache server. I'm a little confused on how to do this. Does anyone have a good link they can tell me or anything.
>
> Thanks
> Rob
Redirection
Hi !

I have set up Apache 2.0.43+mod_ssl and it is working fine. Now I would like to redirect all requests for http://myserver to https://myserver-ssl but with option Redirect I don't get by - it tells me that there are too many relays or something like this. I have looked for mod_rewrite but since I am a newbie I don't understand what I should do with it. Can anyone help me with this, please ?

Sasa
Re: changing certificate
Just find it on the disc and delete it.

Gilberto Garcia Jr. wrote:

> Is there any way to erase the certificate and create a new one?
>
> thks
Re: Problems with creating own CA
Well, the thing is that just adding ...-config openssl.cnf... was enough. Now it works. Thanx

Long, Liesheng wrote:

> Do .csr first, then do .crt
>
> Try the following commands, add your path if needed:
>
> 1. openssl req -config openssl.cnf -new -key ca.key -out ca.csr
> 2. openssl x509 -extfile openssl.conf -days 365 -signkey ca.key \
>    -in ca.csr -req -out ca.crt
>
> -----Original Message-----
> From: Sasa STUPAR [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 28, 2002 11:50 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Problems with creating own CA
>
> One thing, if I try to use directly with the command
>
>     openssl req -new -x509 -days 365 -key ca.key -out ca.crt
>
> I get back error like before with also that it cannot load config info. Any idea ?
>
> Maurizio Marini wrote:
>
> > On Thursday 28 November 2002 05:01 pm, Sasa STUPAR wrote:
> > > They are already uncommented. Here is attached my config file.
> >
> > I've:
> >
> >     commonName = Common Name (eg, your name or your server\'s hostname)
> >     commonName_max = 64
> >     commonName_default = iris.dev.datalogica.com
> >
> > it seems u lack this:
> >
> >     commonName_default = your_fqdn
> >
> > --
> > Maurizio Marini
Re: Problems with creating own CA
OK, so creating a certificate is done. How do I sign it ? I am using windows but I have read in the documents to use sign.sh in mod-perl. Ok but I am not having Linux anywhere near me. So what can I do ?

Sasa STUPAR wrote:

> Well, the thing is that just adding ...-config openssl.cnf... was enough. Now it works. Thanx
>
> Long, Liesheng wrote:
>
> > Do .csr first, then do .crt
> >
> > Try the following commands, add your path if needed:
> >
> > 1. openssl req -config openssl.cnf -new -key ca.key -out ca.csr
> > 2. openssl x509 -extfile openssl.conf -days 365 -signkey ca.key \
> >    -in ca.csr -req -out ca.crt
> >
> > -----Original Message-----
> > From: Sasa STUPAR [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, November 28, 2002 11:50 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Problems with creating own CA
> >
> > One thing, if I try to use directly with the command
> >
> >     openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> >
> > I get back error like before with also that it cannot load config info. Any idea ?
> >
> > Maurizio Marini wrote:
> >
> > > On Thursday 28 November 2002 05:01 pm, Sasa STUPAR wrote:
> > > > They are already uncommented. Here is attached my config file.
> > >
> > > I've:
> > >
> > >     commonName = Common Name (eg, your name or your server\'s hostname)
> > >     commonName_max = 64
> > >     commonName_default = iris.dev.datalogica.com
> > >
> > > it seems u lack this:
> > >
> > >     commonName_default = your_fqdn
> > >
> > > --
> > > Maurizio Marini
Re: Problems with creating own CA
Ok I have made a server certificate and a client certificate. I have configured apache and ssl.conf with everything necessary BUT when I try to connect to myserver:443 it tells me connection has been refused. Any idea ?

Maurizio Marini wrote:

> On Tuesday 03 December 2002 03:22 pm, Sasa STUPAR wrote:
> > OK, so creating a certificate is done. How do I sign it ? I am using windows but I have read in the documents to use sign.sh in mod-perl. Ok but I am not having Linux anywhere near me. So what can I do ?
>
> try a self-signed
>
>     openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout server.key -out server.crt
>
> --
> Maurizio Marini
Please help !!!!
Hi !

I have configured Apache 2.0.43 with mod_ssl and I have created CA and client certificates but now I cannot access my ssl server "https://myserver". What have I made wrong?
Problems with creating own CA
Hi !

I am trying to create my own CA. The creation of a key file is fine. When I try to create a CSR file I get back an error:

    unable to find a 'distinguished_name' in config.

I am running on winXP with openssl 0.9.6g. I wanted to make a server certificate for my Apache. Please help me !

Sasa
Re: Problems with creating own CA
They are already uncommented. Here is attached my config file.

Maurizio Marini wrote:

> On Thursday 28 November 2002 03:45 pm, Sasa STUPAR wrote:
> > unable to find a 'distinguished_name' in config.
>
> in your openssl.cnf you should uncomment lines regarding distinguished_name; otherwise re-post with it attached
>
> --
> Maurizio Marini

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file               = $ENV::HOME/.oid
oid_section             = new_oids

# To use this configuration file with the -extfile option of the
# openssl x509 utility, name here the section containing the
# X.509v3 extensions to use:
# extensions            =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

[ ca ]
default_ca      = CA_default            # The default ca section

[ CA_default ]

dir             = ./demoCA              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the traditional
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = md5                   # which md to use.
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK: a literal
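Elsewhere in this thread the 'distinguished_name' error goes away once `-config openssl.cnf` is passed, although the attached file already sets that key, and the same file carries `default_bits = 1024` and `default_md = md5`, both below what is accepted today. The script below is an added example, not code from the thread or from OpenSSL: the function names and the sample file are constructed, and it audits an openssl.cnf for an unreadable file, a missing or dangling distinguished_name, and those two weak defaults.

```shell
#!/bin/sh
# Added example (not from the thread): audit an openssl.cnf for the problems
# visible in this thread. Function names and the sample file are constructed.

# cnf_get <file> <section> <key>: print the key's value, comments stripped.
cnf_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[[ \t]*/, "", s); sub(/[ \t]*\].*$/, "", s)
            insec = (s == want); next
        }
        insec {
            line = $0; sub(/#.*/, "", line)
            i = index(line, "="); if (!i) next
            k = substr(line, 1, i - 1); v = substr(line, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# cnf_has_section <file> <section>: succeed if "[ section ]" exists.
cnf_has_section() {
    awk -v want="$2" '
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[[ \t]*/, "", s); sub(/[ \t]*\].*$/, "", s)
            if (s == want) found = 1
        }
        END { exit !found }' "$1"
}

# audit_cnf <file>: print one finding per line, nothing if the file is clean.
audit_cnf() {
    f=$1
    # In the thread the key was present; the file simply was not being loaded.
    [ -r "$f" ] || { echo "config: cannot read $f"; return 0; }
    dn=$(cnf_get "$f" req distinguished_name)
    if [ -z "$dn" ]; then
        echo "req: distinguished_name is not set"
    elif ! cnf_has_section "$f" "$dn"; then
        echo "req: distinguished_name names missing section [ $dn ]"
    fi
    bits=$(cnf_get "$f" req default_bits)
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ] 2>/dev/null; then
        echo "req: default_bits = $bits (below 2048)"
    fi
    ca=$(cnf_get "$f" ca default_ca)
    md=$(cnf_get "$f" "${ca:-CA_default}" default_md)
    case "$md" in
        md2|md4|md5|sha|sha1) echo "ca: default_md = $md (weak digest)" ;;
    esac
    return 0
}

demo() {
    t=$(mktemp -d) || return 1
    # Constructed sample that reuses the values from the attached file.
    cat > "$t/openssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default            # The default ca section
[ CA_default ]
default_md = md5                   # which md to use.
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = Common Name (eg, your name or your server's hostname)
EOF
    audit_cnf "$t/openssl.cnf"
    audit_cnf "$t/not-loaded.cnf"
    rm -rf "$t"
}

demo
```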
Re: Problems with creating own CA
Well, I have added what you've told me but still the same problem.

Maurizio Marini wrote:

> On Thursday 28 November 2002 05:01 pm, Sasa STUPAR wrote:
> > They are already uncommented. Here is attached my config file.
>
> I've:
>
>     commonName = Common Name (eg, your name or your server\'s hostname)
>     commonName_max = 64
>     commonName_default = iris.dev.datalogica.com
>
> it seems u lack this:
>
>     commonName_default = your_fqdn
>
> --
> Maurizio Marini
Re: Problems with creating own CA
One thing, if I try to use directly with the command

    openssl req -new -x509 -days 365 -key ca.key -out ca.crt

I get back error like before with also that it cannot load config info. Any idea ?

Maurizio Marini wrote:

> On Thursday 28 November 2002 05:01 pm, Sasa STUPAR wrote:
> > They are already uncommented. Here is attached my config file.
>
> I've:
>
>     commonName = Common Name (eg, your name or your server\'s hostname)
>     commonName_max = 64
>     commonName_default = iris.dev.datalogica.com
>
> it seems u lack this:
>
>     commonName_default = your_fqdn
>
> --
> Maurizio Marini