Hi Ed,

works fine!

Many thanks

Markus

PS: Only one typo, which I corrected below for others' convenience.


Date:          12.03.2002 19:20
To:            [EMAIL PROTECTED]
Reply to:      [EMAIL PROTECTED]
Subject:       Re: Reply: RE: Sign a server CSR with my own CA
Message text:

Markus,

It's a rather involved process, but here's what I did to get it to work.
It's not the most elegant of methods, but it will get you started.

1)  You'll need to generate RSA keys for both your server and your CA:

-->openssl rand -out random_data 65000

-->openssl genrsa -passout pass:your_server_password -des3 -rand random_data -out server.key 1024

-->openssl genrsa -passout pass:your_ca_password -des3 -rand random_data -out ca.key 1024

2)  Now create your CSR:

-->openssl req -new -passin pass:your_server_password -config cert.conf -key server.key -out server.csr

Your "cert.conf" file should look something like:
[ req ]

default_keyfile    = server.key   # only used when req has to generate a key itself; -key overrides it
distinguished_name = req_distinguished_name
prompt             = no


[ req_distinguished_name ]

C = US
ST = Califori.. uhh
L = Palo-Alto
O = Hewlett-Packard Co.
OU = WJA
emailAddress = your e-mail address
CN = 123.123.123.123

3)  Create a self-signed CA Certificate (X509 structure) with the RSA key of
the CA (output will be PEM formatted) in ca.crt

-->openssl req -new -x509 -passin pass:your_ca_password -config cert.conf -days 365 -key ca.key -out ca.crt

4)  Have the new CA sign the server's CSR and store results in server.crt.
This is the tricky part.

-->Create an empty file called "certIndex".

-->Create a file called "certSerialNo", and put a "01" in it

-->openssl ca -batch -passin pass:your_ca_password -config ca.conf -out server.crt -infiles server.csr
   (the password given here unlocks ca.key, the CA's private key named in ca.conf, not server.key)

Your "ca.conf" file should look something like:

[ ca ]
default_ca      = CA_default            # The default ca section

[ CA_default ]

dir            = c:/apache2/certificates/temp                  # top dir
new_certs_dir  = c:/apache2/certificates/temp                  # new certs dir
database       = c:/apache2/certificates/temp/certIndex        # index file
serial         = c:/apache2/certificates/temp/certSerialNo     # serial no file
RANDFILE       = c:/apache2/certificates/temp/random_data      # random number file
certificate    = c:/apache2/certificates/temp/ca.crt           # The CA cert
private_key    = c:/apache2/certificates/temp/ca.key           # CA private key

default_days   = 365                   # how long to certify for
default_crl_days= 30                   # how long before next CRL
default_md     = md5                   # md to use

policy         = policy_any            # default policy

[ policy_any ]
localityName           = supplied
countryName            = supplied
stateOrProvinceName    = supplied
organizationName       = supplied
organizationalUnitName = supplied
commonName             = supplied
emailAddress           = optional


That should do it.  There are undoubtedly typos in there somewhere.

Good luck,

Ed


>From: "Markus Dallmann" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: Antwort: RE: Sign a server CSR with my own CA
>Date: Tue, 12 Mar 2002 16:51:52 +0100
>
>
>Done, but nothing found.
>
>
>Date:          12.03.2002 16:14
>To:            <[EMAIL PROTECTED]>
>Reply to:      [EMAIL PROTECTED]
>Subject:       RE: Sign a server CSR with my own CA
>Message text:
>
>Search for CA.pl
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]] On Behalf Of Markus Dallmann
>Sent: Tuesday, March 12, 2002 8:14 AM
>To: [EMAIL PROTECTED]
>Subject: Sign a server CSR with my own CA
>
>
>
>Hi,
>
>I'm using a win32 binary version of Perl 5.6.1, mod_perl 1.25 and Apache
>1.3.20, which also includes the apache module mod_ssl (2.8.4-1.3.20)
>based on OpenSSL (0.9.6a).
>
>I created my own server CRT (passed some problems, e.g. redirecting the config
>file in openssl req, downloading the missing openssl.cnf from www.modssl.org)
>and built my own CA.
>
>But now I have problems signing the CRT with my own CA, because there is
>no sign.sh script for WinNT. I tried it with 'openssl ca' and went through
>several error messages (the last was a missing index.txt).
>
>Has anybody succeeded in this? Or does anybody have another solution?
>
>kind regards
>
>Markus
>
>
>--
>
>This e-mail may contain confidential and/or privileged information. If
>you are not the intended recipient (or have received this e-mail in
>error) please notify the sender immediately and destroy this e-mail. Any
>unauthorized copying, disclosure or distribution of the material in this
>e-mail is strictly forbidden.
>
>
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
>User Support Mailing List                      [EMAIL PROTECTED]
>Automated List Manager                            [EMAIL PROTECTED]
>

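Ed's four steps, run end to end as one script, as an added example that is not part of the original thread. It is written for a current OpenSSL (1.1.1 or 3.x) and POSIX sh; the openssl invocations are the same on Windows. It keeps the shape of the thread's recipe (cert.conf for the request, ca.conf with certIndex and certSerialNo for signing) but fixes what a client today would reject: 2048-bit keys and sha256 instead of 1024-bit keys and md5, a CA certificate with its own DN and basicConstraints=CA:TRUE rather than one built from the server's cert.conf, a subjectAltName for the server address (browsers no longer match the CN), and `openssl ca` unlocked with the CA password, since it signs with ca.key. The 192.0.2.10 address, the passwords, the DNs and the $WORK directory are all invented for illustration.

```shell
#!/bin/sh
# Added example, not code from the mod_ssl thread: CA key + self-signed CA cert,
# server key + CSR, and 'openssl ca' signing, in one run.
# All names, passwords and the 192.0.2.10 address below are illustrative.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # keys, certs and the CA database live here
CA_PASS="${CA_PASS:-ca-secret}"       # unlocks ca.key
SRV_PASS="${SRV_PASS:-server-secret}" # unlocks server.key
SERVER_IP="${SERVER_IP:-192.0.2.10}"  # address clients will connect to

make_certs() {
    cd "$WORK"

    # ca.conf: the CA's own request DN plus the [ ca ] bookkeeping section.
    # \$dir stays literal for OpenSSL to expand; $WORK and $SERVER_IP expand now.
    cat > ca.conf <<EOF
[ req ]
distinguished_name = ca_dn
x509_extensions    = ca_ext
prompt             = no

[ ca_dn ]
C  = US
O  = Example Co.
CN = Example Co. Private CA

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $WORK
new_certs_dir   = \$dir
database        = \$dir/certIndex
serial          = \$dir/certSerialNo
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_days    = 365
default_md      = sha256
policy          = policy_any
x509_extensions = server_ext
copy_extensions = none    # extensions come from this file, never from the CSR

[ policy_any ]
countryName      = supplied
organizationName = supplied
commonName       = supplied
emailAddress     = optional

[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = IP:$SERVER_IP
authorityKeyIdentifier = keyid
EOF

    # Steps 1 and 3: CA key, then the self-signed CA certificate.
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -config ca.conf -days 3650 \
        -key ca.key -passin "pass:$CA_PASS" -out ca.crt

    # Steps 1 and 2: server key and CSR from cert.conf (DN only; SAN is set by the CA).
    cat > cert.conf <<EOF
[ req ]
distinguished_name = server_dn
prompt             = no

[ server_dn ]
C  = US
O  = Example Co.
CN = $SERVER_IP
EOF
    openssl genrsa -aes256 -passout "pass:$SRV_PASS" -out server.key 2048 2>/dev/null
    openssl req -new -config cert.conf -key server.key -passin "pass:$SRV_PASS" \
        -out server.csr

    # Step 4, the "tricky part": 'openssl ca' refuses to run without its index
    # and serial files, so create them (empty index, serial 01) before signing.
    : > certIndex
    echo 01 > certSerialNo
    openssl ca -batch -notext -config ca.conf -passin "pass:$CA_PASS" \
        -out server.crt -infiles server.csr 2>/dev/null
}

# Returns 0 only if server.crt chains to ca.crt and carries the expected SAN.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORK/server.crt" -noout -text | grep -q "IP Address:$SERVER_IP"
}

# Prints the signature algorithm of server.crt (sha256WithRSAEncryption here).
sig_alg() {
    openssl x509 -in "$WORK/server.crt" -noout -text \
        | sed -n '/Signature Algorithm:/{s/.*: *//p;q;}'
}

make_certs
verify_chain && echo "server.crt verifies against ca.crt, signed with $(sig_alg)"
```

Two design points worth noting. `copy_extensions = none` (the default, stated explicitly) means the CA, not the requester, decides what goes into the certificate: a CSR that asks for CA:TRUE or a foreign subjectAltName is simply ignored, which is the property you want even for a private CA. And `openssl verify -CAfile ca.crt server.crt` is the check to run after signing; if it fails, the usual causes are the CA certificate lacking the CA flag or the subject DN of the leaf not being accepted by the policy section.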