On Sun, 27 Oct 2002 22:02:34 +0100
Praise
I am trying to set up SSL for the first time. I would like to use SSL for POP3 and HTTPD, but after a week of work I still have no result. I have read all the documentation I have found about mod_ssl and openssl, but I still can hardly understand how to generate and manage my certificates: I would like that someone could explain to me how to do that, basically. I find all the docs confusing myself. Note that I am not a bank and I am not running an ecommerce web server, so I am not planning to sign with Verisign or something like that at all.
Here it is what I have been trying:
xearo7:/usr/share/ssl/misc # ./CA.pl -newca
xearo7:/usr/share/ssl/misc # ./CA.pl -newreq
I have no idea about those error messages, and I do not know if I am using the right commands to create my certificates. Help is VERY MUCH needed:-)
First for https: Go to /usr/share/doc/mod_ssl and run "certificate.sh". That will make a certificate and key for your site, signed by "Snakeoil Ltd." It will also put them in the right place in /etc/httpd.

If you want to do the same thing, but have your cert "self-signed" instead of from "SnakeOil Ltd", run the following script, and copy the key and cert it creates to /etc/httpd in their respective directories.

#########################################################
#!/bin/sh
# generate an unencrypted 1024-bit RSA private key
openssl genrsa 1024 >server.key
#openssl genrsa -des3 1024 >server.key
#if you want it password protected, this requires an attended bootup
# create a self-signed certificate for that key, valid for one year
openssl req -new -key server.key -x509 -days 365 -out server.crt
#########################################################

You should keep in mind, when you answer the questions the script asks, to give the servername you set in /etc/httpd/httpd.conf for your https server. They must match.

For pop ssl, I think the best thing to do is use "stunnel". Read the docs for stunnel, they give a good explanation of how to set it up. It's pretty easy, you have stunnel listen on port 110, and redirect everything to the pop server. There may be other popssl methods, but I'm not familiar with them. Also you need an SSL-capable pop client. I've done it with stunnel listening on port 109, and regular pop on 110, so you have a choice.

--
use Perl; #powerful programmable prestidigitation
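The two steps the reply describes (self-signed key/cert for the https vhost, then stunnel in front of POP3), as an added example that is not from the thread: the CN is set non-interactively so it cannot drift from the ServerName, a check function catches the mismatch the reply warns about, and a stunnel config is written for the chosen ports. The output directory, the 2048-bit key size and the stunnel.conf keys are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread. Paths, the 2048-bit key
# size and the stunnel.conf layout are this example's own choices.
set -eu

# make_selfsigned <server-name> <outdir>
# Writes server.key and server.crt into <outdir>; the subject CN is given
# with -subj instead of answering openssl's interactive prompts.
make_selfsigned() {
    name=$1; out=$2
    mkdir -p "$out"
    umask 077                      # the private key must not be world-readable
    openssl genrsa -out "$out/server.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 \
        -key "$out/server.key" \
        -subj "/CN=$name" \
        -out "$out/server.crt" 2>/dev/null
}

# cert_cn <cert>: print the CN from the certificate subject
# (handles both the "subject= /CN=x" and the "subject=CN = x" output styles)
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# check_servername <cert> <server-name>
# Returns 0 when the CN equals the ServerName configured for the https
# vhost, 1 otherwise; a mismatch is what makes browsers complain.
check_servername() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# write_stunnel_conf <outdir> <listen-port> <pop-port>
# stunnel terminates TLS on <listen-port> and forwards plaintext POP3 to
# the local daemon on <pop-port>, reusing the key and cert made above.
write_stunnel_conf() {
    cat > "$1/stunnel.conf" <<EOF
cert = $1/server.crt
key = $1/server.key
[pop3s]
accept = $2
connect = 127.0.0.1:$3
EOF
}
```

Run `make_selfsigned www.example.org /tmp/ssl && check_servername /tmp/ssl/server.crt www.example.org` before copying the files into /etc/httpd; `write_stunnel_conf /tmp/ssl 995 110` gives the stunnel side with plain POP3 left on 110.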