I hope you find the attached file useful...
-Stathis

Praise wrote:
Hi all.
I am trying to set up SSL for the first time. I would like to use SSL for POP3 and HTTPD, but after a week of work I still have no result. I have read all the documentation I have found about mod_ssl and openssl, but I still can hardly understand how to generate and manage my certificates: I would like someone to explain to me how to do that, basically. I find all the docs confusing myself. Note that I am not a bank and I am not running an ecommerce web server, so I am not planning to sign with VeriSign or something like that at all.
Here it is what I have been trying:
xearo7:/usr/share/ssl/misc # ./CA.pl -newca
xearo7:/usr/share/ssl/misc # ./CA.pl -newreq
<somequestions>
xearo7:/usr/share/ssl/misc # ./CA.pl -sign
Using configuration from /usr/share/ssl/openssl.cnf
unable to load CA private key
1570:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: ANY PRIVATE KEY
Signed certificate is in newcert.pem
I have configured my openssl.cnf file reading the HOWTO. I have no idea about those error messages, and I do not know if I am using the right commands to create my certificates. Help is VERY MUCH needed:-)
TIA, Praise
--
Check the headers for your unsubscription address
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the archives at http://lists.suse.com
Please read the FAQs: suse-linux-e-faq@suse.com
--
Rouvas Stathis
rouvas@di.uoa.gr
http://www.di.uoa.gr/~rouvas

from : http://www.apache-ssl.org

Basic:
--------
openssl req -new > new.cert.csr
openssl rsa -in privkey.pem -out new.cert.key
openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365

To encrypt/decrypt files on local disk:
------------
Method 1: encodes with rc4, output is base64
e: openssl base64 -in file | openssl rc4 -k key | openssl base64 -out file.crypted
d: openssl base64 -d -in file.crypted | openssl rc4 -d -k key | openssl base64 -d -out file

Method 2: encodes with blowfish-cbc, output is base64, password from stdin
e: openssl bf -a -salt -in file.txt -out file.bf
d: openssl bf -d -a -salt -in file.bf -out file.txt

Extra Info:
---------
Now I've got my server installed, how do I create a test certificate?

Step one - create the key and request:
openssl req -new > new.cert.csr

Step two - remove the passphrase from the key (optional):
openssl rsa -in privkey.pem -out new.cert.key

Step three - convert request into signed cert:
openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365

The Apache-SSL directives that you need to use the resulting cert are:
SSLCertificateFile /path/to/certs/new.cert.cert
SSLCertificateKeyFile /path/to/certs/new.cert.key

-------------
How do I create a client certificate?

Step one - create a CA certificate/key pair, as above.

Step two - sign the client request with the CA key:
openssl x509 -req -in client.cert.csr -out client.cert.cert -CA my.CA.cert -CAkey my.CA.key -CAcreateserial -days 365

Step three - issue the file 'client.cert.cert' to the requester.

The Apache-SSL directives that you need to validate against this cert are:
SSLCACertificateFile /path/to/certs/my.CA.cert
SSLVerifyClient 2
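The steps above (CA key pair, request, CA-signed certificate) put together as one non-interactive script. This is an added example, not part of the thread and not code from apache-ssl.org; it uses plain `openssl req`, `openssl x509` and `openssl verify` rather than CA.pl, and the directory, file names and subject names are my own choices. The `check_pem_key` step is there because the "PEM routines:PEM_read_bio:no start line ... Expecting: ANY PRIVATE KEY" message in the quoted session means the file OpenSSL opened as the CA key does not start with a `-----BEGIN ... PRIVATE KEY-----` block, so it is worth confirming the key file really is a PEM private key before pointing a config or a command at it:

```shell
#!/bin/sh
# Added example (not from the thread or from apache-ssl.org): build a private CA,
# issue a server certificate signed by it, and verify the chain. All paths and
# subject names are made up for the example.
set -eu

# check_pem_key FILE
# Succeeds only if FILE is a parseable PEM RSA private key. This is the check
# that fails with "no start line" when a config points at a certificate, an
# empty file or a wrong path instead of the key.
check_pem_key() {
    openssl rsa -in "$1" -check -noout >/dev/null 2>&1
}

# make_test_pki DIR CN
# Creates DIR/ca.key, DIR/ca.crt, DIR/server.key, DIR/server.crt with subject
# CN=CN, and returns 0 only if server.crt verifies against ca.crt.
make_test_pki() {
    dir=$1
    cn=$2
    mkdir -p "$dir"

    # 1. CA key and self-signed CA certificate. -nodes leaves the key
    #    unencrypted so the script runs without prompts; restrict the file
    #    mode instead of relying on a passphrase.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    chmod 600 "$dir/ca.key"
    check_pem_key "$dir/ca.key" || {
        echo "$dir/ca.key is not a PEM private key" >&2
        return 1
    }

    # 2. Server key and certificate request (this is the CSR a CA signs).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    chmod 600 "$dir/server.key"

    # 3. Sign the request with the CA. -CA/-CAkey make the CA the issuer;
    #    -signkey is deliberately NOT used here, since that produces a
    #    self-signed certificate instead of a CA-issued one.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -out "$dir/server.crt" >/dev/null 2>&1

    # 4. Prove the result chains to the CA, which is what a client checks.
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1
}

# cert_subject_cn FILE
# Prints the CN from the certificate subject (works with both the
# "subject= /CN=x" and the "subject=CN = x" output formats).
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Usage: RUN_DEMO=1 sh thisscript.sh  builds a throwaway PKI under ./demo-pki.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    make_test_pki ./demo-pki www.example.test
    echo "server.crt verifies against ca.crt; CN=$(cert_subject_cn ./demo-pki/server.crt)"
fi
```

The resulting `ca.crt` is what goes into `SSLCACertificateFile` on the verifying side, and `server.crt`/`server.key` into `SSLCertificateFile`/`SSLCertificateKeyFile`; the `openssl verify` step is the quickest way to tell a correctly CA-signed certificate from an accidental self-signed one before touching the web server config.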