On Thu, 15 Mar 2001, Blake C. Lewis wrote:
[ snip ]
> o The complete mod_ssl documentation is included in the mod_ssl package and
> browseable under http://localhost/manual/mod/mod_ssl/.
[ as I said I finally got around to reading the Fine material ]
> o To generate a certificate signing request suitable for submission to a
> Certificate Authority, execute the following commands:
[ snip ]
> There is one question that the above procedure asks that you must
> answer right (with your machine name) or you will continue getting the
> same message. From the words used it is not straightforward what is
> to be answered. The second or third time through you'll figure it out
> though. Anybody please correct me if I'm wrong....
Well this was the whole point of the original problem. So here is the
bare-hands approach. I got most of this from the documentation (the ssl
faq from the mod_ssl docs). You must have openssl installed, but that's a
given if you have mod_ssl installed and working.
Two parts: (1) Create your own Certification Authority (CA), (2) Create a
server certificate and sign it using your CA. Of course this is
self-signed, but useful for personal purposes (and anyone who trusts you).
(1) Create the CA - make a directory, say /usr/local/apache/src/cert and
cd to it. Do everything from there:
Create an RSA private key for the CA:
openssl genrsa -des3 -out ca.key 1024
You can see the details of this RSA private key via the command
openssl rsa -noout -text -in ca.key
Create a self-signed CA Certificate (X509 structure) with the RSA key of
the CA:
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
You will have to answer a whole load of questions, but they are really
informational - the people viewing the certificate will be able to see
whatever you put there.
You can see the details of this Certificate via the command:
openssl x509 -noout -text -in ca.crt
(2) Create a server certificate
Create an RSA private key for your Apache server
openssl genrsa -des3 -out server.key 1024
You can see the details of this RSA private key via the command:
openssl rsa -noout -text -in server.key
Create a Certificate Signing Request (CSR) with the server RSA private
key
openssl req -new -key server.key -out server.csr
This will ask a load of questions. Most of it is informational, but to
ensure that you don't get your browser complaining at you with "the site
name on this certificate is not the same as the name of the server" make
sure that the ___Common Name___ field has the name of your server as given
by the ServerName directive in httpd.conf.
Here's what the documentation says (if what I said isn't clear enough):
Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server
when OpenSSL prompts you for the "CommonName", i.e. when you generate a
CSR for a website which will be later accessed via https://www.foo.dom/,
enter "www.foo.dom" here.
You can see the details of this CSR via the command
openssl req -noout -text -in server.csr
Do this and make sure the "CN" field has your server name correct.
To sign the script using your CA you need the script sign.sh that should
have been provided with mod_ssl. I can send it to you if you can't find
it. The script is short, but sufficiently complicated to make it
necessary. Anyway, if you did all this in the same directory, then you
can do
/path/to/script/sign.sh server.csr
and you will get the certificate server.crt.
Then it is just a matter of copying server.crt and server.key to wherever
httpd.conf expects them to be and restarting the server (restart as in
stop/sslstart - "restart" or "kill -HUP pid" are not enough).
Let me know if this works or not.
Rob
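The two parts above run end to end as one script, added here and not taken from Rob's post or the mod_ssl package. It assumes openssl is on the path, replaces the interactive prompts with -subj/-passout (the passphrase "changeit" is a placeholder), uses "openssl x509 -req -CA ..." in place of mod_ssl's sign.sh, and uses 2048-bit keys rather than the post's 1024.

```shell
#!/bin/sh
# Added example, not from the original post. Stand-ins for the interactive
# steps: -subj/-passout replace the question prompts ("changeit" is a
# placeholder passphrase), "openssl x509 -req -CA ..." stands in for
# mod_ssl's sign.sh, and keys are 2048-bit (1024-bit RSA no longer passes
# browser or OpenSSL policy checks).
set -eu

# make_self_signed_chain DIR SERVERNAME: writes ca.key ca.crt server.key
# server.csr server.crt into DIR (runs in a subshell so cwd is not changed)
make_self_signed_chain() (
    dir=$1; server_name=$2
    mkdir -p "$dir" && cd "$dir"

    # (1) The CA: DES3-encrypted RSA key, then a self-signed X.509 certificate
    openssl genrsa -des3 -passout pass:changeit -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key ca.key -passin pass:changeit \
        -subj "/C=US/O=Example Private CA/CN=Example Private CA" -out ca.crt

    # (2) The server key and CSR; CN must equal the ServerName from httpd.conf
    openssl genrsa -des3 -passout pass:changeit -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -passin pass:changeit \
        -subj "/C=US/O=Example/CN=$server_name" -out server.csr

    # Sign the CSR with the CA (what sign.sh does). A subjectAltName is added
    # because current browsers match the host name against SAN, not CN.
    printf 'subjectAltName=DNS:%s\n' "$server_name" > san.ext
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
        -passin pass:changeit -CAcreateserial -extfile san.ext -out server.crt 2>/dev/null
)

# cert_cn FILE: print the subject CN, the field the post says to check
cert_cn() {
    openssl x509 -noout -subject -nameopt sep_multiline,lname -in "$1" \
        | sed -n 's/^ *commonName=//p'
}

# verify_chain DIR: succeed only if server.crt validates against ca.crt
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null
}

# Demo (run with "demo" as the first argument): build the chain for
# www.foo.dom, the post's example host, and check it
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_self_signed_chain "$d" www.foo.dom
    echo "server CN: $(cert_cn "$d/server.crt")"
    verify_chain "$d" && echo "server.crt verifies against ca.crt"
fi
```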
--
To manage your subscription, go to http://mlug.missouri.edu/members/edit.php
Archives are available at http://mlug.missouri.edu/list-archives/