On Jan 31, 2006, at 10:06 AM, Kövesdán Gábor wrote:
I've upgraded today, but SSL doesn't work with the old settings. I suspect something's wrong with my self-signed certificates. If I set SSLEngine On globally, I get this:

[Tue Jan 31 14:11:09 2006] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

Yeah, the RSA cert you use for your CA to sign other certs should not be used as a host cert for SSL. Generate a new RSA cert, generate a CSR, and use the CA cert to sign your new RSA cert for the webserver:


   openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365
   openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
   openssl ca -policy policy_anything -out newcert.pem -infiles tmp.pem
   # (newcert.pem contains signed certificate, newreq.pem still contains
   #  unsigned certificate and private key)

--
-Chuck
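
An added example, not part of the original message: a check for the condition behind the warning (BasicConstraints CA:TRUE), run against a throwaway CA and a host certificate signed by it. It signs with `openssl x509 -req -CA` instead of `openssl ca` so that no CA directory layout is needed; every file name and subject is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: all names, paths and subjects below are constructed.

# Return 0 if the certificate in $1 asserts BasicConstraints CA:TRUE,
# the condition behind the mod_ssl warning quoted above.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Build a throwaway CA and a host certificate signed by it in directory $1.
make_demo_certs() {
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    # Self-signed CA certificate (CA:TRUE): used for signing only.
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -extensions v3_ca -subj "/CN=Constructed Test CA" -days 1 \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # Separate key and CSR for the web server.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=www.example.test" \
        -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null || return 1
    # The CA signs the CSR; the host certificate gets CA:FALSE.
    openssl x509 -req -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/demo.cnf" -extensions v3_leaf \
        -days 1 -out "$d/host.pem" 2>/dev/null || return 1
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
for c in ca.pem host.pem; do
    if is_ca_cert "$demo_dir/$c"; then
        echo "$c: CA certificate, do not use as SSLCertificateFile"
    else
        echo "$c: not a CA certificate, usable as a host certificate"
    fi
done
```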

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions