On Wed, 2013-07-24 at 23:58 +0530, Mohan R wrote:
> I did the same thing from my machine using firefox, both http and https
> urls works fine but for https I have to add certificate exception.

and the ssl certificate looks horrible.

* Server certificate:
*   subject: C=--; ST=SomeState; L=SomeCity; O=SomeOrganization; OU=SomeOrganizationalUnit; CN=localhost.localdomain; emailAddress=root@localhost.localdomain
*   start date: 2008-08-22 04:51:03 GMT
*   expire date: 2009-08-22 04:51:03 GMT
*   issuer: C=--; ST=SomeState; L=SomeCity; O=SomeOrganization; OU=SomeOrganizationalUnit; CN=localhost.localdomain; emailAddress=root@localhost.localdomain

It looked childish when I saw localhost.localadmin being used in a reputed university's SSL certificate and, not to mention, it got expired!! I think they are using the default signatures created when apache (mod_ssl) got installed in that server.

If anyone here knows annauniv's webadmins, please ask them to follow the steps below to create a proper self signed certificate or ask them to properly have a CA signed SSL certificate (Comodo CA charges 64$ per year or ~4000/- INR, I don't think it's big money for Anna Univ).

$ openssl genrsa -des3 -out server.key.withpassword 1024
Generating RSA private key, 1024 bit long modulus
.......................++++++
...........................++++++
e is 65537 (0x10001)
Enter pass phrase:[enter some password]
Verifying - Enter pass phrase:[enter same password again]

$ openssl rsa -in server.key.withpassword -out server.key
Enter pass phrase for server.key.withpassword:[type same password again]
writing RSA key

$ openssl req -new -key server.key -out server.crt.request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:TamilNadu
Locality Name (eg, city) []:Chennai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Anna University
Organizational Unit Name (eg, section) []:Computer Science Department
Common Name (e.g. server FQDN or YOUR name) []:webmaster
Email Address []:webmas...@annauniv.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: [leave blank]
An optional company name []: [leave blank]

$ openssl x509 -req -in server.crt.request -signkey server.key -days 365 -out server.crt
Signature ok
subject=/C=IN/ST=TamilNadu/L=Chennai/O=Anna University/OU=Computer Science Department/CN=webmaster/emailAddress=webmas...@annauniv.edu
Getting Private key

$ openssl verify server.crt
server.crt: C = IN, ST = TamilNadu, L = Chennai, O = Anna University, OU = Computer Science Department, CN = webmaster, emailAddress = webmas...@annauniv.edu
error 18 at 0 depth lookup:self signed certificate
OK

$ sudo mv server.key server.crt /etc/ssl/apache

Finally ask the admins to add/modify following lines in /etc/httpd/conf.d/ssl.conf and restart apache server.

SSLCertificateFile /etc/ssl/apache/server.crt
SSLCertificateKeyFile /etc/ssl/apache/server.key

Thanks,
Mohan R
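
Added example, not part of the original message: a shell function that audits a PEM certificate for the defects described above (expired or soon to expire, placeholder subject, self-signed), plus two checks that go beyond the message: whether the host name matches and how large the RSA key is. The function name, finding labels and default thresholds are assumptions; it needs the openssl CLI.

```sh
#!/bin/sh
# Added example (not from the original message). Requires the openssl CLI.
# audit_cert CERT.pem HOSTNAME [MIN_RSA_BITS] [WARN_DAYS]
# Prints one finding per line; returns 1 if anything was found, else 0.
audit_cert() {
    cert=$1; host=$2; min_bits=${3:-2048}; warn_days=${4:-30}
    found=0
    report() { echo "$1"; found=1; }

    # RFC2253 keeps the DN layout stable across OpenSSL releases.
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    text=$(openssl x509 -in "$cert" -noout -text)

    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        report "expired"
    elif ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null; then
        report "expires-within-${warn_days}d"
    fi

    # Placeholder identity strings seen in the certificate quoted above.
    case $subject in
        *localhost.localdomain*|*SomeOrganization*) report "placeholder-subject" ;;
    esac

    # Subject equal to issuer: self-issued, so clients have no CA chain to trust.
    if [ "$subject" = "$issuer" ]; then report "self-signed"; fi

    # Clients compare the host name they requested with the certificate's SAN/CN.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
        report "hostname-mismatch"
    fi

    # RSA modulus size (skipped for non-RSA keys).
    if echo "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        bits=$(echo "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
        if [ "${bits:-0}" -lt "$min_bits" ]; then report "weak-rsa-key-${bits}"; fi
    fi
    return $found
}
```

Run it as `audit_cert /etc/ssl/apache/server.crt www.example.org` (host name is a placeholder); a non-zero exit status makes it usable from cron or a monitoring check.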