Full_Name: Walt Lillyman
Version: mod_ssl-2.1.8-1.3.4
OS: Red Hat Linux 5.2
Submission from: outb248.codamc.com (199.217.218.248)


My $350 Verisign cert doesn't work, but self-signed certs do,
so this is really a request for help in generating a good CSR to
get a good cert from Verisign that matches my private key.
I appreciate any advice.

The output from
ssleay rsa -noout -text -in server.key
ssleay x509 -noout -text -in server.crt
looks OK; no error messages.

The output from
ssleay rsa -noout -modulus -in server.key | ssleay md5
ssleay x509 -noout -modulus -in server.crt | ssleay md5
produces very different hex numbers, which I assume means 
they don't match, and won't work.

In fact, they don't work, and I get "write:errno=32" from 
s_client -connect myservername.mydomain.com:443 -state -debug

So, I gotta give Verisign another $100 to get this right.
Here's what I did; any advice what I did wrong?

I generated a private key with
ssleay genrsa -des3 -out server.key 1024

I generated a CSR with 
ssleay req -new -days 365 -key server.key -out server.csr
It used the config from ssleay.cnf.  Is there anything in
there that I should change?
I specified [St Louis] as Locality Name, not [Saint Louis],
like Verisign says.  Would that really screw up the cert?
(I know... I'm _reaching_...)
I specified an 'extra' attribute of a challenge password,
should I leave all 'extra' attributes blank?

The CSR submitted OK.  I received the cert.  I ignored Verisign's
errant documentation about how to install it, and I moved it 
into the ssl.crt directory. I ran Make to update the hashlinks.
I ensured my private key was in place in ssl.key.  I ensured 
they were both pointed to in httpd.conf.  I stopped and started 
the secure server.  It asked for and accepted my pass phrase.

I can connect via http, but connection attempts to https result
in "network connection was refused by the server" in 
Netscape Communicator 4.5, and
"[error] Unable to configure server private key for connection"
in ssl_engine_log and error_log.

I moved back my self-signed certs and everything is peachy.

How do I get a good cert out of Verisign?

Thanks again for any help.
Walt;


______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
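
The modulus comparison described in the message above, extended to include the CSR, as an added example that is not part of the original post or of mod_ssl. It assumes the modern `openssl` command (the successor to `ssleay`), SHA-256 in place of md5, and constructed throwaway files (unencrypted 2048-bit keys, subject `host.example`).

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the modern `openssl` CLI,
# the successor to the `ssleay` tool; all file names are constructed.

# Print a SHA-256 digest of the RSA modulus in a key, CSR or certificate.
modulus_digest() {
    case "$1" in
        key)  m=$(openssl rsa  -noout -modulus -in "$2") ;;
        csr)  m=$(openssl req  -noout -modulus -in "$2") ;;
        cert) m=$(openssl x509 -noout -modulus -in "$2") ;;
        *)    return 2 ;;
    esac || return 1
    [ -n "$m" ] || return 1
    printf '%s\n' "$m" | openssl sha256 | awk '{print $NF}'
}

# Return 0 only if key, CSR and certificate all carry the same modulus.
check_triplet() {
    k=$(modulus_digest key  "$1") || return 2
    r=$(modulus_digest csr  "$2") || return 2
    c=$(modulus_digest cert "$3") || return 2
    [ "$k" = "$r" ] || { echo "CSR was not generated from this key"; return 1; }
    [ "$k" = "$c" ] || { echo "certificate does not match this key"; return 1; }
    echo "key, CSR and certificate match"
}

# Constructed test data: two throwaway keys, plus a CSR and a self-signed
# certificate made from the first key only.
make_demo_files() {
    openssl genrsa -out "$1/a.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/a.key" -subj "/CN=host.example" -out "$1/a.csr" &&
    openssl x509 -req -in "$1/a.csr" -signkey "$1/a.key" -days 1 \
        -out "$1/a.crt" 2>/dev/null
}

# Exit status: 0 when the matching set passes and the wrong key is rejected.
demo() {
    d=$(mktemp -d) || return 2
    make_demo_files "$d" || { rm -rf "$d"; return 2; }
    good=0; check_triplet "$d/a.key" "$d/a.csr" "$d/a.crt" || good=$?
    bad=0;  check_triplet "$d/b.key" "$d/a.csr" "$d/a.crt" || bad=$?
    rm -rf "$d"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo
```

Running `check_triplet server.key server.csr server.crt` before installing a certificate shows whether the CSR or the issued certificate is the piece that diverged from the key; a passphrase-protected key will prompt for its pass phrase.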
