I'm using the CA.pl script provided with openssl in order to create a CA
and then produce a self-signed certificate. I'm just looking for
confirmation that I'm going through the correct steps and putting the
right values into Apache.
All commands are issued from /home/dan/CA. The Apache directives
point at the files in question rather than their ultimate destination off
somewhere else. This is just for testing. Kids, don't do this at home....

    perl CA.pl -newca
    perl CA.pl -newreq
    perl CA.pl -sign
    openssl rsa < newreq.pem > newkey.pem
    openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out iestuff.p12

I imported iestuff.p12 into my MSIE browser and selected that certificate
when prompted by the browser.
I then used the following SSL-related values in my SSL vhost:

    SSLEngine on
    SSLCertificateFile /home/dan/CA/demoCA/cacert.pem
    SSLCertificateKeyFile /home/dan/CA/demoCA/private/cakey.key
    SSLCACertificatePath /home/dan/CA/demoCA/
    SSLCACertificateFile /home/dan/CA/demoCA/cacert.pem
    <Location /securelocation>
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Location>

Note that I'm using the CA certificate and key for the SSL and the
SSLCA information. Does that make sense? I tried this:

    SSLCACertificatePath /home/dan/CA/
    SSLCACertificateFile /home/dan/CA/newcert.pem

But if I use that combination, my browser certificate is not listed in the
"Client Authentication" dialog box presented by the browser when I go
to /securelocation.
Why? What have I misunderstood?
thanks.
--
Dan Langille
pgpkey - finger [EMAIL PROTECTED] | http://unixathome.org/finger.php
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
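
Added example, not part of the original post: mod_ssl advertises the subject names of the certificates in SSLCACertificateFile as acceptable client CAs, and a browser typically lists only client certificates whose issuer is one of those names. The script builds a constructed throwaway PKI with plain openssl commands (standing in for the CA.pl steps; the names "Test CA" and "dan-client" and the function names are assumptions) and compares the two SSLCACertificateFile choices from the post.

```shell
#!/bin/sh
# Constructed throwaway PKI; "Test CA" and "dan-client" are made-up names.
set -e

make_test_pki() {
    dir=$1
    # Self-signed CA certificate (stands in for demoCA/cacert.pem).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # Client key and signing request (stands in for newreq.pem).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=dan-client" \
        -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" 2>/dev/null
    # The CA signs the request (stands in for newcert.pem).
    openssl x509 -req -in "$dir/newreq.pem" -days 1 \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/newcert.pem" 2>/dev/null
}

# Succeeds when the subject of the file configured as SSLCACertificateFile
# equals the issuer of the client certificate, i.e. when the CA name the
# server advertises is the one that issued the browser's certificate.
issuer_is_advertised() {
    ca_file=$1
    client_cert=$2
    advertised=$(openssl x509 -noout -subject_hash -in "$ca_file")
    issuer=$(openssl x509 -noout -issuer_hash -in "$client_cert")
    [ "$advertised" = "$issuer" ]
}

check_configs() {
    work=$(mktemp -d)
    make_test_pki "$work"
    for ca in cacert.pem newcert.pem; do
        if issuer_is_advertised "$work/$ca" "$work/newcert.pem"; then
            echo "SSLCACertificateFile $ca: client certificate is offered"
        else
            echo "SSLCACertificateFile $ca: client certificate is not offered"
        fi
    done
    rm -rf "$work"
}

check_configs
```

With cacert.pem the advertised name is the CA that signed newcert.pem, so the certificate is offered; with newcert.pem the advertised name is the client's own subject, which issued nothing.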