I have been trying to create server keys and certificates for my Apache
webserver all week. I am running openssl-0.9.6, apache_1.3.20 and
mod_ssl-2.8.4-1.3.20 on a Solaris 2.5.1 box. The only instructions I have are
from www.modssl.org/docs/2.8/ssl_faq.html. It fails right at the end of the
process. For error 18 the manual says:
"The passed certificate is self signed and the same certificate cannot be found
in the list of trusted certificates."
I am using the default openssl.cnf file. Where is the list of trusted
certificates? The sign.sh script is from mod_ssl in the pkg.contrib directory.
Is there any documentation on the net or in print that shows how to set up
openssl properly and make the keys? The following is a typescript of everything I
have done, including the errors at the end. Any assistance would be appreciated.

Thanks in Advance
Joe Condle
Children's Hospital of Pittsburgh, PA

Step 1 Create real SSL server Certificate
# openssl genrsa -des3 -rand randfile -out server.key 1024
448 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
......++++++
...++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
# ls
randfile    server.key  sign.sh

Step 2
# openssl req -new -key server.key -out server.csr
Using configuration from /opt/openssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Pennsylvania]:
Locality Name (eg, city) []:PGH
Organization Name (eg, company) [Childrens Hospital of PGH]:
Organizational Unit Name (eg, section) [Information Services]:
Common Name (eg, YOUR name) []:www.internal.chp.edu
Email Address []:[EMAIL PROTECTED]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# ls
randfile server.csr server.key sign.sh

Step 1 Create my own Certificate Authority
# openssl genrsa -des3 -rand randfile -out ca.key 1024
448 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
................++++++
....++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
# ls
ca.key randfile server.csr server.key sign.sh

Using configuration from /opt/openssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Pennsylvania]:
Locality Name (eg, city) []:PGH
Organization Name (eg, company) [Childrens Hospital of PGH]:
Organizational Unit Name (eg, section) [Information Services]:
Common Name (eg, YOUR name) []:www.internal.chp.edu
Email Address []:[EMAIL PROTECTED]
# ls
ca.crt ca.key randfile server.csr server.key sign.sh

# ./sign.sh server.csr
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'Pennsylvania'
localityName          :PRINTABLE:'PGH'
organizationName      :PRINTABLE:'Childrens Hospital of PGH'
organizationalUnitName:PRINTABLE:'Information Services'
commonName            :PRINTABLE:'www.internal.chp.edu'
emailAddress          :IA5STRING:'[EMAIL PROTECTED]'
Certificate is to be certified until Aug 17 11:29:51 2002 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: /C=US/ST=Pennsylvania/L=PGH/O=Childrens Hospital of PGH/OU=Information [EMAIL PROTECTED]
error 18 at 0 depth lookup:self signed certificate
/C=US/ST=Pennsylvania/L=PGH/O=Childrens Hospital of PGH/OU=Information [EMAIL PROTECTED]
error 7 at 0 depth lookup:certificate signature failure
# ls
ca.crt       ca.db.index  ca.key     randfile  server.csr sign.sh
ca.db.certs  ca.db.serial server.crt server.key

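The transcript above gives the CA certificate exactly the same Distinguished Name as the server certificate (same CN, www.internal.chp.edu). OpenSSL 0.9.6 decides whether a certificate is self-signed purely by comparing its issuer DN with its subject DN, so a server certificate issued by a CA with an identical DN looks self-signed to it: that is error 18 (it is not byte-for-byte identical to anything in the trusted list, which for openssl verify is whatever -CAfile/-CApath names, here the ca.crt that sign.sh passes), and checking its signature against its own public key then gives error 7. The script below is an added example, not from the original post and not the mod_ssl sign.sh script: it builds a CA with a distinct DN, signs a server CSR, and runs the two checks a practitioner would want, then repeats the signing with a CA that reuses the server DN. DNs, key sizes, file names, the extension file and the scratch directory are all assumptions; keys are written without a passphrase so it runs unattended (keep -des3 on the real CA key). It uses openssl x509 -req rather than openssl ca, which sign.sh drives.

```shell
#!/bin/sh
# Added example (not from the original post or mod_ssl's sign.sh): a private CA
# whose DN differs from the server's, plus the checks the transcript needed.
# Assumes a modern openssl (1.0 or later) on PATH; everything else is made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory
cd "$WORK"

# The CA gets a Common Name that is NOT the server hostname. In the transcript
# both DNs were identical, which is what 0.9.6's verify reads as "self signed".
CA_DN="/C=US/ST=Pennsylvania/L=PGH/O=Childrens Hospital of PGH/OU=Information Services/CN=CHP Internal CA"
SERVER_DN="/C=US/ST=Pennsylvania/L=PGH/O=Childrens Hospital of PGH/OU=Information Services/CN=www.internal.chp.edu"

# Constructed extension file for the CA certificate: mark it as a CA that may
# sign certificates, independent of whatever openssl.cnf's [v3_ca] contains.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# CA key plus self-signed CA certificate (the FAQ's "create my own CA" step).
make_ca() {            # $1 = CA subject DN, $2 = output basename
    openssl genrsa -out "$2.key" 2048 2>/dev/null
    openssl req -new -key "$2.key" -subj "$1" -sha256 -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -signkey "$2.key" -days 365 -sha256 \
        -extfile ca.ext -out "$2.crt" 2>/dev/null
}

# Server key and certificate signing request (the FAQ's steps 1 and 2).
make_server_csr() {    # $1 = server subject DN
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -subj "$1" -sha256 -out server.csr 2>/dev/null
}

# Sign the CSR with the CA. The issuer DN of the result is the CA's subject DN.
sign_csr() {           # $1 = CA basename, $2 = output certificate
    openssl x509 -req -in server.csr -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 365 -sha256 -out "$2" 2>/dev/null
}

# Print "same" when a certificate's issuer DN equals its subject DN (what 0.9.6
# treats as self-signed), otherwise "distinct".
dn_relation() {        # $1 = certificate
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*= *//')
    if [ "$subj" = "$iss" ]; then echo same; else echo distinct; fi
}

# The "list of trusted certificates" is what -CAfile (or -CApath) names.
# Print OK when the server certificate chains to that CA, FAIL otherwise.
verify_against() {     # $1 = CA certificate, $2 = server certificate
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Correct setup: distinct CA DN.
make_ca "$CA_DN" ca
make_server_csr "$SERVER_DN"
sign_csr ca server.crt
echo "server.crt issuer vs subject:     $(dn_relation server.crt)"
echo "server.crt against ca.crt:        $(verify_against ca.crt server.crt)"

# The transcript's mistake: a CA whose DN is the server's own DN.
make_ca "$SERVER_DN" badca
sign_csr badca server-bad.crt
echo "server-bad.crt issuer vs subject: $(dn_relation server-bad.crt)"
echo "server-bad.crt against badca.crt: $(verify_against badca.crt server-bad.crt)"
```

The DN comparison is the check that does not depend on the openssl version: the second certificate always reports "same", and on 0.9.6 that name collision is exactly the path that prints error 18 followed by error 7. Newer releases also consult key identifiers when deciding whether a certificate is self-signed, so what the last verify line prints varies by version; the fix is the same either way, give the CA a Common Name that is not the server's hostname, so that issuer and subject differ.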
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
