[EMAIL PROTECTED] wrote:
>
> I have been trying to create server keys and certificates from my apache
> webserver all week. I am running openssl-0.9.6 apache_1.3.20 and
> mod_ssl-2.8.4-1.3.20 on a Solaris box 2.5.1. The only instructions I have are
> from www.modssl.org/docs/2.8/ssl_faq.html. It fails right at the end of the
> process. Error 18 says from the manual
> "The passed certificate is self signed and the same certificate cannot be found
> in the list of trusted certificates."

The attached process worked fine for me... Check you're doing the same
thing (looked like it to me).

Rgds,
Owen Boyle.

Making self signed certificates:
++++++++++++++++++++++++++++++++
NB: These certificates contain no pass-phrase so do not need user input
when you start apache. Also, they can be used by any server...
1) Make a random data file and set it up as $RANDFILE
# cd /home/apache/ssl/certs
# PATH=$PATH:/home/apache/bin
# export PATH
# cp /var/cron/olog temp
# gzip temp
# mv temp.gz random_data
# RANDFILE=/home/apache/ssl/certs/random_data
# export RANDFILE
2) Create an RSA private key and certificate for our Certificate Authority
# openssl genrsa -des3 -out ca.key 1024
password is "CA_PASSWORD"
Now make the certificate using the private key.
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
3) Now make a Certificate Signing Request for www.kiwi.com
# openssl genrsa -des3 -out kiwi.key 1024
# openssl rsa -in kiwi.key -out banana
# mv banana kiwi.key
# openssl req -new -key kiwi.key -out kiwi.csr
4) And sign it
# ./sign.sh kiwi.csr
Now we have
ca.crt        Certificate Authority certificate
ca.db.certs   ) CA databases, holding
ca.db.index   ) details of certificates
ca.db.serial  ) issued
ca.key        Certificate Authority private key
random_data   for random routines
sign.sh       script for signing certificates
kiwi.crt      www.kiwi.com certificate (sent with SSL requests)
kiwi.csr      KIWI certificate signing request (not really needed anymore)
kiwi.key      www.kiwi.com private key (decrypts public-key encoded messages)
- summary of commands
# openssl genrsa -des3 -out www.kiwi.com.key 1024
# openssl rsa -in www.kiwi.com.key -out banana
# mv banana www.kiwi.com.key
# openssl req -new -key www.kiwi.com.key -out www.kiwi.com.csr
# ./sign.sh www.kiwi.com.csr
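
Added example (not part of the original message or its attachment): a non-interactive run of steps 2 to 4 followed by `openssl verify`, showing that the CA-signed certificate verifies only when ca.crt is supplied as trusted, and that a self-signed certificate with no trust anchor gives the error 18 quoted above. Assumptions: `openssl x509 -req` stands in for sign.sh, the keys are unencrypted 2048-bit RSA in a temporary directory, and the subject names are constructed.

```shell
#!/bin/sh
# Added example. Subject names and the temp directory are constructed.

# Steps 2-4 of the notes, non-interactive: CA key + cert, server key + CSR, sign.
make_chain() {
    dir=$1
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null || return 1
    openssl req -new -x509 -days 365 -key "$dir/ca.key" \
        -subj "/O=Example Test CA/CN=Example Test CA" \
        -out "$dir/ca.crt" || return 1
    openssl genrsa -out "$dir/kiwi.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/kiwi.key" \
        -subj "/O=Kiwi/CN=www.kiwi.com" -out "$dir/kiwi.csr" || return 1
    # Assumption: "openssl x509 -req" stands in for sign.sh here.
    openssl x509 -req -days 365 -in "$dir/kiwi.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/kiwi.crt" 2>/dev/null || return 1
}

# Print "OK" or "error N" for certificate $1, trusting CA file $2 if given.
verify_result() {
    if [ -n "$2" ]; then
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    else
        out=$(openssl verify "$1" 2>&1) || true
    fi
    # Report the first "error N at <depth> depth lookup" line if there is one.
    err=$(printf '%s\n' "$out" | sed -n 's/.*\(error [0-9][0-9]*\) at.*/\1/p' | sed -n '1p')
    if [ -n "$err" ]; then echo "$err"
    elif printf '%s\n' "$out" | grep -q ': OK$'; then echo "OK"
    else echo "unknown"; fi
}

demo_dir=$(mktemp -d)
make_chain "$demo_dir" || { echo "openssl failed" >&2; exit 1; }
# Server certificate checked against the CA that signed it.
echo "kiwi.crt, ca.crt trusted: $(verify_result "$demo_dir/kiwi.crt" "$demo_dir/ca.crt")"
# Self-signed CA certificate with no trust anchor supplied.
echo "ca.crt, nothing trusted:  $(verify_result "$demo_dir/ca.crt")"
# Server certificate whose issuer is not available to the verifier.
echo "kiwi.crt, no CA supplied: $(verify_result "$demo_dir/kiwi.crt")"
rm -rf "$demo_dir"
```

For mod_ssl, the trust anchor used in the first check corresponds to pointing SSLCACertificateFile at ca.crt.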