Hi, I could make a certificate in the way given by you. I copied the .crt and .key files into /etc/httpd/conf/ssl.crt/server.crt and ../ssl.key/server.key respectively and then restarted the httpd. After that I set the multi.crt (I created it like this instead of your suggested kiwi.crt) and multi.key paths in the httpd conf file, /etc/httpd/conf/httpd.conf. I am attaching the relevant portions of the httpd.conf file here.

Now, to test whether my certificate works or not, I typed

openssl -x509 -noout -text -in multi.crt

and I observe that the certificate is the same as was generated by me. But when I open Netscape and type https://yogi (it is my host name), I get the same old certificate, which is "Snake Oil" etc.

Can someone tell me how I can get rid of that "Snake Oil" certificate for ever? Is there any documentation available out there?

Regards,
Murali Krishna Vemuri
Owen Boyle wrote:
"Murali K. Vemuri" wrote:
>
> > when i type make certificate, i get a certificate signed by Snake Oil CA
> > etc...
> > can someone please tell me how i can change these..?
>
> When starting out, it is easiest to make your own certificates. Later,
> you can buy a proper certificate. This is the procedure I use:
>
> Rgds,
>
> Owen Boyle.
>
> Making self signed certificates:
> ++++++++++++++++++++++++++++++++
>
> NB: These certificates contain no pass-phrase so do not need user input
> when you start apache. Also, can be used by any server...
>
> 1) Make a random data file and set it up as $RANDFILE
>
> # cd /usr/local/apache/ssl/certs
> # PATH=$PATH:/usr/local/apache/bin
> # export PATH
> # cp /var/cron/olog temp
> # gzip temp
> # mv temp.gz random_data
> # RANDFILE=/usr/local/apache/ssl/certs/random_data
> # export RANDFILE
>
> 2) Create a RSA private key and certificate for our Certificate
> Authority
>
> # openssl genrsa -des3 -out ca.key 1024
> password is "CA_PASSWORD"
> Now make the certificate using the private key.
> # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
>
> 3) Now make a Certificate Signing Request for www.kiwi.com
>
> # openssl genrsa -des3 -out kiwi.key 1024
> # openssl rsa -in kiwi.key -out banana
> # mv banana kiwi.key
> # openssl req -new -key kiwi.key -out kiwi.csr
>
> 4) And sign it
>
> # ./sign.sh kiwi.csr
>
> Now we have
>
> ca.crt        Certificate Authority certificate
> ca.db.certs   ) CA databases, holding
> ca.db.index   ) details of certificates
> ca.db.serial  ) issued
> ca.key        Certificate Authority private key
> random_data   for random routines
> sign.sh       script for signing certificates
> kiwi.crt      www.kiwi.com certificate (sent with SSL requests)
> kiwi.csr      KIWI certificate signing request (not really needed anymore)
> kiwi.key      www.kiwi.com private key (decrypts public-key encoded messages)
>
> - summary of commands
>
> # openssl genrsa -des3 -out www.kiwi.com.key 1024
> # openssl rsa -in www.kiwi.com.key -out banana
> # mv banana www.kiwi.com.key
> # openssl req -new -key www.kiwi.com.key -out www.kiwi.com.csr
> # ./sign.sh www.kiwi.com.csr
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  A test
#   certificate can be generated with `make certificate' under
#   built time.  Keep in mind that if you've both a RSA and a DSA
#   certificate you can configure both in parallel (to also allow
#   the use of DSA ciphers, etc.)
SSLCertificateFile /etc/httpd/conf/ssl.crt/multi.crt
#SSLCertificateFile /etc/httpd/conf/ssl.crt/server-dsa.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/multi.key
#SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server-dsa.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
SSLCACertificatePath /etc/httpd/conf/ssl.crt/
#SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt

#   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication or alternatively one huge file containing all
#   of them (file must be PEM encoded)
#   Note: Inside SSLCARevocationPath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/httpd/conf/ssl.crl
#SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10
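An added diagnostic for the situation described above, written here and not part of the thread or of mod_ssl: it reads which SSL directives in an httpd.conf fragment are actually active (a leading '#' makes a line a comment, so '#SSLCertificateFile ...' sets nothing) and compares the SHA-1 fingerprint of the certificate file on disk with the one the running server presents, the same value `openssl x509 -fingerprint -sha1` prints. The host name yogi and the file paths are taken from the message; the PEM bodies in the test are constructed, not real certificates.

```python
import base64, hashlib, re, ssl

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def active_ssl_directives(conf_text):
    """Map SSL* directive -> value, counting only uncommented lines."""
    found = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comment or blank: does not configure anything
        parts = line.split(None, 1)
        if parts[0].startswith("SSL"):
            found[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return found

def pem_fingerprint(pem_text):
    """SHA-1 over the DER body, formatted like 'openssl x509 -fingerprint -sha1'."""
    m = CERT_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block in input")
    der = base64.b64decode("".join(m.group(1).split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())

def served_fingerprint(host, port=443):
    """Fingerprint of the certificate the running server actually presents."""
    return pem_fingerprint(ssl.get_server_certificate((host, port)))

def diagnose(conf_text, disk_pem, served_fp):
    """List problems; an empty list means the browser sees the configured cert."""
    d = active_ssl_directives(conf_text)
    problems = []
    if d.get("SSLEngine", "").lower() != "on":
        problems.append("SSLEngine is not 'on' in this vhost")
    for key in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if key not in d:
            problems.append(f"{key} is missing or commented out")
    disk_fp = pem_fingerprint(disk_pem)
    if disk_fp != served_fp:
        problems.append(f"served {served_fp} != on-disk {disk_fp}: another vhost, "
                        "another config file, or a stale httpd is answering")
    return problems

if __name__ == "__main__":
    # Paths and host name from the message above; run this on the server itself.
    conf = open("/etc/httpd/conf/httpd.conf").read()
    disk = open("/etc/httpd/conf/ssl.crt/multi.crt").read()
    for p in diagnose(conf, disk, served_fingerprint("yogi")) or ["OK: served cert is multi.crt"]:
        print(p)
```

If the served fingerprint differs from the on-disk one while the directives look right, the answering vhost or process is not the one this fragment configures.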
