hmm, you did stop and start your apache? because restart didn't work for me
either ...
you'll have to stop apache and wait, until no more processes are left and
then start it again.

cheers,
Stefan

-----Original Message-----
From: Murali K. Vemuri [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 23 October 2001 09:17
To: [EMAIL PROTECTED]
Subject: Re: issuing certificate


hi,
i could make a certificate in the way given by you.
i copied the .crt and .key files into /etc/httpd/conf/ssl.crt/server.crt and
../ssl.key/server.key respectively and then restarted the httpd.
after that i set the multi.crt (i created like this instead of your suggested
kiwi.crt) and multi.key paths in the httpd conf file in the
/etc/httpd/conf/httpd.conf file.
i am attaching the relevant portions of the httpd.conf file here.
now, to test whether my certificate works or not, i typed
openssl -x509 -noout -text -in multi.crt
i observe that the certificate is same as was generated by me.
but, when i open netscape and type https://yogi (it is my host name), i get
the same old certificate which is "snake oil" etc.
can someone tell me how i can get rid of that "snake oil" certificate for
ever?
is there any documentation available out there?
regards
murali krishna vemuri

Owen Boyle wrote:
> "Murali K. Vemuri" wrote:

>
> > when i type make certificate, i get a certificate signed by Snake Oil CA
> > etc...
> > can someone please tell me how i can change these..?
>
> When starting out, it is easiest to make your own certificates. Later,
> you can buy a proper certificate. This is the procedure I use:
>
> Rgds,
>
> Owen Boyle.
>
> Making self signed certificates:
> ++++++++++++++++++++++++++++++++
>
> NB: These certificates contain no pass-phrase so do not need user input
> when you start apache. Also, can be used by any server...
>
> 1) Make a random data file and set it up as $RANDFILE
>
> # cd /usr/local/apache/ssl/certs
> # PATH=$PATH:/usr/local/apache/bin
> # export PATH
> # cp /var/cron/olog temp
> # gzip temp
> # mv temp.gz random_data
> # RANDFILE=/usr/local/apache/ssl/certs/random_data
> # export RANDFILE
>
> 2) Create a RSA private key and certificate for our Certificate
> Authority
>
> # openssl genrsa -des3 -out ca.key 1024
>         password is "CA_PASSWORD"
>         Now make the certificate using the private key.
> # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
>
> 3) Now make a Certificate Signing Request for www.kiwi.com
>
> # openssl genrsa -des3 -out kiwi.key 1024
> # openssl rsa -in kiwi.key -out banana
> # mv banana kiwi.key
> # openssl req -new -key kiwi.key -out kiwi.csr
>
> 4) And sign it
>
> # ./sign.sh kiwi.csr
>
> Now we have
>
> ca.crt          Certificate Authority certificate
> ca.db.certs     ) CA databases, holding
> ca.db.index     ) details of certificates
> ca.db.serial    ) issued
> ca.key          Certificate Authority private key
> random_data     for random routines
> sign.sh         script for signing certificates
> kiwi.crt        www.kiwi.com certificate (sent with SSL requests)
> kiwi.csr        KIWI certificate signing request (not really needed anymore)
> kiwi.key        www.kiwi.com private key (decrypts public-key encoded messages)
>
> - summary of commands
>
> # openssl genrsa -des3 -out www.kiwi.com.key 1024
> # openssl rsa -in www.kiwi.com.key -out banana
> # mv banana www.kiwi.com.key
> # openssl req -new -key www.kiwi.com.key -out www.kiwi.com.csr
> # ./sign.sh www.kiwi.com.csr
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
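
A way to check the symptom discussed in this thread (the browser still showing the Snake Oil certificate after new files were configured), as an added example that is not part of the original e-mails. The function names, the sample config and the file name old.crt are constructed for illustration; the openssl calls are standard.

```shell
#!/bin/sh
# Added example (not from the thread); sample config and names are constructed.

# Print "line<TAB>scope<TAB>directive<TAB>path" for every active (uncommented)
# SSLCertificateFile / SSLCertificateKeyFile directive in the config file $1.
ssl_cert_directives() {
    awk '
        /^[ \t]*#/ { next }
        { low = tolower($1) }
        low ~ /^<virtualhost/   { scope = $2; sub(/>$/, "", scope); next }
        low ~ /^<\/virtualhost/ { scope = ""; next }
        low == "sslcertificatefile" || low == "sslcertificatekeyfile" {
            printf "%d\t%s\t%s\t%s\n", NR, (scope == "" ? "global" : scope), $1, $2
        }
    ' "$1"
}

# Succeed if any active directive in config $1 still names the file $2.
still_references() {
    ssl_cert_directives "$1" | awk -F '\t' -v f="$2" '
        { n = split($4, p, "/"); if (p[n] == f) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Fingerprint of the certificate file $1.
file_fingerprint() { openssl x509 -noout -fingerprint -in "$1"; }

# Fingerprint of the certificate the server at $1 (host:port) presents.
served_fingerprint() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint
}

# Constructed httpd.conf fragment: a vhost still points at server.crt.
write_sample_conf() {
    cat >"$1" <<'EOF'
SSLCertificateFile /etc/httpd/conf/ssl.crt/multi.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/multi.key
<VirtualHost _default_:443>
  # SSLCertificateFile /etc/httpd/conf/ssl.crt/old.crt
  SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>
EOF
}

conf=$(mktemp) && write_sample_conf "$conf" && ssl_cert_directives "$conf"
rm -f "$conf"
```

After a full stop and start of Apache, the output of `file_fingerprint multi.crt` and `served_fingerprint yogi:443` should be identical; if they differ, the listing from `ssl_cert_directives` shows which scope still names the old file.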