CA.pl -newca
CA.pl -newreq
CA.pl -signreq
Everything went well (no errors), and I wound up with newcert.pem and newreq.pem (as well as cacert.pem as expected).
I renamed newcert.pem and newreq.pem to help identify them.
mv newcert.pem server.net.pem
mv newreq.pem server.net.key
I copied them to the Apache directories ssl.crt and ssl.key and edited the vhost-ssl.conf file to point to the proper files.
Here's the output of "openssl s_client -connect server.net:443":
root:~ # openssl s_client -connect server.net:443
CONNECTED(00000003)
depth=0 /C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED]
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED]
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED]
   i:/C=US/ST=State/O=Company/CN=servercert/[EMAIL PROTECTED]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDcjCCAtugAwIBAgIBATANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJVUzEQ
MA4GA1UECBMHSW5kaWFuYTEiMCAGA1UEChMZUHlyYW1pZCBNb3J0Z2FnZSBBdWRp
dGluZzEQMA4GA1UEAxMHcG1hY2VydDEkMCIGCSqGSIb3DQEJARYVc2Fua2VueUBu
[redacted]
7IJxQa5W/bwcEKU+MoBlUYO1d+HDng==
-----END CERTIFICATE-----
subject=/C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED]
issuer=/C=US/ST=State/O=Company/CN=servercert/[EMAIL PROTECTED]
---
No client certificate CA names sent
---
SSL handshake has read 1450 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: A526ACD02BA92C111FFA4E63FA293521429D1827014D2B57390FA99715ED7CDB
Session-ID-ctx:
Master-Key: 09A5F29D451372431FF71B3037A9943AA3106328D8EEA7422E88750FA4102F05F39FBB5C9906B2465D6B
Key-Arg : None
Start Time: 1095188189
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
closed
Here are the lines that bother me:
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate
Is there anything wrong with how I created these?
Mozilla times out when trying to connect to the server (with or without the certificate). What am I doing wrong?
Thanks for getting me this far.
Dr. Stephen Henson wrote:
You just need the examples. This will do the trick...
CA.pl -newca
CA.pl -newreq
CA.pl -signreq
The CA certificate is then in demoCA/cacert.pem, the new certificate in newcert.pem and the private key in newreq.pem.
Well, you can check the webserver is OK using OpenSSL's s_client command:
openssl s_client -connect myhostname.org:443
If that connects OK then at least the secure server is running and seeing the certificates. Then the error might be that Mozilla doesn't like the certificates: some "guides" suggest ways that produce invalid certificates.
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
--
"Well, you know what my dad always said? Having dreams is what makes life tolerable!"
-- Pete, Rudy's friend
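Added example, not from either poster in this thread: a throwaway CA and server certificate built with the plain openssl commands behind CA.pl -newca / -newreq / -signreq, then verified the two ways that matter here. A bare "openssl s_client -connect host:443" has no trust anchor for a private CA, so it reports error 20 (unable to get local issuer certificate) and ends with verify return code 21 even when the certificates were created correctly; handing the client the CA certificate with -CAfile (for openssl verify below, and likewise for s_client) is the check that tells a broken certificate apart from a merely untrusted one. The third check confirms that the .crt and .key files Apache is given actually belong together. All names, subjects and the temporary directory are made up; the openssl CLI is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce the s_client
# "verify error" numbers with a throwaway CA, then show the same
# certificate verifying cleanly once the CA certificate is supplied.
# Assumes the openssl CLI is on PATH; all subjects and paths are made up.

# Build a minimal CA and issue one server certificate into directory $1.
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Self-signed CA certificate (the role of demoCA/cacert.pem from CA.pl -newca).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/ST=State/O=Company/CN=Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Server key and CSR. CA.pl -newreq writes an encrypted key plus the CSR
    # into newreq.pem; -nodes keeps this example non-interactive.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=US/ST=State/O=Company/CN=server.net" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # Sign the CSR with the CA (the CA.pl -signreq step).
    openssl x509 -req -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null
}

# Verify the server certificate with no CA supplied, which is the situation
# a bare "openssl s_client -connect host:443" is in for a private CA.
# Prints the X509 verify error number (20 = unable to get local issuer certificate).
verify_error_without_ca() {
    openssl verify "$1/server.crt" 2>&1 \
        | grep -o 'error [0-9]* at [0-9]* depth' | head -n 1 | awk '{print $2}'
}

# Same certificate, but with the CA certificate supplied as the trust anchor.
# Prints OK when the chain verifies, FAIL otherwise.
verify_with_ca() {
    if openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Apache's ssl.crt and ssl.key must belong to the same RSA key pair;
# compare a digest of the modulus from each side. Prints MATCH or MISMATCH.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1/server.crt" | openssl sha256)
    k=$(openssl rsa  -noout -modulus -in "$1/server.key" | openssl sha256)
    if [ "$c" = "$k" ]; then echo MATCH; else echo MISMATCH; fi
}

# Usage: sh verify_chain.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_test_pki "$tmp"
    echo "without CA: error $(verify_error_without_ca "$tmp")"
    echo "with CA:    $(verify_with_ca "$tmp")"
    echo "key/cert:   $(key_matches_cert "$tmp")"
    rm -rf "$tmp"
fi
```

The same -CAfile switch works for s_client itself: "openssl s_client -connect server.net:443 -CAfile demoCA/cacert.pem" should end with "Verify return code: 0 (ok)" if the server is sending the certificate that the CA signed; if it still fails with the CA supplied, the certificate or the files handed to Apache are the problem rather than the client's trust store.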