Hello Dr. Henson,

And thank you again for this advice.

--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:

> I suggest you ignore that script: and use the CA.pl
> script and the appropriate
> documentation instead.

As suggested by you, I used the CA.pl script which
works okay. On this issue, I would like to ask some
follow-up questions:

1. Do I have to move server.key and ca.key to
/etc/ssl/private and ca.crt to the /etc/ssl/certs
directory, respectively?

2. Since the command sign.sh server.csr does not work
because the sign.sh script is kind of obsolete
already, do I have to move newreq.pem to the directory
/etc/ssl/certs if I issued the command
/etc/ssl/misc/CA.pl -newcert to create a new
certificate? And would it be okay if I remove
server.csr from the /etc/ssl directory?

3. I would like to secure my keys and certificate by
doing a chmod on the following:

# chmod 750 /etc/ssl/private/
# chmod 400 /etc/ssl/certs/ca.crt
# chmod 400 /etc/ssl/certs/newreq.pem
# chmod 400 /etc/ssl/private/ca.key
# chmod 400 /etc/ssl/private/server.key

Would this suffice as a security measure to
protect the integrity of the certificate itself?

4. And finally, since I am basically new to the field
of OpenSSL and have only come across this kind of open
source toolkit at school, may I ask some of you about
the benefits of OpenSSL in general if properly
implemented alongside Apache for a secured web site?

All I know is that OpenSSL is a robust,
commercial-grade, full-featured Open Source method of
implementing the Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as
a general-purpose cryptography library, as we have
been taught at school.

Any links, reading materials and the like for newbies
would be great. 

Thank you very much Dr. Henson and special
thanks/mention to the kind replies of Mr. Ringaby and
Mr. Sylvester.

More power to this group!

Sincerely,
Servie

> 
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys:
> see homepage
> OpenSSL project core developer and freelance
> consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
> 





                