On Tue, Jan 11, 2005, Servie Platon wrote:

> Hello Dr. Henson,
> 
> And thank you again for this advice.
> 
> --- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> 
> > I suggest you ignore that script: and use the CA.pl
> > script and the appropriate
> > documentation instead.
> 
> As suggested by you, I used the CA.pl script which
> works okay. On this issue, I would like to ask some
> follow-up questions:
> 
> 1. Do I have to move server.key and ca.key to
> /etc/ssl/private and ca.crt /etc/ssl/certs directory
> respectively?
> 

If you used CA.pl correctly there won't be a 'server.key' file initially. The
private key will be in newreq.pem.

You don't need to move ca.key at all.

What you need to do is move newreq.pem to wherever the server private key
needs to go (/etc/ssl/private/server.key) and the same with newcert.pem (the
new certificates) and copy the CA certificate which is in demoCA/cacert.pem.

> 2. Since the command sign.sh server.csr does not work
> because the sign.sh script is kind of obsoleted
> already, do I have to move newreq.pem to the directory
> /etc/ssl/certs if in case I issued the command
> /etc/ssl/misc/CA.pl -newcert to create a new
> certificate? And would it be okay if I remove
> server.csr from the /etc/ssl directory?
> 
> 3. I would like to secure my keys and certificate by
> doing a chmod on the following:
> 
> # chmod 750 /etc/ssl/private/
> # chmod 400 /etc/ssl/certs/ca.crt
> # chmod 400 /etc/ssl/certs/newreq.pem
> # chmod 400 /etc/ssl/private/ca.key
> # chmod 400 /etc/ssl/private/server.key
> 
> Would this suffice as a security measure to
> protect the integrity of the certificate itself?
> 

Yes, the 400 permissions are OK, though you only really need them on the private
key.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
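The installation Steve describes, written up as an added POSIX shell example (not code from the thread or from OpenSSL's CA.pl): it copies the CA.pl outputs into /etc/ssl as given above, restricts the private key to mode 400, and adds an audit of the key's mode plus an optional key/certificate match check. The target name server.crt, the function names and the working-directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: install CA.pl outputs and lock down the private key.
# Assumes CA.pl was run in $1 (so it holds newreq.pem, newcert.pem, demoCA/)
# and that $2 is the SSL root (e.g. /etc/ssl). Run as root for real paths.
set -eu

install_ssl_files() {
    workdir=$1
    ssl_dir=$2
    install -d -m 750 "$ssl_dir/private"
    install -d -m 755 "$ssl_dir/certs"
    # newreq.pem contains the private key (and the request): owner-read only.
    install -m 400 "$workdir/newreq.pem" "$ssl_dir/private/server.key"
    # Certificates are public data; world-readable is fine.
    install -m 444 "$workdir/newcert.pem" "$ssl_dir/certs/server.crt"
    install -m 444 "$workdir/demoCA/cacert.pem" "$ssl_dir/certs/ca.crt"
}

# Print a file's octal mode (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Audit: a private key must not be group- or world-readable.
check_private_key() {
    mode=$(mode_of "$1")
    case $mode in
        400|600) echo "ok: $1 mode $mode"; return 0 ;;
        *) echo "WARNING: $1 mode $mode is too permissive" >&2; return 1 ;;
    esac
}

# Optional: confirm the installed key belongs to the installed certificate
# by comparing RSA moduli. Skipped if openssl is missing; prompts for the
# key passphrase because CA.pl writes the key encrypted.
key_matches_cert() {
    command -v openssl >/dev/null || { echo "openssl not found, skipping" >&2; return 0; }
    k=$(openssl rsa -noout -modulus -in "$1" | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl md5)
    [ "$k" = "$c" ]
}
```

Usage: `install_ssl_files /path/where/CA.pl/ran /etc/ssl && check_private_key /etc/ssl/private/server.key`.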