On Tue, Jan 11, 2005, Servie Platon wrote:
> Hello Dr. Henson,
>
> And thank you again for this advice.
>
> --- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
>
> > I suggest you ignore that script: and use the CA.pl script and the appropriate documentation instead.
>
> As suggested by you, I used the CA.pl script which works okay. On this issue, I would like to ask some follow-up questions:
>
> 1. Do I have to move server.key and ca.key to /etc/ssl/private and ca.crt to the /etc/ssl/certs directory respectively?
>
If you used CA.pl correctly there won't be a 'server.key' file initially. The private key will be in newreq.pem. You don't need to move ca.key at all. What you need to do is move newreq.pem to wherever the server private key needs to go (/etc/ssl/private/server.key) and the same with newcert.pem (the new certificates) and copy the CA certificate which is in demoCA/cacert.pem.

> 2. Since the command sign.sh server.csr does not work because the sign.sh script is kind of obsoleted already, do I have to move newreq.pem to the directory /etc/ssl/certs if in case I issued the command /etc/ssl/misc/CA.pl -newcert to create a new certificate? And would it be okay if I remove server.csr from the /etc/ssl directory?
>
> 3. I would like to secure my keys and certificate by doing a chmod on the following:
>
> # chmod 750 /etc/ssl/private/
> # chmod 400 /etc/ssl/certs/ca.crt
> # chmod 400 /etc/ssl/certs/newreq.pem
> # chmod 400 /etc/ssl/private/ca.key
> # chmod 400 /etc/ssl/private/server.key
>
> Would this suffice as a security measure to protect the integrity of the certificate itself?
>

Yes, the 400 permissions are OK, though you only really need them on the private key.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
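The file placement and permission advice in this exchange, worked through as an added example (this is not code from the thread or from the OpenSSL project): a POSIX shell script that installs the CA.pl output Steve names (newreq.pem, newcert.pem, demoCA/cacert.pem) into a key directory and a certificate directory, then audits the result. The source directory layout, the target names server.crt and ca.crt, and the 444 mode for the public certificates are assumptions; only the private key and its directory get the restrictive modes from the thread. It uses install(1) so the key is created with mode 400 rather than being copied under the default umask and chmod'ed afterwards, and GNU stat for the audit.

```shell
#!/bin/sh
# Added example, not from the thread: install the files CA.pl produces
# into a server's key and certificate directories and lock them down.
# Assumed layout: $src_dir holds newreq.pem, newcert.pem and demoCA/cacert.pem;
# server.crt and ca.crt are assumed target names. Requires GNU stat and install.
#
# Usage: . ./install_tls_material.sh
#        install_tls_material /root/ca /etc/ssl/private /etc/ssl/certs
#        audit_tls_material /etc/ssl/private

install_tls_material() {
    src_dir=$1
    private_dir=$2   # e.g. /etc/ssl/private
    certs_dir=$3     # e.g. /etc/ssl/certs

    mkdir -p "$private_dir" "$certs_dir" || return 1
    # Key directory: owner rwx, group traversal only, nothing for others
    chmod 750 "$private_dir" || return 1

    # newreq.pem holds the server private key: create it as 400 directly,
    # so there is no window where the default umask leaves it readable
    install -m 400 "$src_dir/newreq.pem" "$private_dir/server.key" || return 1

    # Certificates are public material: read-only but readable by all is enough
    install -m 444 "$src_dir/newcert.pem" "$certs_dir/server.crt" || return 1
    install -m 444 "$src_dir/demoCA/cacert.pem" "$certs_dir/ca.crt" || return 1
}

# Return 0 if the file's mode bits grant no access to group or others
# (e.g. 400, 600, 700); print a warning and return 1 otherwise.
is_owner_only() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00|0) return 0 ;;
        *)     echo "WARNING: $1 is mode $mode; group/other have access" >&2
               return 1 ;;
    esac
}

# Audit an installed set: private key owner-only, key directory not
# accessible to 'other' (e.g. 750 or 700).
audit_tls_material() {
    private_dir=$1
    is_owner_only "$private_dir/server.key" || return 1
    dir_mode=$(stat -c '%a' "$private_dir") || return 1
    case "$dir_mode" in
        *0) return 0 ;;
        *)  echo "WARNING: $private_dir is mode $dir_mode; world-accessible" >&2
            return 1 ;;
    esac
}
```

Run the audit after every deployment, not just once: a later `cp` over server.key by another tool, or a package upgrade that recreates /etc/ssl/private, is exactly the kind of drift that silently undoes the 400 and 750 the thread recommends.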