On 10/31/2014 02:39 AM, Gavin Jones wrote:
> Hey Randy,
> Thanks for your reply, yes you have some good points.
>
> openssl x509 -in rootca.crt -noout -text | grep -i Version:
> Version: 3 (0x2)
> openssl x509 -in pulp01.rap.local.crt -noout -text | grep -i Version:
> Version: 1 (0x0)
>
> openssl x509 -in pulpca.crt -noout -text | grep -i Version:
> Version: 3 (0x2)
> This step: openssl x509 -req -days 3650 -CA pulpca.crt -CAkey pulpca.key
> -set_serial 01 -in pulp01.rap.local.csr -out pulp01.rap.local.crt
> produces an SSLv1 Cert NOT an SSLv3 Cert...need to modify this somehow...

This all looks OK - the httpd certificate does not need to be a v3 certificate (and should not be a CA certificate).

> vim /etc/httpd/conf.d/ssl.conf
>
> SSLCertificateFile /etc/pki/pulp_certs/pulpca.crt
> SSLCertificateKeyFile /etc/pki/pulp_certs/pulpca.key
> SSLCACertificateFile /etc/pki/pulp_certs/pulpca_chain.crt

I mentioned in my other e-mail that the SSLCACertificateFile needs to be unchanged because it's also set in pulp.conf to the correct value. Also, you shouldn't use your CA for the certificate and certificate key - those need to be that v1 certificate.

_______________________________________________
Pulp-list mailing list
Pulp-list@redhat.com
https://www.redhat.com/mailman/listinfo/pulp-list
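
The check the reply describes, as an added example that is not part of the original e-mail: before pointing SSLCertificateFile and SSLCertificateKeyFile at a pair, confirm the certificate is not a CA certificate, that the key belongs to it, and that it chains to the CA. The function names, the `pulp01.rap.local.key` file name and the one-day validity are assumptions; `make_demo_pki` builds a constructed throwaway CA and server certificate using the signing command from the thread.

```shell
#!/bin/sh
# Added example; file names mirror the thread, all keys are throwaway test keys.

# Print "ca" if the certificate asserts basicConstraints CA:TRUE, else "leaf".
cert_role() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo ca
    else
        echo leaf
    fi
}

# Succeed only if the certificate and the private key carry the same public key.
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Vet an SSLCertificateFile / SSLCertificateKeyFile pair against the CA.
# Args: server_cert server_key ca_cert
check_httpd_pair() {
    [ "$(cert_role "$1")" = leaf ] || { echo "FAIL: $1 is a CA certificate"; return 1; }
    key_matches "$1" "$2" || { echo "FAIL: $2 is not the key for $1"; return 1; }
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 \
        || { echo "FAIL: $1 is not signed by $3"; return 1; }
    echo "OK: $1"
}

# Build a constructed CA and server cert in directory $1 (last step: thread's signing command).
make_demo_pki() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = pulpca
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
        -keyout "$1/pulpca.key" -out "$1/pulpca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=pulp01.rap.local" \
        -keyout "$1/pulp01.rap.local.key" -out "$1/pulp01.rap.local.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -CA "$1/pulpca.crt" -CAkey "$1/pulpca.key" -set_serial 01 \
        -in "$1/pulp01.rap.local.csr" -out "$1/pulp01.rap.local.crt" 2>/dev/null
}
```

Run `make_demo_pki "$(mktemp -d)"` and pass the resulting files to `check_httpd_pair`; giving it `pulpca.crt` and `pulpca.key` as the server pair, as in the quoted ssl.conf, fails at the first check.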