Brian,
That worked flawlessly! Thanks so much!  I opted for the encrypted
private key. Question: Doesn't logrotate restart my apache server as it
rotates the logs? If so, I assume I'll need to be present to put in this
phrase. Is there any other way to have this step eliminated?

<<JAV>>

On Tue, 2003-02-18 at 14:13, Brian J. Smith-Sweeney wrote:
> There is a Makefile in /usr/share/ssl/certs for generating all kinds of
> stuff with openssl (csr's, certs, CA, keys, etc).  You can use the
> makefile by running, in that directory...
>       
>       "make ANYNAME.crt"
> 
> where ANYNAME is what you want the crt and key files to start with (I
> like to use the server name). 
> 
> This will generate a key and then guide you through the steps for
> generating a crt file.  The only problem is, it requires the use of a
> PEM passphrase, which means every time you restart your webserver you
> have to be there to type in that password.  If you want to avoid this,
> you can manually generate the key and make it unencrypted by typing 
> 
>       /usr/bin/openssl genrsa 1024 > ANYNAME.key
> 
> then run 
> 
>       "make ANYNAME.crt"
> 
> as above.  Now you'll get guided through generating the crt as before,
> but it will use an unencrypted private key and you won't have to type
> the password in each time you restart apache.  Of course, using an
> unencrypted private key has its own nasty implications which I'll leave
> to your imagination.
> 
> Once you have the crt and key files, you can replace the ones apache
> uses in the /etc/httpd/conf/httpd.conf file (by default they are
> server.crt and server.key).  You can either point the conf file to the
> files in /usr/share/ssl/certs, make symlinks from the /etc/httpd/conf
> directory, copy the files over, etc.; however you want to set it up so
> that it's intuitive.
> 
> Once you restart the apache server, you'll be able to go to your site
> with (hopefully) any browser, and remember the certificate permanently. 
> You don't need to create a CA with this configuration which I like.
> 
> A little side note: when you're creating that crt file, make sure when it
> asks for "Common Name" that you put the name of the site your
> clients will be pointing to.  For instance, if your server's name is
> "mail.example.com", but you have a DNS cname of "webmail.example.com"
> and that's the name your clients will be using, that must be what you
> use as the Common Name for your cert.  If you use mail.example.com, when
> people go to your site their browsers will give them an error saying the
> site name doesn't match the cert name.
> 
> Good luck,
> Brian
> 
> PS-I can rarely remember the syntax for this when necessary, so I often
> check the /usr/share/ssl/certs/makefile for the openssl lines I need.
> 
> 
> 
> -- 
> ========================================
> Brian Smith-Sweeney
> Senior Systems Administrator
> University of California, Santa Barbara
> Physics Department
> [EMAIL PROTECTED]
> (805)-893-8366
> ========================================
> 
> On Tue, 2003-02-18 at 10:32, Joe Polk wrote:
> > Okay, I am currently using the default cert on my Red Hat mail server to
> > provide (albeit crude) encryption to my web mail login page. Of course,
> > this cert is issued by localhost and will not save, so each visit a user
> > is prompted to accept the cert. I want to create a unique cert, but I
> > don't need a full-blown Thawte cert or anything. Do I need to create a
> > CA? RH7.3 doesn't appear to have CA.pl installed with OpenSSL by
> > default. I assume I will need this? Any help would be appreciated.
> > 
> > <<JAV>>
> > 
> > 
> > 
> 
> 
> 
> -- 
> redhat-list mailing list
> unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
> https://listman.redhat.com/mailman/listinfo/redhat-list
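For readers following the thread later: the script below is an added example, not something Brian or the redhat-list posted. It does the same job as the Makefile steps above without the interactive prompts (so the Common Name cannot be mistyped), writes an unencrypted key the way Brian's genrsa step does, and adds the checks you would want before pointing httpd.conf at the files: that the key really has no passphrase, that the CN and subjectAltName carry the name clients use, and that the key and cert belong together. It also shows how to strip the passphrase from an already-encrypted key, which is what the question at the top of this message needs. The scratch directory, the hostname webmail.example.com and the passphrase are constructed for illustration; 2048 bits is used instead of the thread's 1024, and the subjectAltName extension is added because current browsers check it rather than the CN.

```shell
#!/bin/sh
# Added example, not from the thread: generate an unencrypted RSA key plus a
# self-signed certificate whose Common Name (and subjectAltName, which modern
# browsers check instead of CN) is the hostname clients use, lock the key file
# down, and verify the result. WORKDIR, the hostname and the passphrase below
# are constructed for illustration, not the thread's paths.
set -eu
umask 077                                   # every file we create is owner-only
WORKDIR="${WORKDIR:-$(mktemp -d)}"          # assumption: scratch dir, not /usr/share/ssl/certs
NAME="${CERT_NAME:-webmail.example.com}"    # the DNS name clients type, i.e. the CN

# Non-interactive request config: prompt = no replaces the Makefile's questions,
# so the Common Name cannot be mistyped; the SAN extension carries the same name.
cat > "$WORKDIR/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3
prompt             = no
[dn]
CN = $NAME
[v3]
subjectAltName = DNS:$NAME
EOF

# Unencrypted 2048-bit RSA key (1024 bits, as in the thread, is no longer adequate).
gen_key() {
    openssl genrsa -out "$WORKDIR/$NAME.key" 2048 2>/dev/null
    chmod 600 "$WORKDIR/$NAME.key"          # unencrypted key: readable by its owner only
}

# Self-signed certificate for that key, valid one year.
gen_cert() {
    openssl req -new -x509 -days 365 -config "$WORKDIR/req.cnf" \
        -key "$WORKDIR/$NAME.key" -out "$WORKDIR/$NAME.crt"
}

# Succeeds if the key file carries no passphrase (no prompt when apache restarts).
# Traditional PEM marks encrypted keys "Proc-Type: 4,ENCRYPTED"; PKCS#8 uses
# "BEGIN ENCRYPTED PRIVATE KEY". Both contain the word ENCRYPTED.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# Write an unencrypted copy of a passphrase-protected key (what the thread's
# genrsa step achieves for a fresh key, applied to an existing one).
strip_passphrase() {
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
    chmod 600 "$3"
}

# Print the certificate's CN so it can be compared with the name clients use.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Succeeds if the certificate lists the name in subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Succeeds if the (unencrypted) key and certificate share a public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

gen_key
gen_cert
# Constructed passphrase-protected key, then a copy with the passphrase removed.
openssl genrsa -aes256 -passout pass:example-passphrase \
    -out "$WORKDIR/$NAME.enc.key" 2048 2>/dev/null
strip_passphrase "$WORKDIR/$NAME.enc.key" example-passphrase "$WORKDIR/$NAME.plain.key"
echo "cert CN: $(cert_cn "$WORKDIR/$NAME.crt") (files in $WORKDIR)"
```

Run it as-is to get a key and cert under a temporary directory, or set CERT_NAME to the cname your users type. An unencrypted key is only as safe as its file permissions, so the script uses umask 077 and chmod 600 and you should keep the copy apache reads owned by root and outside any web-served directory; on the logrotate question, check whether your logrotate configuration reloads httpd with a graceful restart, since any restart of an SSL virtual host with a passphrase-protected key will stop and wait for the passphrase.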