Sign a server CSR with my own CA
Hi,

I'm using a win32 binary version of Perl 5.6.1, mod_perl 1.25 and Apache 1.3.20, which also includes the apache module mod_ssl (2.8.4-1.3.20) based on OpenSSL (0.9.6a).

I created my own server CRT (passed some problems, e.g. redirect config file in openssl req, download missing openssl.cnf from www.modssl.org) and built my own CA.

But now I have problems signing the CRT with my own CA, because there is no sign.sh script for WinNT. I tried it with 'openssl ca' and went through several error messages (the last was a missing index.txt).

Has anybody succeeded in this? Or does anybody have another solution?

kind regards

Markus

--
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
RE: Sign a server CSR with my own CA
Search for CA.pl
Reply: RE: Sign a server CSR with my own CA
Done, but nothing found.
Re: Reply: RE: Sign a server CSR with my own CA
Markus,

It's a rather involved process, but here's what I did to get it to work. It's not the most elegant of methods, but it will get you started.

1) You'll need to generate your RSA keys for both your server and CA:

-->openssl rand -out random_data 65000
-->openssl genrsa -passout pass:your_server_password -des3 -rand random_data -out server.key 1024
-->openssl genrsa -passout pass:your_ca_password -des3 -rand random_data -out ca.key 1024

2) Now create your CSR:

-->openssl req -new -passin pass:your_server_password -config cert.conf -key server.key -out server.csr

Your "cert.conf" file should look something like:

    [ req ]
    default_keyfile    = server.csr
    distinguished_name = req_distinguished_name
    prompt             = no

    [ req_distinguished_name ]
    C            = US
    ST           = Califori.. uhh
    L            = Palo-Alto
    O            = Hewlett-Packard Co.
    OU           = WJA
    emailAddress = your e-mail address
    CN           = 123.123.123.123

3) Create a self-signed CA Certificate (X509 structure) with the RSA key of the CA (output will be PEM formatted) in ca.crt:

-->openssl req -new -x509 -passin pass:your_ca_password -config cert.conf -days 365 -key ca.key -out ca.crt

4) Have the new CA sign the server's CSR and store results in server.crt. This is the tricky part.

-->Create an empty file called "certIndex".
-->Create a file called "certSerialNo", and put a "01" in it
-->openssl ca -batch -passin pass:your_ca_password -config ca.conf -out server.crt -infiles server.csr

Your "ca.conf" file should look something like:

    [ ca ]
    default_ca = CA_default                                      # The default ca section

    [ CA_default ]
    dir              = c:/apache2/certificates/temp              # top dir
    new_certs_dir    = c:/apache2/certificates/temp              # new certs dir
    database         = c:/apache2/certificates/temp/certIndex    # index file.
    serial           = c:/apache2/certificates/temp/certSerialNo # serial no file
    RANDFILE         = c:/apache2/certificates/temp/random_data  # random number file
    certificate      = c:/apache2/certificates/temp/ca.crt       # The CA cert
    private_key      = c:/apache2/certificates/temp/ca.key       # CA private key
    default_days     = 365                                       # how long to certify for
    default_crl_days = 30                                        # how long before next CRL
    default_md       = md5                                       # md to use
    policy           = policy_any                                # default policy

    [ policy_any ]
    localityName           = supplied
    countryName            = supplied
    stateOrProvinceName    = supplied
    organizationName       = supplied
    organizationalUnitName = supplied
    commonName             = supplied
    emailAddress           = optional

That should do it. There are undoubtedly typos in there somewhere.

Good luck,
Ed
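
The signing procedure from the reply above, as an added example that is not part of the original thread: a POSIX shell function that creates the database and serial files, signs a CSR with `openssl ca`, verifies the result against the CA and reports the database state. It assumes an `openssl` binary on the PATH and works in a temporary directory; the subject names are constructed, the CA gets its own subject name, and 2048-bit keys, SHA-256 and unencrypted test keys stand in for the 1024-bit, MD5 and des3 settings in the post.

```shell
#!/bin/sh
# Added example: names, subjects and paths are constructed; throwaway test keys only.
sign_with_own_ca() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    : > certIndex            # empty certificate database ("index.txt" in the stock openssl.cnf)
    echo 01 > certSerialNo   # serial number (hex) for the first certificate issued
    cat > ca.conf <<EOF
[ req ]
distinguished_name = ca_dn
prompt             = no
x509_extensions    = v3_ca
[ ca_dn ]
CN = Constructed Test CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = CA_default
[ CA_default ]
new_certs_dir = $dir
database      = $dir/certIndex
serial        = $dir/certSerialNo
certificate   = $dir/ca.crt
private_key   = $dir/ca.key
default_days  = 365
default_md    = sha256
policy        = policy_any
[ policy_any ]
commonName = supplied
EOF
    # Self-signed CA certificate, then a server key and CSR (unencrypted test keys).
    openssl req -new -x509 -newkey rsa:2048 -nodes -config ca.conf -days 365 \
        -keyout ca.key -out ca.crt 2>/dev/null || exit 1
    openssl req -new -newkey rsa:2048 -nodes -config ca.conf \
        -subj "/CN=server.example.test" -keyout server.key -out server.csr 2>/dev/null || exit 1
    # The CA signs the CSR; this is the step that needs the database and serial files.
    openssl ca -batch -config ca.conf -notext -out server.crt -infiles server.csr \
        2>/dev/null || exit 1
    # The issued certificate must chain to the CA.
    openssl verify -CAfile ca.crt server.crt >/dev/null || exit 1
    # Report the database status flag (V = valid) and the next serial number.
    echo "$(cut -f1 certIndex) $(cat certSerialNo)"
    cd / && rm -rf "$dir"
)

sign_with_own_ca   # prints: V 02
```

After a successful run the database holds one line flagged `V` for the issued certificate and the serial file has advanced to `02`; `openssl ca` stops with an error if either file is missing.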
How to debug an https connection
Is there a way to debug https connections with Apache+Mod_SSL? We have some compatibility issue with IE and our web application. We'd like to know what's going on at a lower level but everything is encrypted.

Thanks,
Pierre
RE: How to debug an https connection
You can sniff traffic using ssldump. URL below. In addition, turn up your debug on your SSLEngine & monitor your logs

http://www.rtfm.com/ssldump/

Best..
Thomas Porter, Ph.D.
ScorpionPoint Security