Eliminate warning message from Netscape?
Is there a way to eliminate the warning message from Netscape when you sign keys with your own CA? I am still getting the warning message when I connect to my Apache modssl server using Netscape after creating a server key and signing it with my own CA.

brian
--
Brian Lavender
http://www.brie.com/brian/
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Get rid of Warning in Netscape browser?
Couple questions. Is there a way to get rid of the message from Netscape when using your own CA? Do you need to specify your own CA in the httpd.conf?

Here are the details to my questions:

I followed Jose's instructions:

    http://www.mail-archive.com/openssl-users%40openssl.org/msg28391.html

on creating my own CA and user certificate, but when I pop up my web server using my Netscape browser, it still gives the warning. I thought the whole purpose of creating the CA, the server cert, the user's cert was so that the browser would accept the server's public key without issuing a warning.

I am also wondering about a couple of Apache directives and if they are relevant and if I put the directives in the correct way.

    SSLCACertificatePath /home/blavende/project/mefg/CA/demoCA
    SSLCACertificateFile /home/blavende/project/mefg/CA/demoCA/cacert.pem

Here is the directory structure of my CA.

    /home/blavende/project/mefg/CA/demoCA
    /home/blavende/project/mefg/CA/demoCA/certs
    /home/blavende/project/mefg/CA/demoCA/crl
    /home/blavende/project/mefg/CA/demoCA/newcerts
    /home/blavende/project/mefg/CA/demoCA/newcerts/01.pem
    /home/blavende/project/mefg/CA/demoCA/newcerts/02.pem
    /home/blavende/project/mefg/CA/demoCA/private
    /home/blavende/project/mefg/CA/demoCA/private/cakey.pem
    /home/blavende/project/mefg/CA/demoCA/serial
    /home/blavende/project/mefg/CA/demoCA/index.txt
    /home/blavende/project/mefg/CA/demoCA/cacert.pem
    /home/blavende/project/mefg/CA/demoCA/serial.old
    /home/blavende/project/mefg/CA/demoCA/index.txt.old

brian
--
Brian Lavender
http://www.brie.com/brian/
Makefile for client keys
For the SSLCACertificatePath directive, it mentions that you must use a Makefile to create the indexes. Where do I find this Makefile?

    http://www.modssl.org/docs/2.8/ssl_reference.html#ToC13

brian
--
Brian Lavender
http://www.brie.com/brian/
Configuring my own CA
I am trying to configure my web server so when user brian attempts to connect to https://myhost/brian/ it authenticates him via his certificate and it allows him to view the directory. I successfully compiled apache + modssl with a test certificate signed by Snake Oil.

So, here goes on the questions.

Do I need to create my own Certificate Authority?
If I create my own CA, how do I get Netscape to use it as a CA? I am using Netscape 4.7 on Solaris.
If I create my own CA, does my Apache/modssl server perform that function?
Do I need to create a certificate for Brian? Does it have to be signed by the CA?

Here are the answers I came up with so far.

It looks like I need to create a CA and that I can run it on my modssl alongside the server.crt.

Here is how I created the CA:

    $ openssl genrsa -des3 -out ca.key 1024

I created a self-signed CA certificate.

    $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

So this created my certificate authority certificate.

I created a server.key. The CN for the server.key is the FQDN of my modssl web server.

    $ openssl genrsa -des3 -out server.key 1024

I created a request (server.csr) using that server key.

    $ openssl req -new -key server.key -out server.csr

Then I signed the server key with the command:

    $ ./sign.sh server.csr

which produced a server.crt file.

So, it looks like I have a CA and the server certificate.

I created a key for myself which I signed using the CA.

    $ openssl genrsa -des3 -out brian.key 1024
    $ openssl req -new -key brian.key -out brian.csr
    $ sign.sh brian.csr

Then I end up with the following files.

    brian.crt  ca.crt               ca.db.serial  server.crt
    brian.csr  ca.db.certs/         ca.key        server.csr
    brian.key  ca.db.indexfile.p12  server.key

I can't seem to import my key (brian.crt) into my Netscape browser though. Is there some other format I need to import it into?

brian
--
Brian Lavender
http://www.brie.com/brian/
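
The steps from the posts above, rebuilt as an added example that is not part of the original posts: it creates a CA, a server certificate and a user certificate, checks that a certificate verifies only against the CA that signed it (the trust decision a client makes once it holds that CA certificate), and bundles the user's key and certificate as PKCS#12, the usual container for moving a client certificate together with its private key into a browser. It uses openssl x509 -req in place of the sign.sh script from the post; the subject names, 2048-bit keys, unencrypted key files and the export password are assumptions chosen so the script runs without prompts.

```shell
#!/bin/sh
# Added example, not from the original posts. Subject names, the 2048-bit key
# size and the export password are constructed; keys are left unencrypted
# (-nodes) only so the script runs without prompts.

issue_cert() {   # issue_cert <basename> <CN>: new key + CSR, signed by ./ca.*
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 365 -out "$1.crt" 2>/dev/null
}

chains_to() {    # chains_to <ca.crt> <cert>: true only if <cert> verifies
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

build_pki() (    # build_pki <dir>: runs in a subshell so the cd stays local
    mkdir -p "$1" && cd "$1" || exit 1
    # Self-signed CA certificate: the file a client has to trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -keyout ca.key -out ca.crt 2>/dev/null || exit 1
    issue_cert server myhost.example || exit 1
    issue_cert brian brian || exit 1
    # brian.crt alone carries no private key; the PKCS#12 bundle holds
    # key + certificate + CA certificate in one password-protected file.
    openssl pkcs12 -export -inkey brian.key -in brian.crt -certfile ca.crt \
        -name brian -passout pass:constructed-demo -out brian.p12
)

dir=$(mktemp -d)
build_pki "$dir" && chains_to "$dir/ca.crt" "$dir/server.crt" &&
    echo "server.crt and brian.p12 written to $dir"
```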