Configuring my own CA

2002-10-17 Thread Brian Lavender
I am trying to configure my web server so when user brian attempts
to connect to https://myhost/brian/ it authenticates him via his
certificate and it allows him to view the directory. I successfully
compiled apache + modssl with a test certificate signed by
Snake Oil. So, here goes on the questions.

Do I need to create my own Certificate Authority? If I create my
own CA, how do I get Netscape to use it as a CA? I am using Netscape
4.7 on Solaris. If I create my own CA, does my Apache/modssl server perform
that function?

Do I need to create a certificate for Brian? Does it have to be signed 
by the CA? 

Here are the answers I came up with so far.

It looks like I need to create a CA and that I can run it on my modssl
alongside the server.crt. Here is how I created the CA:

$ openssl genrsa -des3 -out ca.key 1024 

I created a self-signed CA certificate.

$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt 

So this created my certificate authority certificate.

I created a server.key. The CN for the server.key is the FQDN of
my modssl web server.

$ openssl genrsa -des3 -out server.key 1024

I created a request (server.csr) using that server key.

$ openssl req -new -key server.key -out server.csr

Then I signed the server key with the command:

$ ./sign.sh server.csr 

which produced a server.crt file. So, it looks like I have a CA and the
server certificate. 

I created a key for myself, which I signed using the CA.

$ openssl genrsa -des3 -out brian.key 1024
$ openssl req -new -key brian.key -out brian.csr
$ sign.sh brian.csr 

Then I end up with the following files. 

brian.crt  ca.crt        ca.db.serial  server.crt
brian.csr  ca.db.certs/  ca.key        server.csr
brian.key  ca.db.index   file.p12      server.key

I can't seem to import my key (brian.crt) into my Netscape browser
though. Is there some other format I need to import it into?

brian
-- 
Brian Lavender
http://www.brie.com/brian/
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
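For the server side of the question (make https://myhost/brian/ require a client certificate issued by the private CA, and let only the certificate with CN=brian through), the mod_ssl directives of that era look like the following. This is an added example, not configuration from the thread; the file paths follow mod_ssl's default ssl.crt/ssl.key layout but are assumptions, and the CN "brian" is taken from the poster's own certificate.

```apache
# Added example: mod_ssl virtual host using the server.crt / ca.crt
# produced above. Paths under /usr/local/apache/conf/ are assumptions.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

    # The CA certificate that signed the client certificates. Apache
    # verifies presented client certificates against this file and
    # also names this CA in its certificate request, which is how the
    # browser decides which of its client certificates to offer.
    SSLCACertificateFile  /usr/local/apache/conf/ssl.crt/ca.crt

    # Rest of the site: no client certificate needed.
    SSLVerifyClient none

    <Location /brian/>
        # A valid certificate chaining directly to ca.crt is mandatory here.
        SSLVerifyClient require
        SSLVerifyDepth  1
        # Valid is not enough: any certificate our CA issued would pass the
        # check above, so pin this directory to the subject CN "brian".
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "brian"
    </Location>
</VirtualHost>
```

Two points worth checking when this does not behave: SSLCACertificateFile must hold the CA certificate (ca.crt), not the user certificates themselves; and because the requirement is per-Location rather than per-vhost, mod_ssl has to renegotiate the SSL session after it sees the request URL, so a browser that cannot renegotiate will fail with an SSL error rather than a clean 403.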



RE: Configuring my own CA

2002-10-17 Thread Jose Correia (J)
Hi Brian

Netscape needs a PKCS12 format.

I emailed the openssl list on the 16/10/2002 with subject "Re: CSR/CA
Issued Certificate"
where among other things I show how to create CA, server and client
certificates (not keys) and how to convert them to PKCS12 format and
import them into the browser.

Cheers
Jose


-Original Message-
From: Brian Lavender [mailto:brian@brie.com]
Sent: 18 October 2002 03:30
To: [EMAIL PROTECTED]
Subject: Configuring my own CA
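The whole procedure from the first post (CA key and self-signed CA certificate, CA-signed server and client certificates) together with the step the reply points at (converting the client certificate plus its key into PKCS#12 so a browser can import it), as an added example that is not code from either poster. It carries its own minimal OpenSSL config so it does not depend on the system openssl.cnf or on mod_ssl's sign.sh; the work directory ./demo-ca, the CN values, the extension sets and the import password are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a private CA that issues a server
# certificate and a client certificate, then bundles the client certificate
# and key as PKCS#12 for browser import. Directory, names and password are
# assumptions. Requires the openssl command-line tool.
set -eu

WORKDIR="${WORKDIR:-./demo-ca}"

# Minimal OpenSSL config: the CA certificate gets CA:TRUE and keyCertSign,
# which is what openssl verify (and a browser) require of a trust anchor.
write_config() {
    mkdir -p "$WORKDIR"
    cat > "$WORKDIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = Demo Private CA
[ca_ext]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# CA private key and self-signed CA certificate (ca.key / ca.crt in the thread).
make_ca() {
    write_config
    openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -config "$WORKDIR/ca.cnf" \
        -key "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt"
}

# issue_cert NAME SUBJECT EXTLINE...: key, CSR and CA-signed certificate for
# NAME. Every remaining argument becomes one line of the x509v3 extension
# file, so server and client certificates get different key usages.
issue_cert() {
    name=$1; subj=$2; shift 2
    openssl genrsa -out "$WORKDIR/$name.key" 2048 2>/dev/null
    openssl req -new -config "$WORKDIR/ca.cnf" -key "$WORKDIR/$name.key" \
        -subj "$subj" -out "$WORKDIR/$name.csr"
    printf '%s\n' "$@" > "$WORKDIR/$name.ext"
    openssl x509 -req -days 365 -in "$WORKDIR/$name.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/$name.ext" -out "$WORKDIR/$name.crt" 2>/dev/null
}

# Certificate + private key + CA certificate in one PKCS#12 file, the
# format a browser's certificate import dialog expects (a bare .crt has
# no key in it, which is why importing brian.crt alone fails).
make_p12() {
    name=$1; pass=$2
    openssl pkcs12 -export -in "$WORKDIR/$name.crt" -inkey "$WORKDIR/$name.key" \
        -certfile "$WORKDIR/ca.crt" -name "$name" \
        -passout "pass:$pass" -out "$WORKDIR/$name.p12"
}

# Exit 0 only if NAME's certificate chains to our CA.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$1.crt" >/dev/null
}

# Print the subject CN of NAME's certificate (mod_ssl exposes this value
# as SSL_CLIENT_S_DN_CN for SSLRequire).
cert_cn() {
    openssl x509 -in "$WORKDIR/$1.crt" -noout -subject -nameopt RFC2253 |
        sed 's/.*CN=\([^,]*\).*/\1/'
}

# Print the CN of the certificate inside NAME.p12, to confirm the bundle
# really carries the client certificate before handing it to a browser.
p12_cn() {
    openssl pkcs12 -in "$WORKDIR/$1.p12" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject -nameopt RFC2253 |
        sed 's/.*CN=\([^,]*\).*/\1/'
}

demo() {
    make_ca
    issue_cert server "/CN=myhost.example.test" \
        "basicConstraints=CA:FALSE" "extendedKeyUsage=serverAuth" \
        "subjectAltName=DNS:myhost.example.test"
    issue_cert brian "/CN=brian/O=Demo" \
        "basicConstraints=CA:FALSE" "extendedKeyUsage=clientAuth"
    make_p12 brian "import-password"
    verify_chain server
    verify_chain brian
    echo "client certificate CN: $(cert_cn brian)"
}

if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not found" >&2; fi
```

The file handed to the browser is demo-ca/brian.p12; the browser needs both the key and the certificate, which is why a .crt alone does not import. The CA certificate is bundled into the PKCS#12 as well, so importing it also makes the browser trust the private CA. One caveat for current tooling: OpenSSL 3 writes PKCS#12 with AES and PBKDF2 by default, which very old browsers cannot read; its pkcs12 command accepts a -legacy option for those cases.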