Re: Problems with creating own CA

2002-12-03 Thread Sasa STUPAR
Well, the thing is that just adding ...-config openssl.cnf... was
enough. Now it works.

Thanx

Long, Liesheng wrote:
 Do .csr first, then do .crt
 
 Try the following commands, add your path if needed:
 
 1. openssl req -config openssl.cnf -new -key ca.key -out ca.csr
 2. openssl x509 -extfile openssl.cnf -days 365 -signkey ca.key \
   -in ca.csr -req -out ca.crt
 
 
 __
 Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
 User Support Mailing List  [EMAIL PROTECTED]
 Automated List Manager[EMAIL PROTECTED]
 
 
 



Re: Problems with creating own CA

2002-12-03 Thread Sasa STUPAR
OK, so creating a certificate is done. How do I sign it? I am using
Windows but I have read in the documents to use sign.sh in mod-perl. Ok
but I am not having Linux anywhere near me. So what can I do?

Sasa STUPAR wrote:
 Well, the thing is that just adding ...-config openssl.cnf... was
 enough. Now it works.
 
 Thanx
 



Re: Problems with creating own CA

2002-12-03 Thread Maurizio Marini

On Tuesday 03 December 2002 03:22 pm, Sasa STUPAR wrote:
 OK, so creating a certificate is done. How do I sign it? I am using
 Windows but I have read in the documents to use sign.sh in mod-perl. Ok
 but I am not having Linux anywhere near me. So what can I do?
 

try a self-signed
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout server.key -out server.crt


-- 
Maurizio Marini



Re: Problems with creating own CA

2002-12-03 Thread Sasa STUPAR
Ok I have made a server certificate and a client certificate. I have
configured apache and ssl.conf with everything necessary BUT when I try
to connect to myserver:443 it tells me connection has been refused.
Any idea?

Maurizio Marini wrote:
 
 On Tuesday 03 December 2002 03:22 pm, Sasa STUPAR wrote:
  OK, so creating a certificate is done. How do I sign it? I am using
  Windows but I have read in the documents to use sign.sh in mod-perl. Ok
  but I am not having Linux anywhere near me. So what can I do?
  
 
 try a self-signed
 openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout server.key -out server.crt
 
 
 -- 
 Maurizio Marini



RE: Problems with creating own CA

2002-12-02 Thread Long, Liesheng
Do .csr first, then do .crt

Try the following commands, add your path if needed:

1. openssl req -config openssl.cnf -new -key ca.key -out ca.csr
2. openssl x509 -extfile openssl.cnf -days 365 -signkey ca.key \
-in ca.csr -req -out ca.crt


-----Original Message-----
From: Sasa STUPAR [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, November 28, 2002 11:50 AM
To: [EMAIL PROTECTED]
Subject: Re: Problems with creating own CA

One thing, if I try to use directly with the command openssl req -new
-x509 -days 365 -key ca.key -out ca.crt I get back error like before
with also that it cannot load config info.
Any idea?




Re: Problems with creating own CA

2002-11-28 Thread Maurizio Marini

On Thursday 28 November 2002 03:45 pm, Sasa STUPAR wrote:
unable to find a 'distinguished_name' in config.

in your openssl.cnf you should uncomment lines regarding distinguished_name;
otherwise re-post with it attached

-- 
Maurizio Marini



Re: Problems with creating own CA

2002-11-28 Thread Sasa STUPAR
They are already uncommented. Here is attached my config file.

Maurizio Marini wrote:
 
 On Thursday 28 November 2002 03:45 pm, Sasa STUPAR wrote:
 unable to find a 'distinguished_name' in config.
 
 in your openssl.cnf you should uncomment lines regarding distinguished_name;
 otherwise re-post with it attached
 
 -- 
 Maurizio Marini
 


#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file               = $ENV::HOME/.oid
oid_section             = new_oids

# To use this configuration file with the -extfile option of the
# openssl x509 utility, name here the section containing the
# X.509v3 extensions to use:
# extensions            = 
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6


[ ca ]
default_ca              = CA_default            # The default ca section


[ CA_default ]

dir                     = ./demoCA              # Where everything is kept
certs                   = $dir/certs            # Where the issued certs are kept
crl_dir                 = $dir/crl              # Where the issued crl are kept
database                = $dir/index.txt        # database index file.
new_certs_dir           = $dir/newcerts         # default place for new certs.

certificate             = $dir/cacert.pem       # The CA certificate
serial                  = $dir/serial           # The current serial number
crl                     = $dir/crl.pem          # The current CRL
private_key             = $dir/private/cakey.pem # The private key
RANDFILE                = $dir/private/.rand    # private random number file

x509_extensions         = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the traditional
# (and highly broken) format.
name_opt                = ca_default            # Subject Name options
cert_opt                = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days            = 365                   # how long to certify for
default_crl_days        = 30                    # how long before next CRL
default_md              = md5                   # which md to use.
preserve                = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy                  = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional


[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options. 
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK: a literal 
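
The error discussed in this thread, "unable to find 'distinguished_name' in config", can be checked offline. The following is an added example (not part of any message in this thread and not OpenSSL code) that parses config text and reports which link `openssl req` would find missing, and which config path applies. The sample input is constructed from the `[ req ]` lines posted above plus a hypothetical `req_distinguished_name` section, and the function names are illustrative.

```python
import re

# Constructed sample: [ req ] keys as posted in the attachment above, plus a
# hypothetical req_distinguished_name section (the archived file is cut off before it).
SAMPLE_CNF = """\
HOME = .
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name   # section that must exist
[ req_distinguished_name ]
commonName = Common Name (eg, your name or your server's hostname)
commonName_max = 64
"""

def parse_cnf(text):
    """Parse OpenSSL-style config text into {section: {key: value}}."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def config_path(argv, env):
    """Config file req would read: -config beats OPENSSL_CONF; None = build default."""
    if "-config" in argv[:-1]:
        return argv[argv.index("-config") + 1]
    return env.get("OPENSSL_CONF")

def check_req(text):
    """Return the reasons 'openssl req' could not find a distinguished_name."""
    sections = parse_cnf(text)
    req = sections.get("req")
    if req is None:
        return ["no [ req ] section (wrong or unreadable config file?)"]
    dn = req.get("distinguished_name")
    if dn is None:
        return ["[ req ] has no distinguished_name key"]
    if dn not in sections:
        return [f"distinguished_name points to missing section [ {dn} ]"]
    return []
```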

Re: Problems with creating own CA

2002-11-28 Thread Maurizio Marini

On Thursday 28 November 2002 05:01 pm, Sasa STUPAR wrote:
 They are already uncommented. Here is attached my config file.
I've:
commonName  = Common Name (eg, your name or your server\'s 
hostname)
commonName_max  = 64
commonName_default  = iris.dev.datalogica.com

it seems u lack this:
commonName_default  = your_fqdn

-- 
Maurizio Marini GSM +39-335-8259739
Altamura: +39-080-3105228   Fax +39-080-3105228
Pesaro: +39-0721-54277  Fax +39-0721-415055



Re: Problems with creating own CA

2002-11-28 Thread Sasa STUPAR
Well, I have added what you've told me but still the same problem.



Maurizio Marini wrote:
 
 On Thursday 28 November 2002 05:01 pm, Sasa STUPAR wrote:
  They are already uncommented. Here is attached my config file.
 I've:
 commonName  = Common Name (eg, your name or your server\'s 
 hostname)
 commonName_max  = 64
 commonName_default  = iris.dev.datalogica.com
 
 it seems u lack this:
 commonName_default  = your_fqdn
 
 -- 
 Maurizio Marini   GSM +39-335-8259739
 Altamura: +39-080-3105228 Fax +39-080-3105228
 Pesaro:   +39-0721-54277  Fax +39-0721-415055



Re: Problems with creating own CA

2002-11-28 Thread Sasa STUPAR
One thing, if I try to use directly with the command openssl req -new
-x509 -days 365 -key ca.key -out ca.crt I get back error like before
with also that it cannot load config info.
Any idea?

Maurizio Marini wrote:
 
 On Thursday 28 November 2002 05:01 pm, Sasa STUPAR wrote:
  They are already uncommented. Here is attached my config file.
 I've:
 commonName  = Common Name (eg, your name or your server\'s 
 hostname)
 commonName_max  = 64
 commonName_default  = iris.dev.datalogica.com
 
 it seems u lack this:
 commonName_default  = your_fqdn
 
 -- 
 Maurizio Marini   GSM +39-335-8259739
 Altamura: +39-080-3105228 Fax +39-080-3105228
 Pesaro:   +39-0721-54277  Fax +39-0721-415055



Re: Problems with creating own CA

2002-11-28 Thread Maurizio Marini

On Thursday 28 November 2002 05:53 pm, Sasa STUPAR wrote:
 I have here made a printscr and saved it in a word doc. Please look at
 it, maybe it will give some clue.
in fact!
it seems that you lack openssl.conf pathname in your env vars
check your env and search for something related to this
byez!

-- 
Maurizio Marini GSM +39-335-8259739
Altamura: +39-080-3105228   Fax +39-080-3105228
Pesaro: +39-0721-54277  Fax +39-0721-415055