CA and certs

1999-01-04 Thread hUnTeR

Dear list readers:

I found what I believe to be the problem that I am having. When I go to
sign the server.csr, I get the following error after committing:

error 7 at 0 depth lookup:certificate signature failure

And that is why I am getting the signature error in Apache trying to
connect to the https.

Any ideas?
-- 
Michael B. Weiner
Systems Administrator/Partner
The UserFriendly Network (UFN)
--

 / /  (_)__  __   __
/ /__/ / _ \/ // /\ \/ /  
   //_/_//_/\_,_/ /_/\_\ 

 * * * CHOICE OF A GNU GENERATION * * *
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



ca and certs

1999-11-06 Thread hUnTeR

Dear list readers - 

Sorry to be such a pest, but does anyone have a ca.config that they
could share with me so I can see the correct syntax of this file? I
would greatly appreciate it.

Regards



Re: CA and certs

1999-11-06 Thread cfaber

your CA information has to be different from the information listed in
the key you wish to sign. Try that and it should work.

hUnTeR wrote:
> 
> Dear list readers:
> 
> I found what I believe to be the problem that I am having. When I go to
> sign the server.csr, I get the following error after committing:
> 
> error 7 at 0 depth lookup:certificate signature failure
> 
> And that is why I am getting the signature error in Apache trying to
> connect to the https.
> 
> Any ideas?

-- 
Colin Faber
Perl programer, Systems administration
fpsn.net, Inc.
[EMAIL PROTECTED]

www.fpsn.net



Re: CA and certs

1999-11-06 Thread hUnTeR

[EMAIL PROTECTED] wrote:
> 
> your CA information has to be different from the information listed in
> the key you wish to sign. Try that and it should work.
> 

Colin - 

Here is the procedure i followed:

1) /usr/share/ssl/mod_ssl/ openssl genrsa -des3 -out ca.key 1024
1112 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.+
.+
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:


2) /usr/share/ssl/mod_ssl/ openssl req -new -x509 -days 365 -key ca.key
-out ca.crt
Using configuration from /usr/local/openssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Ohio
Locality Name (eg, city) []:Lakewood
Organization Name (eg, company) [Internet Widgits Pty Ltd]:The UserFriendly Network
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, YOUR name) []:UFN CA
Email Address []:[EMAIL PROTECTED]


3) /usr/share/ssl/mod_ssl/ openssl genrsa -des3 -out server.key 1024
1112 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...+
..+
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

4) /usr/share/ssl/mod_ssl/ openssl req -new -key server.key -out
server.csr
Using configuration from /usr/local/openssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Ohio
Locality Name (eg, city) []:Lakewood
Organization Name (eg, company) [Internet Widgits Pty Ltd]:The UserFriendly Network
Organizational Unit Name (eg, section) []:Web Development Unit
Common Name (eg, YOUR name) []:www.userfriendly.net
Email Address []:[EMAIL PROTECTED]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

5) /usr/share/ssl/mod_ssl/ ./sign.sh server.csr
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName   :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'Ohio'
localityName  :PRINTABLE:'Lakewood'
organizationName  :PRINTABLE:'The UserFriendly Network'
organizationalUnitName:PRINTABLE:'Web Development Unit'
commonName:PRINTABLE:'www.userfriendly.net'
emailAddress  :IA5STRING:'[EMAIL PROTECTED]'
Certificate is to be certified until Nov  6 02:06:59 2000 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK


6) /usr/share/ssl/mod_ssl/ openssl rsa -in server.key.org -out
server.key
read RSA private key
Enter PEM pass phrase:
writing RSA private key


7) /usr/share/ssl/mod_ssl/ chmod 400 server.key
/usr/share/ssl/mod_ssl/ cp server.crt /etc/httpd/conf/
cp: overwrite `/etc/httpd/conf/server.crt'? y
/usr/share/ssl/mod_ssl/ cp server.key /etc/httpd/conf/
cp: overwrite `/etc/httpd/conf/server.key'? y
/usr/share/ssl/mod_ssl/ /etc/rc.d/init.d/httpd restart


I restarted the webserver and STILL get the annoying message about the
signature:

"The server's certificate has an invalid signature. You will not be able
to connect to this site securely."

Now, I took your advice as evidenced above, and still got the same
result. Any ideas?

Regards

Re: CA and certs

1999-11-06 Thread Dom Gallagher

> Country Name (2 letter code) [AU]:US
> State or Province Name (full name) [Some-State]:Ohio
> Locality Name (eg, city) []:Lakewood
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:The UserFriendly Network
> Organizational Unit Name (eg, section) []:Certificate Authority
> Common Name (eg, YOUR name) []:UFN CA

Nope, needs to be something like secure.userfriendly.net. It's the machine
name, not anything else that might be hinted at by calling it Common Name.

> Email Address []:[EMAIL PROTECTED]

Dom Gallagher ([EMAIL PROTECTED])
Systems Administrator
Stayfree Internet




Re: ca and certs

1999-11-06 Thread Lutz Jaenicke

On Sat, Nov 06, 1999 at 03:58:36PM -0500, hUnTeR wrote:
> Dear list readers - 
> 
> Sorry to be such a pest, but does anyone have a ca.config that they
> could share with me so i can see the correct syntax of this file. I
> would greatly appreciate it.

Michael, I won't comment on the pest aspect.
Please make sure that you really understand what you are doing and that
you did check all resources to find the problem yourself.
I am definitely missing the logfile entries for the apache startup and
for your connection attempts. Maybe they already include the hint you are
looking for.
Another approach is to take the openssl CA.pl tool for generating
the certs; it will hide some part of the process for you.
Please consider reading
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/doc/myownca.html
as a description of this way (which is just hiding the full process by
wrapping it with a, hmm, comfortable script).

Regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



RE: CA and certs

1999-11-07 Thread Mark Einreinhof

How about importing the ca.crt file into your browser? Browsers authenticate
server.crts against known CA companies. Maybe?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of hUnTeR
Sent: Saturday, November 06, 1999 8:14 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: CA and certs



Re: ca and certs

1999-11-07 Thread hUnTeR

Lutz Jaenicke wrote:
>
> Michael, I won't comment on the pest aspect.
> Please make sure that you really understand what you are doing and that
> you did check all resources to find the problem yourself.
> I am definitely missing the logfile entries for the apache startup and
> for your connection attempts. Maybe they already include the hint you are
> looking for.
> Another approach is to take the openssl CA.pl tool for generating
> the certs; it will hide some part of the process for you.
> Please consider reading
> http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/doc/myownca.html
> as a description of this way (which is just hiding the full process by
> wrapping it with a, hmm, comfortable script).
> 
> Regards,
> Lutz

Well I did do a ton of reading, and yes even tried the CA.pl(sh) script.
What it turned out to be, just for anyone else that is curious, is that
the Location (city) needed to be different between the CA and the server
cert itself. Once I made that one and only change, it all works well.

Thank you all for your advice, time, and help.

Regards



Re: ca and certs

1999-11-10 Thread Holger Reif

hUnTeR schrieb:
> 
> Well i did do a ton of reading, and yes even tried the CA.pl(sh) script.
> What it turned out to be, just for anyone else that is curious, is that
> the Location (city) needed to be different between the CA and the server
> cert itself. Once i made that one and only change, it all works well.

A minor comment: the different location name is not the problem.
It probably should read "The distinguished names (that is, all the
details you enter while generating the request) must be different
for the CA and the server certs. Usually this should already be
fulfilled with the common name (CN) being different: the server
cert should have the host name in it, the CA usually something 
different."

-- 
Holger Reif  Tel.: +49 361 74707-0
SmartRing GmbH   Fax.: +49 361 7470720
Europaplatz 5 [EMAIL PROTECTED]
D-99091 ErfurtWWW.SmartRing.de
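A worked example, added here by the editor and not code from the thread or from mod_ssl's sign.sh, that answers the earlier request for a ca.config and reproduces Holger's point about the distinguished names: a throw-away CA issues two server certificates, one whose subject DN is set equal to the CA's own DN and one with the host name in the CN, and each is checked with openssl verify the way sign.sh's "CA verifying: server.crt <-> CA cert" step does. It assumes the openssl command line tool (1.1.1 or 3.x) is on PATH, uses -nodes instead of -des3 so no pass phrase is needed, and the ca.config it writes is a minimal one of the editor's own (the section names and ca.db.* file names are this example's choice, not mod_ssl's shipped file).

```shell
#!/bin/sh
# Added example, not code from the thread or from mod_ssl: a throw-away CA
# driven by a minimal ca.config, used to show why a server certificate whose
# subject DN equals the CA's subject DN does not verify against that CA.
# Assumes the openssl command line tool (1.1.1 or 3.x) is on PATH.
set -u

WORK=$(mktemp -d)      # scratch directory; nothing here touches /etc/httpd/conf
CA_DN="/C=US/ST=Ohio/L=Lakewood/O=The UserFriendly Network/OU=Certificate Authority/CN=UFN CA"
HOST_DN="/C=US/ST=Ohio/L=Lakewood/O=The UserFriendly Network/OU=Web Development Unit/CN=www.userfriendly.net"

# Minimal ca.config for "openssl ca" (section and file names are this
# example's own choice). There is deliberately no x509_extensions entry, so
# issued certificates are v1 without key identifiers, as in the thread.
write_ca_config() {
    mkdir -p "$WORK/ca.db.certs" || return 1
    # empty certificate database and first serial number
    : > "$WORK/ca.db.index" || return 1
    echo 01 > "$WORK/ca.db.serial" || return 1
    cat > "$WORK/ca.config" <<EOF
[ ca ]
default_ca      = CA_own

[ CA_own ]
dir             = $WORK
new_certs_dir   = \$dir/ca.db.certs
database        = \$dir/ca.db.index
serial          = \$dir/ca.db.serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_days    = 365
default_md      = sha256
policy          = policy_anything

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
EOF
}

# Steps 1 and 2 of the thread: CA key plus self-signed CA certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$CA_DN" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Steps 3 to 5: key, CSR, and signing with "openssl ca" (what sign.sh wraps).
# $1 = subject DN, $2 = basename used for the key, csr and crt files.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1 &&
    openssl ca -config "$WORK/ca.config" -batch -notext \
        -in "$WORK/$2.csr" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Exit status 0 when the certificate chains to ca.crt, non-zero otherwise.
verify_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Shows subject and issuer side by side, then the verification result.
report() {
    openssl x509 -in "$WORK/$1.crt" -noout -subject -issuer
    if verify_cert "$1"; then echo "$1: ok"; else echo "$1: fail"; fi
}

write_ca_config && make_ca || { echo "CA setup failed" >&2; exit 1; }
issue_cert "$CA_DN" same_dn || { echo "signing same_dn failed" >&2; exit 1; }
issue_cert "$HOST_DN" server || { echo "signing server failed" >&2; exit 1; }
report same_dn    # subject == issuer, so the cert looks self-signed: fail
report server     # CN is the host name, issuer is the CA: ok
echo "files left in $WORK"
```

Run it with sh and no arguments. The same_dn certificate fails because its subject equals its issuer and it carries no authority key identifier, so the verifier classifies it as self-signed: the 0.9.x-era tool of the thread then checked the signature against the certificate's own key and printed error 7, certificate signature failure, while current releases stop earlier and report a self-signed certificate at depth 0. The comparison is on the whole DN, which is why changing only the locality made Michael's setup work, but the CN should still be the host name the browser connects to, as Dom and Holger say. The scratch directory is left in place so the two certificates can be compared with openssl x509 -text.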