Re: CA Key and Self-Signed Server Certificate Generation - Was
Hello Mr. Ringaby,

Thanks for the reply.

> My guess is that the script code somehow got messed up when you
> copied it from the site, or maybe the script for some reason
> contains hidden characters.

I think you are right, Sir, because I copied the script from the site on a Windows machine and placed it on my test Linux box.

> But if the CA.pl script works fine, then use CA.pl instead.

Definitely, I will use the CA.pl script from here on as suggested by Dr. Henson. Thank you very much again for the help.

> Best regards
> Anders

Sincerely,
Servie

__
OpenSSL Project                        http://www.openssl.org
User Support Mailing List              openssl-users@openssl.org
Automated List Manager                 [EMAIL PROTECTED]
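Added example, not part of the thread: a script saved with Windows line endings carries a carriage return at the end of every line, including the `#!` line, which produces the empty-looking ": bad interpreter" message. The function names below are constructed for this illustration.

```shell
#!/bin/sh
# Added example: find and remove carriage returns (CR, 0x0D) in a script.
# Function names are constructed for illustration.

CR=$(printf '\r')

# has_cr FILE: succeed if any line of FILE contains a CR.
has_cr() {
    grep -q "$CR" "$1"
}

# shebang_has_cr FILE: succeed if the "#!" line ends in a CR. The kernel
# then looks for an interpreter literally named "/bin/sh<CR>".
shebang_has_cr() {
    head -n 1 "$1" | grep -q "^#!.*$CR\$"
}

# strip_cr FILE: remove every CR in place. Writing back with cat keeps the
# file's owner and mode (including the execute bit).
strip_cr() {
    tmp=$(mktemp "$1.XXXXXX") || return 1
    tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1"
    status=$?
    rm -f "$tmp"
    return "$status"
}

# Stand-alone use: sh fixcr.sh sign.sh [more files...]
for f in "$@"; do
    if has_cr "$f"; then
        shebang_has_cr "$f" && echo "$f: CR on interpreter line"
        strip_cr "$f" && echo "$f: CRs removed"
    fi
done
```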
Re: CA Key and Self-Signed Server Certificate Generation
Hello Dr. Henson,

Thank you for the reply, Sir.

--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:

> On Mon, Jan 10, 2005, Servie Platon wrote:
>
> > Hello openssl gurus,
> >
> > I wanted to create my own private CA and use this to sign CSRs
> > instead of requesting a commercial CA to sign my CSR. I have
> > downloaded the latest tar.gz file and was able to compile openssl
> > without a problem. To do the above, I made the following commands:
> >
> >     # openssl genrsa -des3 -rand random1:random2:random3:random4:random5 -out ca.key 1024
> >     # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> >     # mv server.key private/
> >     # mv ca.key private/
> >     # mv ca.crt certs/
> >
> > (up to here, no errors)
> >
> >     # sign.sh server.csr
> >     : bad interpreter: No such file or directory
> >
> > Since it generated a bad interpreter error, I tried using:
> >
> >     # /usr/sbin/sign.sh server.csr
> >
> > or
> >
> >     # /usr/sbin/sign.sh /etc/ssl/server.csr
> >
> > but still generated the same problem. I followed the instructions
> > on how to make sign.sh at
> > http://www.faqs.org/docs/securing/chap24sec195.html
> >
> > I am just wondering what went wrong and how to solve this problem.
> > Any thoughts and help on this would be highly appreciated.
>
> I suggest you ignore that script and use the CA.pl script and the
> appropriate documentation instead.

Could you please advise where I could locate the CA.pl script and the appropriate documentation? Thank you very much, Sir.

> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk

Sincerely,
Servie
Re: CA Key and Self-Signed Server Certificate Generation
Hello Mr. Anders,

Thank you very much for your reply.

--- Ringaby Anders [EMAIL PROTECTED] wrote:

> Hello again, Servie.
>
> Since sign.sh is a script, have you checked that the interpreter at
> line number 1 (should be #!/bin/sh in this case) is correct? Maybe
> the path is different in your system, or another interpreter is
> required like ksh or bash (that would be #!/bin/ksh or #!/bin/bash
> on line number 1 in the script).
>
> Otherwise you can also run the script by typing:
>
>     sh sign.sh server.csr
>
> ( or ksh sign.sh server.csr or bash sign.sh server.csr )

I will try out all your suggestions as indicated above.

> Good luck,
> Anders

Again, thank you very much.

Sincerely,
Servie

> On Mon, 10 Jan 2005, Servie Platon wrote:
>
> > Hello openssl gurus,
> >
> > I wanted to create my own private CA and use this to sign CSRs
> > instead of requesting a commercial CA to sign my CSR. I have
> > downloaded the latest tar.gz file and was able to compile openssl
> > without a problem. To do the above, I made the following commands:
> >
> >     # openssl genrsa -des3 -rand random1:random2:random3:random4:random5 -out ca.key 1024
> >     # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> >     # mv server.key private/
> >     # mv ca.key private/
> >     # mv ca.crt certs/
> >
> > (up to here, no errors)
> >
> >     # sign.sh server.csr
> >     : bad interpreter: No such file or directory
> >
> > Since it generated a bad interpreter error, I tried using:
> >
> >     # /usr/sbin/sign.sh server.csr
> >
> > or
> >
> >     # /usr/sbin/sign.sh /etc/ssl/server.csr
> >
> > but still generated the same problem. I followed the instructions
> > on how to make sign.sh at
> > http://www.faqs.org/docs/securing/chap24sec195.html
> >
> > I am just wondering what went wrong and how to solve this problem.
> > Any thoughts and help on this would be highly appreciated.
> >
> > TIA.
> >
> > Sincerely,
> > Servie
Re: CA Key and Self-Signed Server Certificate Generation
Hello Mr. Ringaby,

--- Ringaby Anders [EMAIL PROTECTED] wrote:

> Hello again, Servie.
>
> Since sign.sh is a script, have you checked that the interpreter at
> line number 1 (should be #!/bin/sh in this case) is correct? Maybe
> the path is different in your system, or another interpreter is
> required like ksh or bash (that would be #!/bin/ksh or #!/bin/bash
> on line number 1 in the script).
>
> Otherwise you can also run the script by typing:
>
>     sh sign.sh server.csr
>
> ( or ksh sign.sh server.csr or bash sign.sh server.csr )

At the prompt, I did the following command:

    # sh sign.sh server.csr
    : command not foundline: 6:
    'usr/sbin/sign.sh: sign.sh: line 15: syntax error near unexpected token `in
    'usr/sbin/sign.sh: sign.sh: line 15: `case $CSR in

Now, what I don't understand is that I used the syntax as posted on the site. What even puzzles me more is that it should work but it seems that there seems to be something wrong in the code or do I need to specify the path on my env variables?

Any thoughts on this would definitely be greatly appreciated. Thanks in advance.

Sincerely,
Servie

> Good luck,
> Anders
>
> On Mon, 10 Jan 2005, Servie Platon wrote:
>
> > Hello openssl gurus,
> >
> > I wanted to create my own private CA and use this to sign CSRs
> > instead of requesting a commercial CA to sign my CSR. I have
> > downloaded the latest tar.gz file and was able to compile openssl
> > without a problem. To do the above, I made the following commands:
> >
> >     # openssl genrsa -des3 -rand random1:random2:random3:random4:random5 -out ca.key 1024
> >     # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> >     # mv server.key private/
> >     # mv ca.key private/
> >     # mv ca.crt certs/
> >
> > (up to here, no errors)
> >
> >     # sign.sh server.csr
> >     : bad interpreter: No such file or directory
> >
> > Since it generated a bad interpreter error, I tried using:
> >
> >     # /usr/sbin/sign.sh server.csr
> >
> > or
> >
> >     # /usr/sbin/sign.sh /etc/ssl/server.csr
> >
> > but still generated the same problem. I followed the instructions
> > on how to make sign.sh at
> > http://www.faqs.org/docs/securing/chap24sec195.html
> >
> > I am just wondering what went wrong and how to solve this problem.
> > Any thoughts and help on this would be highly appreciated.
> >
> > TIA.
> >
> > Sincerely,
> > Servie
Re: CA Key and Self-Signed Server Certificate Generation - Follow-up
Hello Dr. Henson,

And thank you again for this advice.

--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:

> I suggest you ignore that script and use the CA.pl script and the
> appropriate documentation instead.

As suggested by you, I used the CA.pl script which works okay.

On this issue, I would like to ask some follow-up questions:

1. Do I have to move server.key and ca.key to /etc/ssl/private and ca.crt to the /etc/ssl/certs directory, respectively?

2. Since the command sign.sh server.csr does not work because the sign.sh script is kind of obsoleted already, do I have to move newreq.pem to the directory /etc/ssl/certs if in case I issued the command /etc/ssl/misc/CA.pl -newcert to create a new certificate? And would it be okay if I remove server.csr from the /etc/ssl directory?

3. I would like to secure my keys and certificate by doing a chmod on the following:

    # chmod 750 /etc/ssl/private/
    # chmod 400 /etc/ssl/certs/ca.crt
    # chmod 400 /etc/ssl/certs/newreq.pem
    # chmod 400 /etc/ssl/private/ca.key
    # chmod 400 /etc/ssl/private/server.key

   Would this be sufficient as a security measure to protect the integrity of the certificate itself?

4. And finally, since I am basically new in the field of openssl and have only come across this kind of open source toolkit from school. May I ask some of you the benefits of openssl in general if properly implemented alongside apache intended for a secured web site? All I know is that OpenSSL is a robust, commercial-grade, full-featured Open Source method of implementing the Secure Socket Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as general-purpose cryptography library as what we have been taught from school. Any links, reading materials and the like for newbies would be great.

Thank you very much Dr. Henson and special thanks/mention to the kind replies of Mr. Ringaby and Mr. Sylvester.

More power to this group!

Sincerely,
Servie

> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
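Added example, not part of the thread: a shell check related to question 3 above, reporting key files that group or other users can access and keys stored without a passphrase (no `ENCRYPTED` marker in the PEM header, unlike a key written by `genrsa -des3`). The names `audit_keys` and `loose` and the labels they print are constructed for this illustration.

```shell
#!/bin/sh
# Added example: audit a private-key directory such as /etc/ssl/private.
# audit_keys, loose and the output labels are constructed names.

# loose FILE: succeed if any group/other permission bit is set on FILE.
loose() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# audit_keys DIR: print one line per finding.
# Returns 1 if a permission problem was found, 0 otherwise.
audit_keys() {
    dir=$1
    bad=0
    # A directory writable by group/others lets a key file be replaced
    # regardless of the mode on the file itself.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "DIR-WRITABLE $dir"
        bad=1
    fi
    for f in "$dir"/*.key "$dir"/*.pem; do
        [ -f "$f" ] || continue
        if loose "$f"; then
            echo "LOOSE $f"
            bad=1
        fi
        # Informational: for a key without a passphrase the file mode is
        # the only thing protecting it.
        if grep -q 'PRIVATE KEY' "$f" && ! grep -q 'ENCRYPTED' "$f"; then
            echo "NOPASS $f"
        fi
    done
    return "$bad"
}

# Stand-alone use: sh audit_keys.sh /etc/ssl/private
[ "$#" -eq 0 ] || audit_keys "$1"
```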
CA Key and Self-Signed Server Certificate Generation
Hello openssl gurus,

I wanted to create my own private CA and use this to sign CSRs instead of requesting a commercial CA to sign my CSR. I have downloaded the latest tar.gz file and was able to compile openssl without a problem. To do the above, I made the following commands:

    # openssl genrsa -des3 -rand random1:random2:random3:random4:random5 -out ca.key 1024
    # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
    # mv server.key private/
    # mv ca.key private/
    # mv ca.crt certs/

(up to here, no errors)

    # sign.sh server.csr
    : bad interpreter: No such file or directory

Since it generated a bad interpreter error, I tried using:

    # /usr/sbin/sign.sh server.csr

or

    # /usr/sbin/sign.sh /etc/ssl/server.csr

but still generated the same problem. I followed the instructions on how to make sign.sh at http://www.faqs.org/docs/securing/chap24sec195.html

I am just wondering what went wrong and how to solve this problem. Any thoughts and help on this would be highly appreciated.

TIA.

Sincerely,
Servie
Re: Error 127 - gcc: Command not found
Hello Anders,

Thanks for the help and info. You have helped me solve my problem.

--- Ringaby Anders [EMAIL PROTECTED] wrote:

> Hello Servie.
>
> Have you checked that the directory, where gcc is located, is in
> your PATH environment variable? You can check by doing either of
> these:
>
>     echo $PATH
>
> or:
>
>     type gcc

Apparently, when I made a minimal install of my FC3 test machine since it didn't have all the necessary packages for openssl it failed to install the tar ball. However though, I manually installed and did the command rpm -Uvh *.rpm for all packages needed such as gcc, cpp, cproto, etc. but it did not give me any signs that it was not installed.

So thanks to your help to check if gcc is in the path for my environment variable. I did solve this by manually installing the gcc rpm among others and from here on it went on smoothly.

> In order to add the directory where gcc is located, before running
> make, do this:
>
>     PATH=$PATH:directory_where_gcc_is_located
>     export PATH
>
> Then run make again.
>
> / Anders

I am just puzzled if doing rpm -Uvh *.rpm is not allowed at all by FC3? AFAIK, with Red Hat distros 7.3, 8.0 or 9.0 I could install all the rpm all together. Not very sure, if this is a new security feature by FC3?

Again, thank you very much for the help.

Sincerely,
Servie
Re: Error 127 - gcc: Command not found
Hi Mr. Ringaby,

Thank you for the reply.

--- Ringaby Anders [EMAIL PROTECTED] wrote:

> Hello Servie.
>
> Have you checked that the directory, where gcc is located, is in
> your PATH environment variable? You can check by doing either of
> these:
>
>     echo $PATH
>
> or:
>
>     type gcc
>
> In order to add the directory where gcc is located, before running
> make, do this:
>
>     PATH=$PATH:directory_where_gcc_is_located
>     export PATH
>
> Then run make again.
>
> / Anders

I will try out what you have suggested and let you guys know it has resolved the issue.

Again, thank you very much for the help.

Sincerely,
Servie
Error 127 - gcc: Command not found
Hi openssl gurus and experts,

I am new to this list and openssl in general and I apologize for asking a simple question.

I was trying to compile openssl from source - openssl-0.0.7e.tar.gz which I have downloaded from the openssl site. Things were going on smoothly after I issued the command

    # make

I got an error message:

    make[1]: gcc: Command not found
    make[1]: *** [cryptlib.o] Error 127
    make[1]: Leaving directory '/var/tmp/openssl-0.9.7e/crypto'
    make: ***[sub_all] Error 1

What does this error mean? I made sure that the gcc rpm or package is installed on my system but still I am getting this error message.

I even tried looking at the error 127 at the list archive but could not find the answer yet.

Any help on this matter would be highly appreciated. Thanks in advance.

Sincerely,
Servie