Re: CA Key and Self-Signed Server Certificate Generation - Follow-up

2005-01-12 Thread Dr. Stephen Henson
On Tue, Jan 11, 2005, Servie Platon wrote:

 Hello Dr. Henson,
 
 And thank you again for this advice.
 
 --- Dr. Stephen Henson [EMAIL PROTECTED] wrote:
 
  I suggest you ignore that script: and use the CA.pl
  script and the appropriate
  documentation instead.
 
 As suggested by you, I used the CA.pl script which
 works okay. On this issue, I would like to ask some
 follow-up questions:
 
 1. Do I have to move server.key and ca.key to
 /etc/ssl/private and ca.crt /etc/ssl/certs directory
 respectively?
 

If you used CA.pl correctly there won't be a 'server.key' file initially. The
private key will be in newreq.pem. 

You don't need to move ca.key at all.

What you need to do is move newreq.pem to wherever the server private key
needs to go (/etc/ssl/private/server.key) and the same with newcert.pem (the
new certificates) and copy the CA certificate which is in demoCA/cacert.pem.

 2. Since the command sign.sh server.csr does not work
 because the sign.sh script is kind of obsolete
 already, do I have to move newreq.pem to the directory
 /etc/ssl/certs if in case I issued the command
 /etc/ssl/misc/CA.pl -newcert to create a new
 certificate? And would it be okay if I remove
 server.csr from the /etc/ssl directory?
 
 3. I would like to secure my keys and certificate by
 doing a chmod on the following:
 
 # chmod 750 /etc/ssl/private/
 # chmod 400 /etc/ssl/certs/ca.crt
 # chmod 400 /etc/ssl/certs/newreq.pem
 # chmod 400 /etc/ssl/private/ca.key
 # chmod 400 /etc/ssl/private/server.key
 
 Would this suffice as a security measure to
 protect the integrity of the certificate itself?
 

Yes, the 400 permissions are OK, though you only really need it on the private
key.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
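The install step described in the reply above, as an added example that is not code from the thread or from OpenSSL's CA.pl: a POSIX sh script that extracts the private key out of newreq.pem (CA.pl -newreq writes the key and the certificate request into that one file), strips the plain-text dump that "openssl ca" puts in front of the PEM block in newcert.pem, copies demoCA/cacert.pem, leaves only the private key at mode 400, and then checks the result. The target root is a parameter standing in for /etc/ssl, the file names server.key, server.crt and ca.crt are taken from the question, the PEM label pattern and the sample directory contents are assumptions, and the sample PEM bodies are constructed placeholders rather than real key material.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL's CA.pl.
# Assumes a CA.pl run left newreq.pem (key + request), newcert.pem and
# demoCA/cacert.pem in $src; $root stands in for /etc/ssl so the functions
# can be exercised against a scratch directory.
#
# Usage on the real machine, as root, from the directory CA.pl ran in:
#   . ./install-cert.sh
#   install_server_cert /etc/ssl . && check_install /etc/ssl && verify_chain /etc/ssl
set -eu

# Print the first PEM block from file $1 whose label matches the ERE in $2.
# CA.pl -newreq writes the private key AND the certificate request into
# newreq.pem, and "openssl ca" prefixes newcert.pem with a text dump of the
# certificate; neither of those belongs in the installed files.
pem_block() {
    awk -v pat="$2" '
        $0 ~ ("^-----BEGIN " pat "-----$") { p = 1 }
        p { print }
        $0 ~ ("^-----END " pat "-----$")   { p = 0; exit }
    ' "$1"
}

install_server_cert() {
    root=$1; src=$2
    mkdir -p "$root/private" "$root/certs"
    chmod 750 "$root/private"
    # Create the key file under umask 077 so it is never world-readable,
    # not even for the instant before chmod runs.
    rm -f "$root/private/server.key"
    (umask 077; pem_block "$src/newreq.pem" '(RSA |EC |ENCRYPTED )?PRIVATE KEY' \
        > "$root/private/server.key")
    chmod 400 "$root/private/server.key"
    # Certificates are public: 444 is enough, and it lets the web server
    # read them after it drops privileges.
    pem_block "$src/newcert.pem" 'CERTIFICATE' > "$root/certs/server.crt"
    cp "$src/demoCA/cacert.pem" "$root/certs/ca.crt"
    chmod 444 "$root/certs/server.crt" "$root/certs/ca.crt"
}

# Return 0 when the layout is what the reply asks for: a key-only file
# readable by its owner alone, and certificate files that start with PEM.
check_install() {
    root=$1
    mode=$(ls -ld "$root/private/server.key" | cut -c1-10)
    [ "$mode" = "-r--------" ] || return 1
    grep -q 'PRIVATE KEY-----$' "$root/private/server.key" || return 1
    if grep -q 'CERTIFICATE REQUEST' "$root/private/server.key"; then return 1; fi
    for f in "$root/certs/server.crt" "$root/certs/ca.crt"; do
        head -n 1 "$f" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
    done
    return 0
}

# Only meaningful on real files: confirm the certificate chains to the CA
# and that the installed key is the one the certificate was issued for.
# An encrypted key prompts for its passphrase here, as it will at server start.
verify_chain() {
    root=$1
    openssl verify -CAfile "$root/certs/ca.crt" "$root/certs/server.crt" || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$root/certs/server.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$root/private/server.key")
    [ "$cert_mod" = "$key_mod" ]
}

# Constructed stand-in for a CA.pl working directory (placeholder base64
# bodies, not real key material) so the functions above can run offline.
make_sample_src() {
    d=$1
    mkdir -p "$d/demoCA"
    cat > "$d/newreq.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

cGxhY2Vob2xkZXIga2V5IGJvZHk=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
cGxhY2Vob2xkZXIgcmVxdWVzdCBib2R5
-----END CERTIFICATE REQUEST-----
EOF
    cat > "$d/newcert.pem" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIgY2VydGlmaWNhdGUgYm9keQ==
-----END CERTIFICATE-----
EOF
    cat > "$d/demoCA/cacert.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIgQ0EgY2VydGlmaWNhdGU=
-----END CERTIFICATE-----
EOF
}
```

The check functions are split on purpose: check_install needs only coreutils and can run against the constructed sample, while verify_chain needs openssl and real files, and is the step worth running before pointing Apache at the new paths, since a key that does not match its certificate fails only at server start.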


Re: CA Key and Self-Signed Server Certificate Generation - Follow-up

2005-01-11 Thread Servie Platon
Hello Dr. Henson,

And thank you again for this advice.

--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:

 I suggest you ignore that script: and use the CA.pl
 script and the appropriate
 documentation instead.

As suggested by you, I used the CA.pl script which
works okay. On this issue, I would like to ask some
follow-up questions:

1. Do I have to move server.key and ca.key to
/etc/ssl/private and ca.crt /etc/ssl/certs directory
respectively?

2. Since the command sign.sh server.csr does not work
because the sign.sh script is kind of obsolete
already, do I have to move newreq.pem to the directory
/etc/ssl/certs if in case I issued the command
/etc/ssl/misc/CA.pl -newcert to create a new
certificate? And would it be okay if I remove
server.csr from the /etc/ssl directory?

3. I would like to secure my keys and certificate by
doing a chmod on the following:

# chmod 750 /etc/ssl/private/
# chmod 400 /etc/ssl/certs/ca.crt
# chmod 400 /etc/ssl/certs/newreq.pem
# chmod 400 /etc/ssl/private/ca.key
# chmod 400 /etc/ssl/private/server.key

Would this suffice as a security measure to
protect the integrity of the certificate itself?

4. And finally, since I am basically new in the field
of openssl and have only come across this kind of open
source toolkit from school, may I ask some of you about the
benefits of openssl in general if properly implemented
alongside apache intended for a secured web site?

All I know is that OpenSSL is a robust,
commercial-grade, full-featured Open Source method of
implementing the Secure Socket Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as a
general-purpose cryptography library, as we have
been taught at school.

Any links, reading materials and the like for newbies
would be great. 

Thank you very much Dr. Henson and special
thanks/mention to the kind replies of Mr. Ringaby and
Mr. Sylvester.

More power to this group!

Sincerely,
Servie

 