Re: CA Key and Self-Signed Server Certificate Generation
> At the prompt, I did the following command:
>
> # sh sign.sh server.csr
> : command not foundline: 6: 'usr/sbin/sign.sh: sign.sh: line 15: syntax error near unexpected token `in 'usr/sbin/sign.sh: sign.sh: line 15: `case $CSR in
>
> Now, what I don't understand is that I used the syntax as posted on the site. What even puzzles me more is that it should work but it seems that there seems to be something wrong in the code or do I need to specify the path on my env variables?

My guess is that the script code somehow got messed up when you copied it from the site, or maybe the script for some reason contains hidden characters.

But if the CA.pl script works fine, then use CA.pl instead.

Best regards
Anders

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: CA Key and Self-Signed Server Certificate Generation - Follow-up
On Tue, Jan 11, 2005, Servie Platon wrote:

> Hello Dr. Henson,
>
> And thank you again for this advice.
>
> --- Dr. Stephen Henson [EMAIL PROTECTED] wrote:
>
> > I suggest you ignore that script: and use the CA.pl script and the appropriate documentation instead.
>
> As suggested by you, I used the CA.pl script which works okay. On this issue, I would like to ask some follow-up questions:
>
> 1. Do I have to move server.key and ca.key to /etc/ssl/private and ca.crt /etc/ssl/certs directory respectively?

If you used CA.pl correctly there won't be a 'server.key' file initially. The private key will be in newreq.pem. You don't need to move ca.key at all.

What you need to do is move newreq.pem to wherever the server private key needs to go (/etc/ssl/private/server.key) and the same with newcert.pem (the new certificates) and copy the CA certificate which is in demoCA/cacert.pem.

> 2. Since the command sign.sh server.csr does not work because the sign.sh script is kind of obsoleted already, do I have to move newreq.pem to the directory /etc/ssl/certs if in case I issued the command /etc/ssl/misc/CA.pl -newcert to create a new certificate? And would it be okay if I remove server.csr from the /etc/ssl directory?
>
> 3. I would like to secure my keys and certificate by doing a chmod on the following:
>
> # chmod 750 /etc/ssl/private/
> # chmod 400 /etc/ssl/certs/ca.crt
> # chmod 400 /etc/ssl/certs/newreq.pem
> # chmod 400 /etc/ssl/private/ca.key
> # chmod 400 /etc/ssl/private/server.key
>
> Would this suffice as a security measure to protect the integrity of the certificate itself?

Yes, the 400 permissions are OK, though you only really need it on the private key.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
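The point made in the reply above, that newreq.pem carries the private key and that mode 400 only really matters for private keys, can be turned into a check. This is an added example, not part of the original thread; the function names and the directories passed to `audit_keys` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report PEM files that contain a
# private key yet are accessible to group or others. The check reads file
# content, not names: CA.pl's newreq.pem holds the private key, so it needs
# the same protection as server.key wherever it ends up.

# holds_private_key FILE: succeeds if FILE has a PEM private-key header
# (matches "RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", ...).
holds_private_key() {
    grep -q -e '^-----BEGIN .*PRIVATE KEY-----' -- "$1"
}

# group_other_bits FILE: print the six group/other characters of the mode
# string, e.g. "------" for mode 400 and "r--r--" for mode 644.
# -L follows symlinks so the mode of the real file is examined.
group_other_bits() {
    ls -ldL -- "$1" | cut -c5-10
}

# audit_keys DIR...: print "EXPOSED <file>" for each key file with any
# group/other permission bit set; return 1 if at least one was found.
audit_keys() {
    bad=0
    for dir in "$@"; do
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            holds_private_key "$f" || continue
            if [ "$(group_other_bits "$f")" != "------" ]; then
                echo "EXPOSED $f"
                bad=1
            fi
        done
    done
    return "$bad"
}

# Stand-alone use: sh auditkeys.sh /etc/ssl/certs /etc/ssl/private
if [ "$#" -gt 0 ]; then
    audit_keys "$@"
fi
```

Certificates such as ca.crt and newcert.pem are public data and are deliberately not flagged, whatever their mode.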
Re: CA Key and Self-Signed Server Certificate Generation - Was
Hello Mr. Ringaby,

Thanks for the reply.

> My guess is that the script code somehow got messed up when you copied it from the site, or maybe the script for some reason contains hidden characters.

I think you are right Sir because I copied the script from the site on a windows machine and placed it on my test linux box.

> But if the CA.pl script works fine, then use CA.pl instead.

Definitely, I will use the CA.pl script from here on as suggested by Dr. Henson. Thank you very much again for the help.

> Best regards
> Anders

Sincerely,
Servie
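The cause identified above, a script copied from a Windows machine and carrying hidden carriage returns, can be confirmed and repaired as follows. This is an added example, not part of the original thread; the function names are assumptions, and `strip_cr` removes every CR in the file, which is appropriate for a shell script.

```shell
#!/bin/sh
# Added example (not from the thread): find and remove DOS carriage returns.
# With CRLF endings the first line is "#!/bin/sh\r", so the kernel looks for
# an interpreter named "/bin/sh\r" and the shell reports
# ": bad interpreter: No such file or directory" (the \r moves the cursor to
# column 0, which is why the message appears to start with a colon).

CR=$(printf '\r')   # command substitution strips newlines only, CR survives

# has_crlf FILE: succeeds if any line of FILE ends in a carriage return.
has_crlf() {
    grep -q -e "${CR}\$" -- "$1"
}

# shebang_has_cr FILE: succeeds if the "#!" line itself ends in CR.
shebang_has_cr() {
    head -n 1 -- "$1" | grep -q -e "^#!.*${CR}\$"
}

# strip_cr FILE: delete every CR in place. Writing back with cat keeps the
# file's inode, owner and mode, so an executable script stays executable.
strip_cr() {
    tmp=$(mktemp) || return 1
    if tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1"; then
        rm -f "$tmp"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Stand-alone use: sh fixcr.sh sign.sh [more files...]
for f in "$@"; do
    if has_crlf "$f"; then
        shebang_has_cr "$f" && echo "$f: CR on the #! line"
        strip_cr "$f" && echo "$f: carriage returns removed"
    else
        echo "$f: no carriage returns"
    fi
done
```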
Re: CA Key and Self-Signed Server Certificate Generation
Hello again, Servie.

Since sign.sh is a script, have you checked that the interpreter at line number 1 (should be #!/bin/sh in this case) is correct? Maybe the path is different in your system, or another interpreter is required like ksh or bash (that would be #!/bin/ksh or #!/bin/bash on line number 1 in the script).

Otherwise you can also run the script by typing:

    sh sign.sh server.csr

( or ksh sign.sh server.csr or bash sign.sh server.csr )

Good luck,
Anders

On Mon, 10 Jan 2005, Servie Platon wrote:

> Hello openssl gurus,
>
> I wanted to create my own private CA and use this to sign CSR's instead of requesting a commercial CA to sign my CSR. I have downloaded the latest tar.gz file and was able to compile openssl without a problem.
>
> To do the above, I made the following commands:
>
> # openssl genrsa -des3 -rand random1:random2:random3:random4:random5 -out ca.key 1024
> # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> # mv server.key private/
> # mv ca.key private/
> # mv ca.crt certs/
> (up to here, no errors)
> # sign.sh server.csr
> : bad interpreter: No such file or directory
>
> Since it generated a bad interpreter error, I tried using:
>
> # /usr/sbin/sign.sh server.csr
> or
> # /usr/sbin/sign.sh /etc/ssl/server.csr
>
> but still generated the same problem.
>
> I followed the instructions on how to make sign.sh at http://www.faqs.org/docs/securing/chap24sec195.html
>
> I am just wondering what went wrong and how to solve this problem. Any thoughts and help on this would be highly appreciated.
>
> TIA.
>
> Sincerely,
> Servie
Re: CA Key and Self-Signed Server Certificate Generation
On Mon, Jan 10, 2005, Servie Platon wrote:

> Hello openssl gurus,
>
> I wanted to create my own private CA and use this to sign CSR's instead of requesting a commercial CA to sign my CSR. I have downloaded the latest tar.gz file and was able to compile openssl without a problem.
>
> To do the above, I made the following commands:
>
> # openssl genrsa -des3 -rand random1:random2:random3:random4:random5 -out ca.key 1024
> # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> # mv server.key private/
> # mv ca.key private/
> # mv ca.crt certs/
> (up to here, no errors)
> # sign.sh server.csr
> : bad interpreter: No such file or directory
>
> Since it generated a bad interpreter error, I tried using:
>
> # /usr/sbin/sign.sh server.csr
> or
> # /usr/sbin/sign.sh /etc/ssl/server.csr
>
> but still generated the same problem.
>
> I followed the instructions on how to make sign.sh at http://www.faqs.org/docs/securing/chap24sec195.html
>
> I am just wondering what went wrong and how to solve this problem. Any thoughts and help on this would be highly appreciated.

I suggest you ignore that script: and use the CA.pl script and the appropriate documentation instead.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: CA Key and Self-Signed Server Certificate Generation
Hello Dr. Henson,

Thank you for the reply Sir.

--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:

> On Mon, Jan 10, 2005, Servie Platon wrote:
>
> > Hello openssl gurus,
> >
> > I wanted to create my own private CA and use this to sign CSR's instead of requesting a commercial CA to sign my CSR. I have downloaded the latest tar.gz file and was able to compile openssl without a problem.
> >
> > To do the above, I made the following commands:
> >
> > # openssl genrsa -des3 -rand random1:random2:random3:random4:random5 -out ca.key 1024
> > # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> > # mv server.key private/
> > # mv ca.key private/
> > # mv ca.crt certs/
> > (up to here, no errors)
> > # sign.sh server.csr
> > : bad interpreter: No such file or directory
> >
> > Since it generated a bad interpreter error, I tried using:
> >
> > # /usr/sbin/sign.sh server.csr
> > or
> > # /usr/sbin/sign.sh /etc/ssl/server.csr
> >
> > but still generated the same problem.
> >
> > I followed the instructions on how to make sign.sh at http://www.faqs.org/docs/securing/chap24sec195.html
> >
> > I am just wondering what went wrong and how to solve this problem. Any thoughts and help on this would be highly appreciated.
>
> I suggest you ignore that script: and use the CA.pl script and the appropriate documentation instead.

Could you please advise where I could locate the CA.pl script and the appropriate documentation?

Thank you very much Sir.

> Steve.

Sincerely,
Servie
Re: CA Key and Self-Signed Server Certificate Generation
Hello Mr. Anders,

Thank you very much on your reply.

--- Ringaby Anders [EMAIL PROTECTED] wrote:

> Hello again, Servie.
>
> Since sign.sh is a script, have you checked that the interpreter at line number 1 (should be #!/bin/sh in this case) is correct? Maybe the path is different in your system, or another interpreter is required like ksh or bash (that would be #!/bin/ksh or #!/bin/bash on line number 1 in the script).
>
> Otherwise you can also run the script by typing:
>
> sh sign.sh server.csr
>
> ( or ksh sign.sh server.csr or bash sign.sh server.csr )

I will try out all your suggestions as indicated above.

> Good luck,
> Anders

Again, thank you very much.

Sincerely,
Servie

> On Mon, 10 Jan 2005, Servie Platon wrote:
>
> > Hello openssl gurus,
> >
> > I wanted to create my own private CA and use this to sign CSR's instead of requesting a commercial CA to sign my CSR. I have downloaded the latest tar.gz file and was able to compile openssl without a problem.
> >
> > To do the above, I made the following commands:
> >
> > # openssl genrsa -des3 -rand random1:random2:random3:random4:random5 -out ca.key 1024
> > # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> > # mv server.key private/
> > # mv ca.key private/
> > # mv ca.crt certs/
> > (up to here, no errors)
> > # sign.sh server.csr
> > : bad interpreter: No such file or directory
> >
> > Since it generated a bad interpreter error, I tried using:
> >
> > # /usr/sbin/sign.sh server.csr
> > or
> > # /usr/sbin/sign.sh /etc/ssl/server.csr
> >
> > but still generated the same problem.
> >
> > I followed the instructions on how to make sign.sh at http://www.faqs.org/docs/securing/chap24sec195.html
> >
> > I am just wondering what went wrong and how to solve this problem. Any thoughts and help on this would be highly appreciated.
> >
> > TIA.
> >
> > Sincerely,
> > Servie
Re: CA Key and Self-Signed Server Certificate Generation
On Tue, Jan 11, 2005, Servie Platon wrote:

> Hello Dr. Henson,
>
> Thank you for the reply Sir.
>
> Could you please advise where I could locate the CA.pl script and the appropriate documentation?

CA.pl should be installed when OpenSSL is. By default it will be in /usr/local/ssl/misc.

There is a CA.pl manual page or you can read it online at:

http://www.openssl.org/docs/apps/CA.pl.html

It looks like the instructions you originally presented will end up creating an obsolete V1 certificate.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: CA Key and Self-Signed Server Certificate Generation
Hello Mr. Ringaby,

--- Ringaby Anders [EMAIL PROTECTED] wrote:

> Hello again, Servie.
>
> Since sign.sh is a script, have you checked that the interpreter at line number 1 (should be #!/bin/sh in this case) is correct? Maybe the path is different in your system, or another interpreter is required like ksh or bash (that would be #!/bin/ksh or #!/bin/bash on line number 1 in the script).
>
> Otherwise you can also run the script by typing:
>
> sh sign.sh server.csr
>
> ( or ksh sign.sh server.csr or bash sign.sh server.csr )

At the prompt, I did the following command:

    # sh sign.sh server.csr
    : command not foundline: 6: 'usr/sbin/sign.sh: sign.sh: line 15: syntax error near unexpected token `in 'usr/sbin/sign.sh: sign.sh: line 15: `case $CSR in

Now, what I don't understand is that I used the syntax as posted on the site. What even puzzles me more is that it should work but it seems that there seems to be something wrong in the code or do I need to specify the path on my env variables?

Any thoughts on this would definitely be greatly appreciated. Thanks in advance.

Sincerely,
Servie

> Good luck,
> Anders
>
> On Mon, 10 Jan 2005, Servie Platon wrote:
>
> > Hello openssl gurus,
> >
> > I wanted to create my own private CA and use this to sign CSR's instead of requesting a commercial CA to sign my CSR. I have downloaded the latest tar.gz file and was able to compile openssl without a problem.
> >
> > To do the above, I made the following commands:
> >
> > # openssl genrsa -des3 -rand random1:random2:random3:random4:random5 -out ca.key 1024
> > # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> > # mv server.key private/
> > # mv ca.key private/
> > # mv ca.crt certs/
> > (up to here, no errors)
> > # sign.sh server.csr
> > : bad interpreter: No such file or directory
> >
> > Since it generated a bad interpreter error, I tried using:
> >
> > # /usr/sbin/sign.sh server.csr
> > or
> > # /usr/sbin/sign.sh /etc/ssl/server.csr
> >
> > but still generated the same problem.
> >
> > I followed the instructions on how to make sign.sh at http://www.faqs.org/docs/securing/chap24sec195.html
> >
> > I am just wondering what went wrong and how to solve this problem. Any thoughts and help on this would be highly appreciated.
> >
> > TIA.
> >
> > Sincerely,
> > Servie
Re: CA Key and Self-Signed Server Certificate Generation - Follow-up
Hello Dr. Henson,

And thank you again for this advice.

--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:

> I suggest you ignore that script: and use the CA.pl script and the appropriate documentation instead.

As suggested by you, I used the CA.pl script which works okay. On this issue, I would like to ask some follow-up questions:

1. Do I have to move server.key and ca.key to /etc/ssl/private and ca.crt /etc/ssl/certs directory respectively?

2. Since the command sign.sh server.csr does not work because the sign.sh script is kind of obsoleted already, do I have to move newreq.pem to the directory /etc/ssl/certs if in case I issued the command /etc/ssl/misc/CA.pl -newcert to create a new certificate? And would it be okay if I remove server.csr from the /etc/ssl directory?

3. I would like to secure my keys and certificate by doing a chmod on the following:

    # chmod 750 /etc/ssl/private/
    # chmod 400 /etc/ssl/certs/ca.crt
    # chmod 400 /etc/ssl/certs/newreq.pem
    # chmod 400 /etc/ssl/private/ca.key
    # chmod 400 /etc/ssl/private/server.key

   Would this suffice as a security measure to protect the integrity of the certificate itself?

4. And finally, since I am basically new in the field of openssl and have only come across this kind of open source toolkit from school. May I ask some of you the benefits of openssl in general if properly implemented alongside apache intended for a secured web site? All I know is that OpenSSL is a robust, commercial-grade, full-featured Open Source method of implementing the Secure Socket Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as general-purpose cryptography library as what we have been taught from school. Any links, reading materials and the like for newbies would be great.

Thank you very much Dr. Henson and special thanks/mention to the kind replies of Mr. Ringaby and Mr. Sylvester. More power to this group!

Sincerely,
Servie

> Steve.