Re: [squid-users] wild card ssl certificate

2009-07-05 Thread Amos Jeffries

Mario Remy Almeida wrote:

Hi Amos,

Everything is correct except the spelling of newrprgate 


Doh!



in openssl.cnf it is correct

mkdir creates the directory newprpgate

then cd to directory newrprgate, which does not exist.

so newprpgate should be newrprgate for the mkdir command

//Remy

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.9


Re: [squid-users] wild card ssl certificate

2009-07-05 Thread Mario Remy Almeida
Hi Amos,

Everything is correct except the spelling of newrprgate 

in openssl.cnf it is correct

mkdir creates the directory newprpgate

then cd to directory newrprgate, which does not exist.

so newprpgate should be newrprgate for the mkdir command

//Remy

--
Disclaimer and Confidentiality


This material has been checked for  computer viruses and although none has
been found, we cannot guarantee  that it is completely free from such problems
and do not accept any  liability for loss or damage which may be caused.
Please therefore  check any attachments for viruses before using them on your
own  equipment. If you do find a computer virus please inform us immediately
so that we may take appropriate action. This communication is intended  solely
for the addressee and is confidential. If you are not the intended recipient,
any disclosure, copying, distribution or any action  taken or omitted to be
taken in reliance on it, is prohibited and may be  unlawful. The views
expressed in this message are those of the  individual sender, and may not
necessarily be that of ISA.


Re: [squid-users] wild card ssl certificate

2009-07-05 Thread Amos Jeffries

Mario Remy Almeida wrote:

Hi Amos,

Tried with the change, worked very well, no issues

One small change in the wiki

in openssl.cnf
it is mentioned as

dir = /usr/newrprgate/CertAuth

but

mkdir newprpgate; cd newrprgate

should be mkdir newrprgate

if possible please correct in the wiki

//Remy




Do you mean:

dir = /usr/newrprgate/CertAuth
becomes
dir = /usr/CertAuth

and

=== Setup a certificate Signing Authority (if needed) ===
cd /usr
mkdir newprpgate; cd newrprgate
mkdir CertAuth; cd CertAuth
mkdir certs; mkdir private
chmod 700 private
echo '01' > serial
touch index.txt

becomes:


=== Setup a certificate Signing Authority (if needed) ===
cd /usr
mkdir newprpgate;
mkdir CertAuth; cd CertAuth
mkdir certs; mkdir private
chmod 700 private
echo '01' > serial
touch index.txt

??

IIRC the only funky thing I found when following those myself a long 
while ago was a missing "cd .." somewhere.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.9


Re: [squid-users] wild card ssl certificate

2009-07-05 Thread Mario Remy Almeida
Hi Amos,

Tried with the change, worked very well, no issues

One small change in the wiki

in openssl.cnf
it is mentioned as

dir = /usr/newrprgate/CertAuth

but

mkdir newprpgate; cd newrprgate

should be mkdir newrprgate

if possible please correct in the wiki

//Remy

Re: [squid-users] wild card ssl certificate

2009-07-05 Thread Amos Jeffries

Mario Remy Almeida wrote:

Hi All

I followed the steps mentioned in the below url
http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate

when the below cmd is executed

openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 1000

I get the below message, which means some options are missing.

Can someone tell me what I am missing?

Is it rsa:1024 instead of rsa?


Yes, it needs the bit-length. Though for the CA cert it's advised to use 
a stronger/longer bit length than normal. 2048 bits is mentioned in the 
wiki for now.


Thanks for reporting that. Wiki updated.

Amos

--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.9
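The two fixes the thread converges on (a CA directory tree whose mkdir, cd and openssl.cnf `dir` names all agree, and an explicit RSA bit length for the CA key) put together as a POSIX sh script. This is an added example, not code from the thread or the Squid wiki: the `ca_*` function names and the argument layout are my own, and the tree is derived from one argument so the `newprpgate`/`newrprgate` kind of drift cannot happen; `set -e` makes a failed `cd`-style step abort instead of continuing in `/usr`.

```shell
#!/bin/sh
# Added example, not code from the thread or the Squid wiki. The CA tree
# is derived from ONE argument, so the mkdir and cd names cannot drift
# apart (the newprpgate/newrprgate typo), set -e stops at the first
# failing command instead of carrying on in the wrong directory, and
# the "dir =" entry in openssl.cnf is checked against the tree created.
set -e

# ca_setup_dirs BASE -> prints BASE/CertAuth after creating the layout
# from the thread: certs/, private/ (0700), serial = 01, empty index.txt
ca_setup_dirs() {
    ca_dir="$1/CertAuth"
    mkdir -p "$ca_dir/certs" "$ca_dir/private"
    chmod 700 "$ca_dir/private"          # CA private key lives here: owner only
    [ -f "$ca_dir/serial" ] || echo '01' > "$ca_dir/serial"
    [ -f "$ca_dir/index.txt" ] || : > "$ca_dir/index.txt"
    printf '%s\n' "$ca_dir"
}

# ca_check_cnf CNF CA_DIR -> succeeds only if the first "dir =" line in
# CNF names CA_DIR exactly (openssl ca/req take their paths from there)
ca_check_cnf() {
    cnf_dir=$(sed -n '/^[[:space:]]*dir[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//;p;}' "$1" | head -n 1)
    [ "$cnf_dir" = "$2" ]
}

# ca_selfsign CA_DIR CNF -> self-signed CA certificate. "-newkey rsa"
# alone is what printed the usage text in the thread: the bit length is
# mandatory, and 2048 is the size the thread recommends for a CA key.
ca_selfsign() {
    openssl req -x509 -new -newkey rsa:2048 -config "$2" \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" \
        -outform PEM -days 1000
}

# Usage: sh ca_setup.sh /usr/newrprgate /etc/ssl/openssl.cnf
if [ $# -eq 2 ]; then
    ca_dir=$(ca_setup_dirs "$1")
    ca_check_cnf "$2" "$ca_dir" || {
        echo "openssl.cnf dir does not name $ca_dir" >&2; exit 1; }
    ca_selfsign "$ca_dir" "$2"
fi
```

Run with no arguments the script only defines the functions, so the layout and the openssl.cnf check can be exercised without openssl installed; the self-signing step needs openssl on PATH.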


[squid-users] wild card ssl certificate

2009-07-05 Thread Mario Remy Almeida
Hi All

I followed the steps mentioned in the below url
http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate

when the below cmd is executed

openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 1000

I get the below message, which means some options are missing.

Can someone tell me what I am missing?

Is it rsa:1024 instead of rsa?


req [options] outfile
where options  are
 -inform arg    input format - DER or PEM
 -outform arg   output format - DER or PEM
 -in arg        input file
 -out arg       output file
 -text          text form of request
 -pubkey        output public key
 -noout         do not output REQ
 -verify        verify signature on REQ
 -modulus       RSA modulus
 -nodes         don't encrypt the output key
 -engine e      use engine e, possibly a hardware device
 -subject       output the request's subject
 -passin        private key password source
 -key file      use the private key contained in file
 -keyform arg   key file format
 -keyout arg    file to send the key to
 -rand file:file:...
                load the file (or the files in the directory) into
                the random number generator
 -newkey rsa:bits generate a new RSA key of 'bits' in size
 -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'
 -[digest]      Digest to sign with (md5, sha1, md2, mdc2, md4)
 -config file   request template file.
 -subj arg      set or modify request subject
 -multivalue-rdn enable support for multivalued RDNs
 -new           new request.
 -batch         do not ask anything during request generation
 -x509          output a x509 structure instead of a cert. req.
 -days          number of days a certificate generated by -x509 is valid for.
 -set_serial    serial number to use for a certificate generated by -x509.
 -newhdr        output "NEW" in the header lines
 -asn1-kludge   Output the 'request' in a format that is wrong but some CA's
                have been reported as requiring
 -extensions .. specify certificate extension section (override value in config file)
 -reqexts ..    specify request extension section (override value in config file)
 -utf8          input characters are UTF8 (default ASCII)
 -nameopt arg - various certificate name options
 -reqopt arg  - various request text options


//Remy

