Re: [users@httpd] cannot install a SSL certificate : any idea folks ? Thanks

[Mark Watts]

On Sun, 2009-11-15 at 23:05 -0800, sieger...@gmail.com wrote:
> Hello Friends
> 
> 
> I'm trying to figure out why I cannot install a SSL certificate that
> I'd been given. Using openssl, I looked at the key file that was
> generated by openssl, and the corresponding certificate file that was
> returned by the CA.

I assume you did the following:

1) Generate a key:

        $ openssl genrsa -out www.example.com-key 2048
        Generating RSA private key, 2048 bit long modulus
        ..............................................+++
        ....+++
        e is 65537 (0x10001)

2) Generate a Certificate Sigining Request (CSR):

        $ openssl req -new -key www.example.com-key -out
        www.example.com-csr
        You are about to be asked to enter information that will be
        incorporated
        into your certificate request.
        What you are about to enter is what is called a Distinguished
        Name or a DN.
        There are quite a few fields but you can leave some blank
        For some fields there will be a default value,
        If you enter '.', the field will be left blank.
        -----
        Country Name (2 letter code) [GB]:
        State or Province Name (full name) [Berkshire]:Greater London
        Locality Name (eg, city) [Newbury]:London
        Organization Name (eg, company) [My Company Ltd]:Acme Websites
        Ltd.
        Organizational Unit Name (eg, section) []: <Leave blank>
        Common Name (eg, your name or your server's hostname)
        []:www.example.com
        Email Address []: <Leave blank>
        
        Please enter the following 'extra' attributes
        to be sent with your certificate request
        A challenge password []: <Leave blank>
        An optional company name []: <Leave blank>

3) Buy a certificate:

        Go to www.verisign.com (or wherever) and buy a certificate.
        Upload the CSR file you generated when they ask for it.
        Download the Certificate when they let you.
        
4) Setup an SSL Vhost:
        
        <VirtualHost 0.0.0.0:443>
         ServerName     "www.example.com"
         SSLEngine      on
         SSLCertificateFile     "/etc/httpd/conf/ssl/www.example.com-cert"
         SSLCertificateKeyFile  "/etc/httpd/conf/ssl/www.example.com-key"
         ...
        </VirtualHost>

If you are running SELinux, ensure the context is correct.
Ensure both files are mode 400 and owned by root.

This should be all you need to do, aside from any other mod_ssl
configuration you need.

Mark.

-- 
Mark Watts BSc RHCE MBCS
Senior Systems Engineer, Managed Services Manpower
www.QinetiQ.com
QinetiQ - Delivering customer-focused solutions
GPG Key: http://www.linux-corner.info/mwatts.gpg

signature.asc
Description: This is a digitally signed message part