Thank you friends. This SSL stuff drives me nuts. Just to clarify, I had sent a certificate request with xyz.abc.com <http://cmsevalspry.house.gov/> as the common name. I got back a certificate with *.abc.com as the common name from the CA. Can I still use the same key or is it a mismatch?

On Mon, Nov 16, 2009 at 6:17 AM, Mark Watts <m.wa...@eris.qinetiq.com> wrote:

> On Sun, 2009-11-15 at 23:05 -0800, sieger...@gmail.com wrote:
> > Hello Friends
> >
> > I'm trying to figure out why I cannot install a SSL certificate that
> > I'd been given. Using openssl, I looked at the key file that was
> > generated by openssl, and the corresponding certificate file that was
> > returned by the CA.
>
> I assume you did the following:
>
> 1) Generate a key:
>
>     $ openssl genrsa -out www.example.com-key 2048
>     Generating RSA private key, 2048 bit long modulus
>     ..............................................+++
>     ....+++
>     e is 65537 (0x10001)
>
> 2) Generate a Certificate Signing Request (CSR):
>
>     $ openssl req -new -key www.example.com-key -out www.example.com-csr
>     You are about to be asked to enter information that will be incorporated
>     into your certificate request.
>     What you are about to enter is what is called a Distinguished Name or a DN.
>     There are quite a few fields but you can leave some blank
>     For some fields there will be a default value,
>     If you enter '.', the field will be left blank.
>     -----
>     Country Name (2 letter code) [GB]:
>     State or Province Name (full name) [Berkshire]:Greater London
>     Locality Name (eg, city) [Newbury]:London
>     Organization Name (eg, company) [My Company Ltd]:Acme Websites Ltd.
>     Organizational Unit Name (eg, section) []: <Leave blank>
>     Common Name (eg, your name or your server's hostname) []:www.example.com
>     Email Address []: <Leave blank>
>
>     Please enter the following 'extra' attributes
>     to be sent with your certificate request
>     A challenge password []: <Leave blank>
>     An optional company name []: <Leave blank>
>
> 3) Buy a certificate:
>
>     Go to www.verisign.com (or wherever) and buy a certificate.
>     Upload the CSR file you generated when they ask for it.
>     Download the Certificate when they let you.
>
> 4) Set up an SSL Vhost:
>
>     <VirtualHost 0.0.0.0:443>
>         ServerName "www.example.com"
>         SSLEngine on
>         SSLCertificateFile "/etc/httpd/conf/ssl/www.example.com-cert"
>         SSLCertificateKeyFile "/etc/httpd/conf/ssl/www.example.com-key"
>         ...
>     </VirtualHost>
>
> If you are running SELinux, ensure the context is correct.
> Ensure both files are mode 400 and owned by root.
>
> This should be all you need to do, aside from any other mod_ssl
> configuration you need.
>
> Mark.
>
> --
> Mark Watts BSc RHCE MBCS
> Senior Systems Engineer, Managed Services Manpower
> www.QinetiQ.com
> QinetiQ - Delivering customer-focused solutions
> GPG Key: http://www.linux-corner.info/mwatts.gpg
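
Added example, not part of the thread and not written by either poster: one way to test the question raised above, whether the certificate the CA returned still belongs to the private key behind the CSR even though its common name differs. The file names (site.key, site.csr, site.crt, other.key) and the self-signed wildcard certificate standing in for the CA's reply are constructed for illustration.

```shell
#!/bin/sh
# Added example: a certificate is usable with a private key when both carry
# the same public key. The subject name (CN) plays no part in that test.

# Each helper prints the PEM public key found in a key, CSR or certificate.
key_pub()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
csr_pub()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Succeed only if both files parse and their public keys are identical.
key_matches_csr()  { a=$(key_pub "$1") && b=$(csr_pub "$2")  && [ -n "$a" ] && [ "$a" = "$b" ]; }
key_matches_cert() { a=$(key_pub "$1") && b=$(cert_pub "$2") && [ -n "$a" ] && [ "$a" = "$b" ]; }

# Succeed if the certificate's names (wildcards included) cover host $2.
covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# Constructed sample files in directory $1. site.crt is self-signed here; a
# real CA signs with its own key, but it likewise embeds the public key taken
# from the CSR, which is the only thing the comparison looks at.
make_samples() {
    openssl genrsa -out "$1/site.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/site.key" -subj "/CN=xyz.abc.com" -out "$1/site.csr" &&
    openssl req -x509 -new -key "$1/site.key" -subj "/CN=*.abc.com" -days 1 \
        -out "$1/site.crt" &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

d=$(mktemp -d) && make_samples "$d" || exit 1
key_matches_csr  "$d/site.key"  "$d/site.csr" && echo "CSR was generated from site.key"
key_matches_cert "$d/site.key"  "$d/site.crt" && echo "wildcard certificate matches site.key"
key_matches_cert "$d/other.key" "$d/site.crt" || echo "other.key does not match the certificate"
covers_host "$d/site.crt" xyz.abc.com && echo "*.abc.com covers xyz.abc.com"
covers_host "$d/site.crt" abc.com     || echo "*.abc.com does not cover abc.com"
rm -rf "$d"
```

If key_matches_cert fails for the real files, the certificate was issued against a different CSR, and mod_ssl will not accept that key and certificate pair.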