Re: Apache-SSL 'n Cert Fun
Hi,
i dont now why you created a ca.crt, when you use
self signed certificate later.
A self signed certificate can be generated with one command:
openssl req -new -x509 -newkey rsa:1024 -days 365 -keyout key.pem -out
cert.pem
Also you must set the extrension CA:True in the
CA Certificate.
-extensions v3_ca (when you use the default openssl.cfg)
It's best when you configure your CAs in openssl.cfg.
Then you can use the "opennssl ca" command to sign
Certificates.
I allways use more than one CA certificate.
root CA
|-> Server CA
| \- CN = www.blablub.de
\-> User CA
\- CN = Hans Mueller
You should use the FQDN in the CN field of Server
Certificates.
Markus
On Sat, Mar 01, 2003 at 09:14:52PM -0500, Teddy Knab wrote:
> I have been signing my own certs.
>
> Is that what you are typing about ?
>
> Here is a short clip of what I did:
>
> self signed cert
> 505 openssl genrsa -des3 -out ca.key 2048
> 510 openssl req -new -x509 -days 3652 -key ca.key -out ca.crt
>
> 2nd try docs from http://www.apache-ssl.org/#FAQ
> 545 openssl req -new > new.cert.csr
> 547 openssl rsa -in privkey.pem -out new.cert.key
> 548 openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey
> new.cert.key -days 365
> cat new.cert.key > apache.pem
> cat new.cert.cert >> apache.pem
> mv apache.pem to /etc/apache-ssl/apache.pem
> cp new.cert.key /etc/apache-ssl/apache.key
>
> Do you trust me ?
> My cert.
> https://webmail.washcoll.edu
>
>
> Ted
>
>
> --
> To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
--
_ ___
#_~`--'__ `===-, Markus Benning <me@w3r3wolf.de>
`.`. `#.,// http://www.w3r3wolf.de
,_\_\ ## #\
`__.__ `####\ Open Source is a philosophy
~~\ ,###'~ not a price tag !
\##'
Reply to: