guidance on SSL certs and Apache2
I'm trying to set up apache2 to use ssl. I see numerous bugs about
this, including the fact that the setup is neither automated nor documented
(267477 -- which includes some recipes and references to help) and
that a tool, ssl-cert, used at one point by apache2 for debconf, has
problems (230485). The changelog says that ssl-cert was dropped for
There seem to be at least 3 ways to setup certificates:
There is a configuration file /etc/ssl/openssl.cnf, and there seems to
be space for certificates and keys under /etc/ssl/ and
Can anyone suggest which of these knobs I should tweak to set things
up? And where should I put the resulting files? I use KDE, and I see
it has Kleopatra for certificate management. Is that useable?
I want to be my own CA as well as having the certificates (one for
each virtual domain).
Documentation seems sparse. man apache2-ssl-cert gets me the openssl
man page; apache2-ssl-cert --help just runs the program. ssl-cert's
manpage is under make-ssl-cert (I think), and is unilluminating.
When I originally installed apache2 the setup script ran and ended up
producing the same error as reported in 230485 (I think the script
> writing new private key to '/etc/apache2/ssl/apache.pem'
> problems making Certificate Request
> 20712:error:0D07A098:asn1 encoding routines:ASN1_mbstring_copy:string too short:a_mbstr.c:147:minsize=1
> dpkg: error processing apache2-common (--configure):
> subprocess post-installation script returned error exit status 1
When I added
to my Apache configuration (for a virtual server) I got further than
without it, but had the error
> [Sun Sep 18 18:50:57 2005] [error] Init: Unable to read server certificate from file /etc/apache2/ssl/apache.pem
> [Sun Sep 18 18:50:57 2005] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> [Sun Sep 18 18:50:57 2005] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
My theory is that the original setup used values from openssl.cnf. I
hadn't touched them, so some were empty, producing the "string too
short." The resulting certificate is no good, leading to the 2nd set