Differences between version 10 and revision by previous author of SSLNotes.
Other diffs: Previous Major Revision, Previous Revision, or view the Annotated Edit History
| Newer page: | version 10 | Last edited on Sunday, November 17, 2002 10:51:25 pm | by CraigBox | Revert |
| Older page: | version 1 | Last edited on Wednesday, September 11, 2002 5:18:05 pm | by DanielLawson | Revert |
@@ -2,14 +2,14 @@
include HTTPS, POPS, LDAPS, and so on. If you are doign any network-based authentication, you should be doing it over SSL. Ideally, you want
all network-enabled services (http, smtp, pop, samba, ldap) running over it. Slim chance, I know. :)
----
-
-AddToMe: Better description of how SSL works.
Basic description: You have a certificate, which is signed by some CA (Certificate Authority). This certificate has both a public key (which is
signed by the CA), and a private key. When a client makes a connection to your SSL-enabled server, the server passes the public key along the client,
and the client then encrypts everything using this public key. The server then decrypts it using the private key.
+
+Someone can add a better description if they want.
----
Tricky points to note:
@@ -19,8 +19,9 @@
or by finding someone else who has a CA and asking them to trust you.
Also, if the key is assigned to the wrong domain (eg, its assigned to www.wlug.org.nz and I try to connect to https://mail.wlug.org.nz/ ) it'll generate another error. Simple fix - generate the key for the higher-level domain. EG, wlug.org.nz. It no longer complains :)
+Note that the above workaround only works under mozilla, it seems. IE complains about the cert not matching.
----
Setting up a CA (Certificate Authority) isn't too hard:
@@ -32,8 +33,14 @@
And answer the questions asked - sensibly
NOTE: Make sure you keep your CA's private key *private*. :)
+
+Also: Unless you tell it otherwise, it creates the key as valid for for one month. use -days n to make it valid for n days. -days 7000 is a good start.... :)
+
+----
+
+If all you want to do is create a self-signed certificate for apache, use ssl-certificate.
----
Setting up a key for apache and signing it against your CA generated above is also easy:
@@ -42,15 +49,27 @@
openssl req -new -config ./openssl.cnf -nodes -out ./apache-req.pem -keyout ./apache-key.pem
And answer the questions appropriately. This has create the certificate request (apache-req.pem) and the private key (apache-key.pem)
+Note that when it asks for your common name or CN, put the hostname or domain you are creating your ssl key for.
To sign:
- openssl x509 -req -in apache-req.pem -out apache-cert.pem -signkey apache-key.pem -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365
+ openssl x509 -req -in apache-req.pem -out apache-cert.pem -signkey apache-key.pem
+
-CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365
This signs it against the cacert and key. It also specificies that it will expire in 365 days time.
And finally:
cp apache-cert.pem /etc/apache-ssl/apache.pem
cp apache-key.pem /etc/apache-ssl/apache-key.pem
+
+----
+
+Most of the above was pulled from the [Apache-SSL FAQ|http://www.apache-ssl.org/#FAQ]
+
+The [OpenSSL Cookbook|http://www.pseudonym.org/ssl/ssl_cook.html] was also pretty useful
+
+Note that neither of the above were, I thought, complete answers. After messing round with content from both I came upon a working solution. The Apache-ssl FAQ was good, but had a tyop (-sugnkey points at the wrong key to sign in their example)
+
+If you are running RedHat, check out [RedHats HOWTO|http://www.tldp.org/HOWTO/SSL-RedHat-HOWTO-3.html] on the subject
