Differences between version 17 and revision by previous author of SSLNotes.
Newer page: version 17, last edited on Friday, June 20, 2003 8:43:05 pm by JohnMcPherson
Older page: version 10, last edited on Sunday, November 17, 2002 10:51:25 pm by CraigBox
@@ -53,18 +53,28 @@
Note that when it asks for your common name or CN, put the hostname or domain you are creating your ssl key for.
To sign:
- openssl x509 -req -in apache-req.pem -out apache-cert.pem -signkey apache-key.pem
+ openssl x509 -req -in apache-req.pem -out apache-cert.pem -signkey apache-key.pem \
-CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365
This signs it against the cacert and key. It also specificies that it will expire in 365 days time.
And finally:
cp apache-cert.pem /etc/apache-ssl/apache.pem
cp apache-key.pem /etc/apache-ssl/apache-key.pem
+----
+To make a CA key available to Web brower users, add:
+ !AddType application/x-x509-ca-cert pem
+ !AddType application/x-x509-ca-cert der
+to your httpd.conf or .htaccess file. This associates this [MIME] Type with *.pem and *.der files. copy your cacert.pem file onto the web server, and create a .der version for IE users with the command:
+ openssl x509 -in cacert.pem -inform pem -out cacert.der -outform der
+Then goto the [URL] for cacert.pem (if you're running netscape) or cacert.der (if you're running IE). It will pop up a dialog box asking if you trust this certificate, to which you agree, and you're done!
+
+The difference between [PEM] and [DER] files, is that [PEM] files are base 64 encoded versions of the [DER] files and have a header and a footer.
+As of mozilla 1.x, mozilla appears to support [DER] files, so perhaps skip putting a [PEM] file there, and just use the [DER] file which will work with IE and Mozilla. [PEM] is the nicer file format, so in general try and use [PEM].
----
Most of the above was pulled from the [Apache-SSL FAQ|http://www.apache-ssl.org/#FAQ]
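Review bot: the replaced signing command (the `+ openssl x509 -req ...` line and its continuation) keeps `-signkey apache-key.pem` while adding `-CA cacert.pem -CAkey private/cakey.pem`. `-signkey` is the self-sign option; once `-CA`/`-CAkey` are given the output is signed by the CA key and the `-signkey` step is redundant, and it is exactly the option the page's own "tyop" remark about the Apache-SSL FAQ concerns, so drop it: `openssl x509 -req -in apache-req.pem -out apache-cert.pem -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365`. Two smaller points in the same hunk: the continuation line `-CA cacert.pem -CAkey ...` is missing its `+` marker, so it reads as unchanged context; and the new CA-import paragraph tells browser users to simply agree to the trust dialog, but a CA imported this way can vouch for any hostname, so the page should publish the certificate's fingerprint (`openssl x509 -in cacert.pem -noout -fingerprint`) next to the download link so users can compare it before accepting.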
@@ -72,4 +82,10 @@
Note that neither of the above were, I thought, complete answers. After messing round with content from both I came upon a working solution. The Apache-ssl FAQ was good, but had a tyop (-sugnkey points at the wrong key to sign in their example)
If you are running RedHat, check out [RedHats HOWTO|http://www.tldp.org/HOWTO/SSL-RedHat-HOWTO-3.html] on the subject
+
+----
+another good site, http://certificate.nikhef.nl/info/CA_gymnastics.html
+
+----
+Part of CategorySecurity
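Review bot: the added `another good site, http://certificate.nikhef.nl/info/CA_gymnastics.html` line is a bare URL with no indication of what the page covers; the rest of this page links with the `[Label|URL]` wiki syntax (the Apache-SSL FAQ and RedHat HOWTO links) and says what each link is for, so this one should follow the same form with a short description.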