
Differences between version 17 and predecessor to the previous major change of SSLNotes.


Newer page: version 17 Last edited on Friday, June 20, 2003 8:43:05 pm by JohnMcPherson
Older page: version 1 Last edited on Wednesday, September 11, 2002 5:18:05 pm by DanielLawson
@@ -2,14 +2,14 @@
 include HTTPS, POPS, LDAPS, and so on. If you are doign any network-based authentication, you should be doing it over SSL. Ideally, you want 
 all network-enabled services (http, smtp, pop, samba, ldap) running over it. Slim chance, I know. :) 
  
 ---- 
-  
-AddToMe: Better description of how SSL works.  
  
 Basic description: You have a certificate, which is signed by some CA (Certificate Authority). This certificate has both a public key (which is 
 signed by the CA), and a private key. When a client makes a connection to your SSL-enabled server, the server passes the public key along the client, 
 and the client then encrypts everything using this public key. The server then decrypts it using the private key. 
+  
+Someone can add a better description if they want.  
  
 ---- 
 Tricky points to note: 
  
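Review bot: the "Basic description" kept in this hunk gets the key model wrong, and swapping the AddToMe line for "Someone can add a better description if they want." leaves the error standing. A certificate contains only the public key (the CA signs the certificate, not the key); the private key is a separate file that stays on the server; and the client does not "encrypt everything using this public key": it uses the server's public key only during the handshake to establish a session key, after which the connection is protected with symmetric encryption. Suggest replacing those three sentences with that description instead of the open invitation, and fixing "doign" and "passes the public key along the client" (should be "to the client") in the surrounding context while here.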
@@ -19,8 +19,9 @@
 or by finding someone else who has a CA and asking them to trust you. 
  
 Also, if the key is assigned to the wrong domain (eg, its assigned to www.wlug.org.nz and I try to connect to https://mail.wlug.org.nz/ ) it'll generate another error. Simple fix - generate the key for the higher-level domain. EG, wlug.org.nz. It no longer complains :) 
  
+Note that the above workaround only works under mozilla, it seems. IE complains about the cert not matching.  
  
 ---- 
  
 Setting up a CA (Certificate Authority) isn't too hard: 
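Review bot: the added line ("only works under mozilla ... IE complains about the cert not matching") contradicts the "Simple fix" sentence it sits under, so the two now disagree with each other. Issuing the certificate for wlug.org.nz does not make it valid for mail.wlug.org.nz; IE is performing the hostname check correctly and Mozilla is being lenient, so the page is describing a client bug rather than a fix, and a reader who follows it ends up with a certificate that fails on other browsers. Suggest rewording "Simple fix" to say the CN must match the hostname users actually connect to, and issuing one certificate per hostname (or a wildcard CN such as *.wlug.org.nz where the clients in use accept it).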
@@ -32,8 +33,14 @@
  
 And answer the questions asked - sensibly 
  
 NOTE: Make sure you keep your CA's private key *private*. :) 
+  
+Also: Unless you tell it otherwise, it creates the key as valid for for one month. use -days n to make it valid for n days. -days 7000 is a good start.... :)  
+  
+----  
+  
+If all you want to do is create a self-signed certificate for apache, use ssl-certificate.  
  
 ---- 
  
 Setting up a key for apache and signing it against your CA generated above is also easy: 
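Review bot: the added validity line has a doubled word ("valid for for one month") and should say what it applies to: if the CA certificate is produced with openssl req -x509, the default is 30 days, and 7000 days on a CA certificate means a leaked CA key stays usable for issuing certificates for nearly twenty years. That suggestion belongs beside the "keep your CA's private key *private*" note, with a reminder to keep the CA key passphrase-protected and to use a much shorter -days for the server certificates it signs. The new "use ssl-certificate" line should also name the package that provides that script (it is not part of openssl itself), or readers on other distributions will not find it.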
@@ -42,15 +49,43 @@
  
  openssl req -new -config ./openssl.cnf -nodes -out ./apache-req.pem -keyout ./apache-key.pem 
  
 And answer the questions appropriately. This has create the certificate request (apache-req.pem) and the private key (apache-key.pem) 
+Note that when it asks for your common name or CN, put the hostname or domain you are creating your ssl key for.  
  
 To sign: 
  
- openssl x509 -req -in apache-req.pem -out apache-cert.pem -signkey apache-key.pem -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365 
+ openssl x509 -req -in apache-req.pem -out apache-cert.pem -signkey apache-key.pem \  
+ -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365 
  
 This signs it against the cacert and key. It also specificies that it will expire in 365 days time. 
  
 And finally: 
  
  cp apache-cert.pem /etc/apache-ssl/apache.pem 
  cp apache-key.pem /etc/apache-ssl/apache-key.pem 
+----  
+To make a CA key available to Web brower users, add:  
+ !AddType application/x-x509-ca-cert pem  
+ !AddType application/x-x509-ca-cert der  
+to your httpd.conf or .htaccess file. This associates this [MIME] Type with *.pem and *.der files. copy your cacert.pem file onto the web server, and create a .der version for IE users with the command:  
+ openssl x509 -in cacert.pem -inform pem -out cacert.der -outform der  
+Then goto the [URL] for cacert.pem (if you're running netscape) or cacert.der (if you're running IE). It will pop up a dialog box asking if you trust this certificate, to which you agree, and you're done!  
+  
+The difference between [PEM] and [DER] files, is that [PEM] files are base 64 encoded versions of the [DER] files and have a header and a footer.  
+  
+As of mozilla 1.x, mozilla appears to support [DER] files, so perhaps skip putting a [PEM] file there, and just use the [DER] file which will work with IE and Mozilla. [PEM] is the nicer file format, so in general try and use [PEM].  
+----  
+  
+Most of the above was pulled from the [Apache-SSL FAQ|http://www.apache-ssl.org/#FAQ]  
+  
+The [OpenSSL Cookbook|http://www.pseudonym.org/ssl/ssl_cook.html] was also pretty useful  
+  
+Note that neither of the above were, I thought, complete answers. After messing round with content from both I came upon a working solution. The Apache-ssl FAQ was good, but had a tyop (-sugnkey points at the wrong key to sign in their example)  
+  
+If you are running RedHat, check out [RedHats HOWTO|http://www.tldp.org/HOWTO/SSL-RedHat-HOWTO-3.html] on the subject  
+  
+----  
+another good site, http://certificate.nikhef.nl/info/CA_gymnastics.html  
+  
+----  
+Part of CategorySecurity
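Review bot: the reflowed signing command still passes both -signkey apache-key.pem and -CA cacert.pem -CAkey private/cakey.pem, which is the very defect the page complains about in the Apache-SSL FAQ ("-sugnkey points at the wrong key to sign"): -signkey asks openssl x509 to self-sign the request with that key, while -CA/-CAkey ask it to issue the certificate from the CA, and the reader should not have to rely on how a given openssl build resolves that contradiction. Suggest dropping -signkey so the line reads:
 openssl x509 -req -in apache-req.pem -out apache-cert.pem \
 -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365
Two smaller points: -nodes on the req line leaves apache-key.pem unencrypted on disk, so the cp into /etc/apache-ssl/ should be followed by restricting the key file's ownership and mode to the user Apache starts as; and the added "common name or CN" line would be clearer if it said the CN must be the hostname clients type into the browser (e.g. www.wlug.org.nz), since a mismatch is exactly the IE error the page mentions earlier.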