Differences between version 17 and predecessor to the previous major change of SSLNotes.
Other diffs: Previous Revision, Previous Author, or view the Annotated Edit History
Newer page: | version 17 | Last edited on Friday, June 20, 2003 8:43:05 pm | by JohnMcPherson | Revert |
Older page: | version 1 | Last edited on Wednesday, September 11, 2002 5:18:05 pm | by DanielLawson | Revert |
@@ -2,14 +2,14 @@
include HTTPS, POPS, LDAPS, and so on. If you are doign any network-based authentication, you should be doing it over SSL. Ideally, you want
all network-enabled services (http, smtp, pop, samba, ldap) running over it. Slim chance, I know. :)
----
-
-AddToMe: Better description of how SSL works.
Basic description: You have a certificate, which is signed by some CA (Certificate Authority). This certificate has both a public key (which is
signed by the CA), and a private key. When a client makes a connection to your SSL-enabled server, the server passes the public key along the client,
and the client then encrypts everything using this public key. The server then decrypts it using the private key.
+
+Someone can add a better description if they want.
----
Tricky points to note:
@@ -19,8 +19,9 @@
or by finding someone else who has a CA and asking them to trust you.
Also, if the key is assigned to the wrong domain (eg, its assigned to www.wlug.org.nz and I try to connect to https://mail.wlug.org.nz/ ) it'll generate another error. Simple fix - generate the key for the higher-level domain. EG, wlug.org.nz. It no longer complains :)
+Note that the above workaround only works under mozilla, it seems. IE complains about the cert not matching.
----
Setting up a CA (Certificate Authority) isn't too hard:
@@ -32,8 +33,14 @@
And answer the questions asked - sensibly
NOTE: Make sure you keep your CA's private key *private*. :)
+
+Also: Unless you tell it otherwise, it creates the key as valid for for one month. use -days n to make it valid for n days. -days 7000 is a good start.... :)
+
+----
+
+If all you want to do is create a self-signed certificate for apache, use ssl-certificate.
----
Setting up a key for apache and signing it against your CA generated above is also easy:
@@ -42,15 +49,43 @@
openssl req -new -config ./openssl.cnf -nodes -out ./apache-req.pem -keyout ./apache-key.pem
And answer the questions appropriately. This has create the certificate request (apache-req.pem) and the private key (apache-key.pem)
+Note that when it asks for your common name or CN, put the hostname or domain you are creating your ssl key for.
To sign:
- openssl x509 -req -in apache-req.pem -out apache-cert.pem -signkey apache-key.pem -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365
+ openssl x509 -req -in apache-req.pem -out apache-cert.pem -signkey apache-key.pem \
+
-CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365
This signs it against the cacert and key. It also specificies that it will expire in 365 days time.
And finally:
cp apache-cert.pem /etc/apache-ssl/apache.pem
cp apache-key.pem /etc/apache-ssl/apache-key.pem
+----
+To make a CA key available to Web brower users, add:
+ !AddType application/x-x509-ca-cert pem
+ !AddType application/x-x509-ca-cert der
+to your httpd.conf or .htaccess file. This associates this [MIME] Type with *.pem and *.der files. copy your cacert.pem file onto the web server, and create a .der version for IE users with the command:
+ openssl x509 -in cacert.pem -inform pem -out cacert.der -outform der
+Then goto the [URL] for cacert.pem (if you're running netscape) or cacert.der (if you're running IE). It will pop up a dialog box asking if you trust this certificate, to which you agree, and you're done!
+
+The difference between [PEM] and [DER] files, is that [PEM] files are base 64 encoded versions of the [DER] files and have a header and a footer.
+
+As of mozilla 1.x, mozilla appears to support [DER] files, so perhaps skip putting a [PEM] file there, and just use the [DER] file which will work with IE and Mozilla. [PEM] is the nicer file format, so in general try and use [PEM].
+----
+
+Most of the above was pulled from the [Apache-SSL FAQ|http://www.apache-ssl.org/#FAQ]
+
+The [OpenSSL Cookbook|http://www.pseudonym.org/ssl/ssl_cook.html] was also pretty useful
+
+Note that neither of the above were, I thought, complete answers. After messing round with content from both I came upon a working solution. The Apache-ssl FAQ was good, but had a tyop (-sugnkey points at the wrong key to sign in their example)
+
+If you are running RedHat, check out [RedHats HOWTO|http://www.tldp.org/HOWTO/SSL-RedHat-HOWTO-3.html] on the subject
+
+----
+another good site, http://certificate.nikhef.nl/info/CA_gymnastics.html
+
+----
+Part of CategorySecurity