Differences between version 25 and predecessor to the previous major change of SSLNotes.

Newer page: version 25 Last edited on Friday, November 17, 2006 5:15:55 pm by DanielLawson
Older page: version 24 Last edited on Thursday, February 23, 2006 4:41:06 pm by MattBrown
@@ -29,10 +29,12 @@
 Setting up a CA (Certificate Authority) isn't too hard: 
  
 On my Debian Woody (3.0) system: 
  
+<pre>  
  cd /etc/ssl 
  openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem 
+</pre>  
  
 And answer the questions asked - sensibly 
  
 NOTE: Make sure you keep your CA's private key *private*. :) 
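Review bot: the "openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem" line in this hunk has no -days option, so the CA certificate gets OpenSSL's default validity of 30 days and will expire well before the 365-day server certificates that the later section signs with it; add a long lifetime to that command, for example "-days 3650". The <pre> wrapping is fine; it would also help to say on the "answer the questions" line that req prompts for a passphrase on the CA key here (no -nodes is given), and that this passphrase is part of keeping the key private as the NOTE asks.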
@@ -48,34 +50,44 @@
 Setting up a key for apache and signing it against your CA generated above is also easy: 
  
 (again, Debian Woody system) 
  
+<pre>  
  openssl req -new -config ./openssl.cnf -nodes -out ./apache-req.pem -keyout ./apache-key.pem 
+</pre>  
  
 And answer the questions appropriately. This has create the certificate request (apache-req.pem) and the private key (apache-key.pem) 
 Note that when it asks for your common name or CN, put the hostname or domain you are creating your ssl key for. 
  
 To sign: 
  
+<pre>  
  openssl x509 -req -in apache-req.pem -out apache-cert.pem -signkey apache-key.pem \ 
  -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365 
+</pre>  
  
 This signs it against the cacert and key. It also specificies that it will expire in 365 days time. 
  
 And finally: 
  
+<pre>  
  cp apache-cert.pem /etc/apache-ssl/apache.pem 
  cp apache-key.pem /etc/apache-ssl/apache-key.pem 
+</pre>  
 ---- 
 If you have several websites under a single domain ie (site1.domain.com, site2.domain.com) you can create a single wildcard certificate that is valid for both of them. To do this simply make the CN of the certificate *.domain.com and then install the certificate as usal. 
  
 Remember you can't name virtual host SSL enabled sites. 
 ---- 
 To make a CA key available to Web browser users, add: 
+<pre>  
  !AddType application/x-x509-ca-cert pem 
  !AddType application/x-x509-ca-cert der 
+</pre>  
 to your httpd.conf or .htaccess file. This associates this [MIME] Type with *.pem and *.der files. copy your cacert.pem file onto the web server, and create a .der version for IE users with the command: 
+<pre>  
  openssl x509 -in cacert.pem -inform pem -out cacert.der -outform der 
+</pre>  
 Then goto the [URL] for cacert.pem (if you're running netscape) or cacert.der (if you're running IE). Mozilla will pop up a dialog box asking if you trust this certificate, to which you agree, and you're done! For Internet Explorer you'll get a non-intuitive "save or open" dialog. Click Open, then click "Install Certificate" and you're done! 
  
 The difference between [PEM] and [DER] files, is that [PEM] files are base 64 encoded versions of the [DER] files and have a header and a footer.
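Review bot: the signing command in this hunk passes both "-signkey apache-key.pem" and "-CA cacert.pem -CAkey private/cakey.pem"; -signkey is the self-signing option of the x509 tool, so it contradicts the stated intent of signing against the CA and should be dropped, leaving "openssl x509 -req -in apache-req.pem -out apache-cert.pem -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365". Two smaller points: the request is generated with -nodes, so apache-key.pem is an unencrypted key and the cp into /etc/apache-ssl should be followed by making the file readable by root only; and the surrounding prose has typos that could be fixed in the same edit ("This has create", "specificies", "usal").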