httpd-users mailing list archives

From Edward...@ita.org.mo
Subject Re: SSL with rpm package of apache
Date Sat, 17 Aug 2002 10:32:21 GMT
Sorry,

I'm not familiar with OpenSSL and Apache...
So, would you mind giving me the steps ( sample ) with a script for OpenSSL and
how to modify httpd.conf ( SSL Key ) of Apache ?

Is there a web site on the net ?

Thank you a lot !

Edward.

Dirk-Willem van Gulik wrote:

> On Sat, 17 Aug 2002 EdwardSPL@ita.org.mo wrote:
>
> > How can I create my own CA ( make certificate : SSL ) by rpm package of
> > apache ? My Linux is Redhat 7.2 system...
>
> I usually use the script below for test purposes. It assumes a standard
> (FreeBSD) apache installation with Ralf's default mod_ssl layout for keys
> and certs. This makes it slightly easier to test with apache compared to
> the real script: CA.pl or CA.sh which comes in the RPM.
>
> You run it like
>
>         ./sign.sh www.foo.com
>
> Essentially what the script does is
>
> ->      Create the CA infrastructure if not there in
>         your apache configuration. It will also create
>         a .net version of your CA key for importing into
>         Windows IE.
> ->      Create a CA for your domain if none there.
> ->      Create a cert and sign it with this CA.
>
> It is mainly for test/convenience purposes - NO passwords are set - so it
> is very insecure. And the 'Common Name' i.e. the name under which the
> cert is listed is downright ugly.
>
> Once you've got this working perfectly I suggest you look at the CA.sh
> script which comes with OpenSSL and the openssl.cnf file.
>
> That will allow you to set up a real and properly secured certificate
> authority.
>
> Dw.
>
> #!/bin/sh
> # (c) 1996 WebWeaving Consulting, All Rights Reserved.
> #          Dirk-Willem van Gulik <dirkx@webweaving.org>
> #          License: ASF License.
> #
> # $Id: misc/sign.sh,v 1.1.3.1.1.2 2000/03/04 23:29:09 dirkx Exp $
>
> # Location of your mod_ssl style ssl.crt, ssl.crl and ssl.key
> # style directories.
> #
> DIR=/usr/local/etc/apache
>
> # OpenSSL configuration file. The domain needs by default to
> # be set to $ENV::DOMAIN - see comment below.
> #
> CNF=$DIR/openssl.cnf
>
> # No user maintainable parts beyond this line.
> #
> if [ $# != 1 ]; then
>         echo Usage: sign \<Fully Qualified hostname\>
>         exit 1
> fi
>
> HOST=$1
> DOMAIN=`echo $HOST | sed -e 's/[^.]*\.//'`
> export DOMAIN
>
> CA=ca.$DOMAIN
>
> # Change into the apache directory first, so that the CA bookkeeping
> # files (index, serial, issued certs) end up next to openssl.cnf no
> # matter where the script is started from.
> cd $DIR || exit 2
>
> if [ ! -f .index.txt ]; then
>         touch .index.txt || exit 2
> fi
> if [ ! -d .issued ]; then
>         mkdir .issued || exit 2
> fi
> if [ ! -f .serial ]; then
>         echo 01 > .serial || exit 2
> fi
>
> if [ ! -f  ssl.key/$CA.key ]; then
>         echo Creating CA first..
>         echo
>         openssl req -new -x509 \
>                 -keyout ssl.key/$CA.key \
>                 -out ssl.crt/$CA.crt \
>                 -days 365 -nodes \
>                 || exit 3
>         openssl x509 -in ssl.crt/$CA.crt -out ssl.crt/$CA.net -outform NET
>         ( cd ssl.crt; make )
> fi
>
> echo Creating Server Certificate:
> echo
> openssl req -new \
>         -keyout ssl.key/$HOST.key \
>         -out ssl.csr/$HOST.csr \
>         -days 365 -nodes \
>         || exit 3
>
> # Abort before signing if openssl.cnf does not take the domain from the
> # environment. A { } group is used rather than a subshell, so that the
> # exit actually stops the script.
> grep ENV::DOMAIN $DIR/openssl.cnf || {
>         echo "You want to replace the domain by '\$ENV::DOMAIN'"
>         echo "in the openssl.cnf script. I.e. it should look like"
>         echo "domain=\$ENV::DOMAIN on line 9 of the cnf file."
>         exit 1
> }
>
> echo Signing Server Certificate:
> echo
> openssl ca \
>         -config $DIR/openssl.cnf \
>         -policy policy_anything \
>         -out ssl.crt/$HOST.crt \
>         -infiles ssl.csr/$HOST.csr \
>         || exit 3
>
> ( cd ssl.crt; make )
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
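Dirk-Willem's sign.sh relies on a hand-edited openssl.cnf (the `domain=$ENV::DOMAIN` line) and on being run from the right directory. The script below is an added example for this thread, not Dirk-Willem's script and not something that ships with the Apache or OpenSSL RPMs. It performs the same three steps (create the CA if missing, create a server key and CSR, sign the CSR with `openssl ca`) but writes its own minimal openssl.cnf with absolute paths, passes the subject with `-subj` instead of editing the config, adds a subjectAltName that browsers check, verifies the result with `openssl verify`, and prints the mod_ssl directives Edward asked about for httpd.conf. The CA directory layout (ssl.key/, ssl.crt/, ssl.csr/ under ./test-ca), the function names, the "Test CA for <domain>" name and the `.ext` file per host are choices made for this example. Like the original it sets no passphrase on the keys, which is fine for a test setup and nothing more; `openssl` output is kept in openssl.log inside the CA directory.

```shell
#!/bin/sh
# Added example, not Dirk-Willem's sign.sh: a self-contained test CA plus a
# signed server certificate. Everything lives under one CA directory whose
# ssl.key/, ssl.crt/, ssl.csr/ layout mirrors mod_ssl; keys have no passphrase.
set -e

# Minimal openssl.cnf written into the CA directory. All paths are absolute,
# so 'openssl ca' finds its database no matter where the script is run from.
write_ca_config() {
    cadir=$1
    cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
certificate    = $cadir/ssl.crt/ca.crt
private_key    = $cadir/ssl.key/ca.key
database       = $cadir/index.txt
serial         = $cadir/serial
new_certs_dir  = $cadir/issued
default_md     = sha256
default_days   = 365
unique_subject = no
policy         = policy_anything
# Only the CN is mandatory; the other DN fields are copied through if present.
[ policy_anything ]
commonName       = supplied
organizationName = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
# req_dn stays empty on purpose: the subject comes from -subj, so no prompts.
[ req_dn ]
# Extensions for the self-signed CA certificate (used by 'req -x509' only).
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}
# Create the CA directory, its bookkeeping files and the CA key/cert if absent.
init_test_ca() {
    cadir=$1; domain=$2
    mkdir -p "$cadir/ssl.key" "$cadir/ssl.crt" "$cadir/ssl.csr" "$cadir/issued"
    [ -f "$cadir/index.txt" ] || : > "$cadir/index.txt"
    [ -f "$cadir/serial" ] || echo 01 > "$cadir/serial"
    write_ca_config "$cadir"
    if [ ! -f "$cadir/ssl.key/ca.key" ]; then
        openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
            -config "$cadir/openssl.cnf" -subj "/CN=Test CA for $domain" \
            -keyout "$cadir/ssl.key/ca.key" -out "$cadir/ssl.crt/ca.crt" \
            2>>"$cadir/openssl.log"
        chmod 600 "$cadir/ssl.key/ca.key"
    fi
}

# Create a key and CSR for host $2 and sign it with the CA in $1. The extension
# file adds a subjectAltName, which browsers check rather than the CN.
issue_server_cert() {
    cadir=$1; host=$2
    openssl req -new -newkey rsa:2048 -nodes -config "$cadir/openssl.cnf" \
        -subj "/CN=$host" -keyout "$cadir/ssl.key/$host.key" \
        -out "$cadir/ssl.csr/$host.csr" 2>>"$cadir/openssl.log"
    chmod 600 "$cadir/ssl.key/$host.key"
    cat > "$cadir/ssl.csr/$host.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$host
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
EOF
    openssl ca -batch -notext -config "$cadir/openssl.cnf" -policy policy_anything \
        -extfile "$cadir/ssl.csr/$host.ext" -in "$cadir/ssl.csr/$host.csr" \
        -out "$cadir/ssl.crt/$host.crt" 2>>"$cadir/openssl.log"
}

# Confirm the issued certificate chains to the CA; prints "<file>: OK".
verify_chain() {
    openssl verify -CAfile "$1/ssl.crt/ca.crt" "$1/ssl.crt/$2.crt"
}

# mod_ssl directives for the <VirtualHost *:443> block of host $2 in httpd.conf.
# ssl.crt/ca.crt is the file to import into the browser so it trusts the test CA.
httpd_ssl_config() {
    cat <<EOF
SSLEngine on
SSLCertificateFile    $1/ssl.crt/$2.crt
SSLCertificateKeyFile $1/ssl.key/$2.key
EOF
}
# Usage: ./sign-example.sh www.foo.com    (the CA lives in ./test-ca by default)
if [ $# -eq 1 ]; then
    CADIR=${CADIR:-$(pwd)/test-ca}
    DOMAIN=$(echo "$1" | sed -e 's/[^.]*\.//')
    init_test_ca "$CADIR" "$DOMAIN"
    issue_server_cert "$CADIR" "$1"
    verify_chain "$CADIR" "$1"
    httpd_ssl_config "$CADIR" "$1"
fi
```

Run it once per hostname; the CA is created on the first run and reused afterwards, and `unique_subject = no` lets you reissue a certificate for the same host without first removing the old entry from index.txt. The `-extfile` approach is what replaces the `$ENV::DOMAIN` trick: the per-host values go into the CSR subject and the extension file, so the shared openssl.cnf never needs editing.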


