From: EdwardSPL@ita.org.mo
To: users@httpd.apache.org
Date: Sat, 17 Aug 2002 18:32:21 +0800
Subject: Re: SSL with rpm package of apache

Sorry, I'm not familiar with OpenSSL and Apache... So, would you mind giving me the steps (sample) with a script for OpenSSL and how to modify httpd.conf (SSL key) of Apache? Is there a web site on the net?

Thank you a lot!

Edward.

Dirk-Willem van Gulik wrote:

> On Sat, 17 Aug 2002 EdwardSPL@ita.org.mo wrote:
>
> > How can I create my own CA ( make certificate : SSL ) by rpm package of
> > apache ? My Linux is Redhat 7.2 system...
>
> I usually use the script below for test purposes. It assumes a standard
> (FreeBSD) apache installation with Ralf's default mod_ssl layout for keys
> and certs. This makes it slightly easier to test with apache compared to
> the real script: CA.pl or CA.sh which comes in the RPM.
>
> You run it like
>
> ./sign.sh www.foo.com
>
> Essentially what the script does is
>
> -> Create the CA infrastructure if not there in
>    your apache configuration. It will also create
>    a .net version of your CA key for importing into
>    Windows IE..
> -> Create a CA for your domain if none there.
> -> Create a cert and sign it with this CA.
>
> It is mainly for test/convenience purposes - NO passwords are set - so it
> is very insecure. And the 'Common Names' i.e. the name under which the
> cert is listed is downright ugly.
>
> Once you've got this working perfectly I suggest you look at the CA.sh
> script which comes with OpenSSL and the openssl.cnf file.
>
> That will allow you to set up a real and properly secured certificate
> authority.
>
> Dw.
>
> #!/bin/sh
> # (c) 1996 WebWeaving Consulting, All Rights Reserved.
> # Dirk-Willem van Gulik
> # License: ASF License.
> #
> # $Id: misc/sign.sh,v 1.1.3.1.1.2 2000/03/04 23:29:09 dirkx Exp $
>
> # Location of your mod_ssl style ssl.crt, ssl.crl and ssl.key
> # style directories.
> #
> DIR=/usr/local/etc/apache
>
> # OpenSSL configuration file. The domain needs by default to
> # be set to $ENV::DOMAIN - see comment below.
> #
> CNF=$DIR/openssl.cnf
>
> # No user maintainable parts beyond this line.
> #
> if [ $# != 1 ]; then
>     echo "Usage: sign hostname"
>     exit 1
> fi
>
> HOST=$1
> # Strip the first label: www.foo.com -> foo.com
> DOMAIN=`echo $HOST | sed -e 's/[^.]*\.//'`
> export DOMAIN
>
> CA=ca.$DOMAIN
>
> # Database, issued-certs directory and serial file used by 'openssl ca';
> # they live in the current directory, so openssl.cnf must point at them.
> if [ ! -f .index.txt ]; then
>     touch .index.txt || exit 2
> fi
> if [ ! -d .issued ]; then
>     mkdir .issued || exit 2
> fi
> if [ ! -f .serial ]; then
>     echo 01 > .serial || exit 2
> fi
>
> cd $DIR
> if [ ! -f ssl.key/$CA.key ]; then
>     echo Creating CA first..
>     echo
>     # Self-signed CA cert; -nodes leaves the CA key unencrypted.
>     openssl req -new -x509 \
>         -keyout ssl.key/$CA.key \
>         -out ssl.crt/$CA.crt \
>         -days 365 -nodes \
>         || exit 3
>     openssl x509 -in ssl.crt/$CA.crt -out ssl.crt/$CA.net -outform NET
>     ( cd ssl.crt; make )
> fi
>
> echo Creating Server Certificate:
> echo
> # Server key plus certificate signing request (CSR).
> openssl req -new \
>     -keyout ssl.key/$HOST.key \
>     -out ssl.csr/$HOST.csr \
>     -days 365 -nodes \
>     || exit 3
>
> # Braces, not a subshell, so the exit really aborts the script.
> grep ENV::DOMAIN $CNF || {
>     echo "You want to replace the domain by '\$ENV::DOMAIN'"
>     echo "in the openssl.cnf script. I.e. it should look like"
>     echo "domain=\$ENV::DOMAIN on line 9 of the cnf file."
>     exit 1
> }
>
> echo Signing Server Certificate:
> echo
> openssl ca \
>     -config $CNF \
>     -policy policy_anything \
>     -out ssl.crt/$HOST.crt \
>     -infiles ssl.csr/$HOST.csr \
>     || exit 3
>
> ( cd ssl.crt; make )
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org