httpd-users mailing list archives

From "Leif W" <warp-...@usa.net>
Subject Re: [users@httpd] Apache 2 SSL Problem
Date Thu, 09 Oct 2003 18:54:21 GMT
----- Original Message ----- 
From: "suomi" <apache@ayni.com>
To: <users@httpd.apache.org>
Sent: Thursday, October 09, 2003 1:41 PM
Subject: Re: [users@httpd] Apache 2 SSL Problem


> Regarding your first problem there you present too little info to say
> anything.
> regarding the CA certificate:
>
> you present poor apache a CA certificate, which you should not.
>  create a simple certificate based on this CA certificate and configure
> this certificate to apache.
> howto create a certificate:
>
> man openssl

Just to elaborate, here's some basic steps to follow to make a self-signed
certificate for testing purposes only:

1) mkdir ssl; chown root:root ssl; chmod 700 ssl; cd ssl

Make a protected, root owned ssl directory to hold your KEY, CSR, and CRT
files.

2) openssl genrsa -des3 1024 > www.xxx.com.key

Make the key.  If you're going to get a real certificate, then this file is
very important.  Do not lose.  Do not let it fall into wrong hands, etc..
Doing so will at the least cost you a new certificate, and at most all the
data protected by this certificate/key pair.  Note about the -des3 option:
specifying this option allows you to further encrypt the key with a pass
phrase.  This has the advantage of more protection, in the event the key
file is stolen, it is still protected.  This has the disadvantage, that
every time you start the server (i.e. during bootup, "apachectl startssl"),
you have to physically be at the computer console and enter the pass phrase
for each and every certificate.  To my knowledge there is no way to specify
the credentials programmatically, due to further security concerns (extreme
paranoia).

3) openssl req -new -key www.xxx.com.key > www.xxx.com.csr

Create the Certificate Signing Request (CSR).  The Common Name (CN)
specified here must match the address of the server exactly (server.com and
www.server.com are two different things).

4) openssl req -x509 -days 30 -key www.xxx.com.key -in www.xxx.com.csr >
www.xxx.com.crt

Self-sign your certificate as if you were a Certificate Authority (CA).
This is the one-liner you pay all that money for.  Adjust the -days option
accordingly.

5) chown root:root *; chmod 400 *

Further protect your KEY, CSR, and CRT files.

Hope this helps,

Leif

> suomi
>
> Peter Fleck wrote:
>
> > [Followup thread to "Apache 2 VirtualHost and SSL" with new corrected
> > info. I've tried to get more specific in asking for help.]
> >
> > I'm looking for help in serving pages via SSL.
> >
> > I'm using Apache 2.x running on Linux 9. Using name-based virtual
> > hosting and understand I can only have a single SSL virtual host.
> >
> > SSL is working and the server is listening on port 443. I've confirmed
> > this with the curl tool and with netstat. The curl tool actually
> > returns my index page.
> >
> > curl also generates log entries in "ssl_access_log" and
> > "ssl_request_log."
> >
> > But if I try to access the server with a browser, using an "https"
> > url, the connection is refused and nothing is logged.
> >
> > Here's a brief summary of my setup. The port 80 sites are serving with
> > no problem.
> >
> > Main/default ServerName designation is www.cancer.umn.edu. This is
> > also listed as ServerName for one of the virtual sites. AND it's the
> > ServerName for the secure virtual site. Could this cause a problem.
> >
> > I do have "NameVirtualHost 160.94.109.179:80" and then list the
> > Virtual sites using IPs and ports as suggested on this list. So two
> > VirtualHosts are 160.94.109.179:80 with two different ServerNames and
> > the third is 160.94.109.179:443 with the 'www.cancer.umn.edu'
> > ServerName specified.
> >
> > One more thing, when I restart Apache, the following error is
> > generated in "ssl_error_log." Since I generated my own certificate and
> > key for testing, I thought it might have to do with that.
> >
> > [warn] RSA server certificate is a CA certificate (BasicConstraints:
> > CA == TRUE !?)
> >
> > Thanks.



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

