httpd-users mailing list archives

From "Andy Cutright" <Andy.Cutri...@borland.com>
Subject RE: [users@httpd] mod_ssl setup problem
Date Wed, 14 Jan 2004 18:56:55 GMT
if you have built the openssl libraries, you should have an openssl exe.
that can be used to generate certificates. i'm including a script i use
to generate test certificates below. it's set up for my world, so you
will need to tweak the paths. the script will cause openssl to prompt
you for information. you can reasonably accept all defaults for testing
purposes. if you want to generate a real certificate, you're going to
need to know about the certificate generating process, which you may
already know. 

cheers, 
andy 


#!/bin/ksh

##
## this script runs the openssl exes to create appropriate key files &
## certificate files
## for a fresh install
##

usage() 
{
    echo "build_cert.ksh -server <server_name> -inst <inst_root> [-debug]"
}

if [ $# -eq 0 ]; then
  usage
  exit 1
fi


DEBUG=0

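while [ $# -ne 0 ] ; do
    case "$1" in
        -server )
            SERVER=$2
            shift
            ;;
        -inst )
            INST_ROOT=$2
            shift
            ;;
        -debug )
            DEBUG=1
            ;;
        * )
            echo "Unknown option $1"
            exit 1
            ;;
    esac
    shift
done

## both values are needed to build the paths below
if [ -z "$SERVER" ] || [ -z "$INST_ROOT" ] ; then
    usage
    exit 1
fi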

if [ "${RANDFILE}" = "" ] ; then
	if [ ! -f "${HOME}/.rnd" ] ; then
		echo ""
		echo "WARNING: may not be able to generate random seed necessary"
		echo ""
	fi
fi

OPENSSL=${INST_ROOT}/bin/apache2/openssl
KEYDIR=${INST_ROOT}/var/servers/${SERVER}/apache2/conf/ssl.key
KEYFILE=${KEYDIR}/server.key

REQFILE=${INST_ROOT}/tmp/server.crt

CERTDIR=${INST_ROOT}/var/servers/${SERVER}/apache2/conf/ssl.crt
CERTFILE=${CERTDIR}/server.crt
CONFFILE=${INST_ROOT}/bin/apache2/openssl.cnf

echo "SERVER: $SERVER"
echo "INST_ROOT: $INST_ROOT"
echo "OPENSSL: $OPENSSL"
echo "KEYDIR: $KEYDIR"
echo "KEYFILE: $KEYFILE"
echo "REQFILE: $REQFILE"
echo "CERTDIR: $CERTDIR"
echo "CERTFILE: $CERTFILE"
echo "CONFFILE: $CONFFILE"

if [ "$DEBUG" = "1" ] ; then
    echo "DEBUG IS TRUE"
    exit 0
fi

## generate the private key
## (redirect stdout first, then stderr, so both are discarded)
mkdir "$KEYDIR" > /dev/null 2>&1
"$OPENSSL" genrsa -out "$KEYFILE"
### generate a cert request
"$OPENSSL" req -new -key "$KEYFILE" -out "$REQFILE" -config "$CONFFILE"
### create a temp cert (self-signed from the request, using the same key)
mkdir "$CERTDIR" > /dev/null 2>&1
"$OPENSSL" req -x509 -key "$KEYFILE" -in "$REQFILE" -out "$CERTFILE" -config "$CONFFILE"


> -----Original Message-----
> From: Ben Yau [mailto:byau@cardcommerce.com] 
> Sent: Wednesday, January 14, 2004 9:41 AM
> To: users@httpd.apache.org
> Subject: RE: [users@httpd] mod_ssl setup problem
>
> > the certificate but the howto mentions that I have to use a script
> > /sign.sh to generate the server.crt as a certificate authority, I can't
> > find this script. Have searched and found some makefiles associated with
> > openssl directories but am not sure if they are similar.
> > Position at the moment is  I am a certificate authority and have a
> > certificate request but can't generate the server.crt file.
> > Tried to look for the source directories as it states
> >    "a script named sign.sh is distributed with the mod_ssl
> >       distribution (subdir pkg.contrib/). Use this script for signing."
> > but am having no luck.
> >
> 
> Hey Gordon.
> Did the mod_ssl come compiled with your apache ? Or did you download mod_ssl
> source?  And what OS are you using?
>
> We're using redhat on an internal web server here.  I checked on it and
> there also is no sign.sh
>
> I just downloaded from www.modssl.org the latest modssl source
> (2.8.16-1.3.29) and it is  there in the tar file:
>
> mod_ssl-2.8.16-1.3.29/pkg.contrib/sign.sh
>
> So that's one option.
>
> The other is this.  In the HOWTO  it does say you can use the CA.sh or CA.pl
> scripts instead of going through all the steps using openssl and sign.sh
> Check the beginning of that section and it says:
>
> "How can I create and use my own Certificate Authority (CA)?"
> "The short answer is to use the CA.sh or CA.pl script provided by OpenSSL.
> The long and manual answer is this:
> 1. (blah blah)
> 2. (blah blah)
> 3. "... script named sign.sh is distributed with the mod_ssl distribution
> (subdir pkg.contrib/)..."
> 4.  (blah blah)
>
> so your other option is checking to see if CA.sh or CA.pl are on your
> machine (it was on ours) and then see if you can use those instead.
> 
> Good luck.
> 
> Ben Yau
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 
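
Added example (not part of the original message or of the script posted in it): the same three openssl steps run without prompts, followed by two checks on the result, that the certificate carries the key's public modulus and that issuer and subject are the same name. It assumes an openssl binary on PATH; the function names, the generated req.cnf, the 2048-bit key size and the 30-day lifetime are choices made for this example.

```shell
#!/bin/sh
# Added example: key -> request -> self-signed test cert, then verify the result.
# make_test_cert, cert_matches_key and is_self_signed are names invented here.

# make_test_cert <outdir> <common_name>
# Writes server.key, server.csr and server.crt into <outdir>.
make_test_cert() {
    outdir=$1 cn=$2
    mkdir -p "$outdir" || return 1
    # Minimal config so openssl never prompts (prompt = no).
    cat > "$outdir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $cn
EOF
    (
        umask 077   # private key is created readable by its owner only
        openssl genrsa -out "$outdir/server.key" 2048 2>/dev/null
    ) || return 1
    openssl req -new -key "$outdir/server.key" -out "$outdir/server.csr" \
        -config "$outdir/req.cnf" || return 1
    # Self-sign the request with the same key; valid for 30 days.
    openssl req -x509 -days 30 -key "$outdir/server.key" \
        -in "$outdir/server.csr" -out "$outdir/server.crt" \
        -config "$outdir/req.cnf" || return 1
}

# cert_matches_key <cert> <key>: succeed only if both carry the same RSA modulus.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1") || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# is_self_signed <cert>: succeed if issuer and subject names are identical.
is_self_signed() {
    s=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
    i=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}
```

A mismatch reported by cert_matches_key is the usual cause of mod_ssl refusing to start after a key or certificate file has been regenerated on its own.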
