Posted to users@httpd.apache.org by Ed...@ita.org.mo on 2002/08/17 10:34:50 UTC
SSL with rpm package of apache
Dear All,
How can I create my own CA (make certificate: SSL) with the rpm package of
Apache?
My Linux is a Redhat 7.2 system...
Thanks for your help!
Edward.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest, e-mail: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: SSL with rpm package of apache
Posted by Ed...@ita.org.mo.
Sorry,
I'm not familiar with OpenSSL and Apache...
So, would you mind giving me the steps (a sample) with a script for OpenSSL and
how to modify httpd.conf (SSL Key) of Apache?
Is there a web site on the net?
Thank you a lot!
Edward.
Re: SSL with rpm package of apache
Posted by Dirk-Willem van Gulik <di...@webweaving.org>.
On Sat, 17 Aug 2002 EdwardSPL@ita.org.mo wrote:
> How can I create my own CA ( make certificate : SSL ) by rpm package of
> apache ? My Linux is Redhat 7.2 system...
I usually use the script below for test purposes. It assumes a standard
(FreeBSD) apache installation with Ralf's default mod_ssl layout for keys
and certs. This makes it slightly easier to test with apache compared to
the real script, CA.pl or CA.sh, which comes in the RPM.
You run it like
./sign.sh www.foo.com
Essentially what the script does is:
-> Create the CA infrastructure if not there in
your apache configuration. It will also create
a .net version of your CA key for importing into
Windows IE.
-> Create a CA for your domain if none is there.
-> Create a cert and sign it with this CA.
It is mainly for test/convenience purposes - NO passwords are set - so it
is very insecure. And the 'Common Name', i.e. the name under which the
cert is listed, is downright ugly.
Once you've got this working perfectly I suggest you look at the CA.sh
script which comes with OpenSSL and the openssl.cnf file.
That will allow you to set up a real and properly secured certificate
authority.
Dw.
#!/bin/sh
# (c) 1996 WebWeaving Consulting, All Rights Reserved.
# Dirk-Willem van Gulik <di...@webweaving.org>
# License: ASF License.
#
# $Id: misc/sign.sh,v 1.1.3.1.1.2 2000/03/04 23:29:09 dirkx Exp $

# Location of your mod_ssl style ssl.crt, ssl.csr, ssl.crl and ssl.key
# directories. The CA state files (.index.txt, .serial, .issued) are
# kept in this directory as well.
#
DIR=/usr/local/etc/apache

# OpenSSL configuration file. The domain needs by default to
# be set to $ENV::DOMAIN - see comment below.
#
CNF=$DIR/openssl.cnf

# No user maintainable parts beyond this line.
#
if [ $# != 1 ]; then
    echo "Usage: sign <Fully Qualified hostname>"
    exit 1
fi

HOST=$1
# Strip the first label: www.foo.com -> foo.com
DOMAIN=`echo "$HOST" | sed -e 's/[^.]*\.//'`
export DOMAIN

CA=ca.$DOMAIN

cd "$DIR" || exit 2

# Check the config before generating anything, so that a wrong
# openssl.cnf does not leave half-finished keys behind. (An 'exit'
# inside a ( ... ) subshell would only leave the subshell, hence the if.)
if ! grep -q 'ENV::DOMAIN' "$CNF"; then
    echo "You want to replace the domain by '\$ENV::DOMAIN'"
    echo "in the openssl.cnf file. I.e. it should look like"
    echo "domain=\$ENV::DOMAIN on line 9 of the cnf file."
    exit 1
fi

# State files used by 'openssl ca': database, issued certs, next serial.
if [ ! -f .index.txt ]; then
    touch .index.txt || exit 2
fi
if [ ! -d .issued ]; then
    mkdir .issued || exit 2
fi
if [ ! -f .serial ]; then
    echo 01 > .serial || exit 2
fi

if [ ! -f "ssl.key/$CA.key" ]; then
    echo "Creating CA first.."
    echo
    # Self-signed CA key and certificate; -nodes leaves the key unencrypted.
    openssl req -new -x509 \
        -config "$CNF" \
        -keyout "ssl.key/$CA.key" \
        -out "ssl.crt/$CA.crt" \
        -days 365 -nodes \
        || exit 3
    # Netscape (NET) output format was removed in OpenSSL 1.1.0; on newer
    # releases drop this step and import the .crt directly.
    openssl x509 -in "ssl.crt/$CA.crt" -out "ssl.crt/$CA.net" -outform NET
    # Rebuild the hash symlinks mod_ssl uses to find CA certificates.
    ( cd ssl.crt && make )
fi

echo "Creating Server Certificate:"
echo
# Server key and certificate request; validity is set at signing time.
openssl req -new \
    -config "$CNF" \
    -keyout "ssl.key/$HOST.key" \
    -out "ssl.csr/$HOST.csr" \
    -nodes \
    || exit 3

echo "Signing Server Certificate:"
echo
openssl ca \
    -config "$CNF" \
    -policy policy_anything \
    -out "ssl.crt/$HOST.crt" \
    -infiles "ssl.csr/$HOST.csr" \
    || exit 3

( cd ssl.crt && make )
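The following is an added example and not Dirk's sign.sh, nor code from the OpenSSL or Apache projects. It walks the same three steps (CA, server key and CSR, signing) but in the form Dirk points to for a "properly secured" setup: the CA key is encrypted with a passphrase instead of -nodes, 'openssl ca' is driven by an explicit, self-contained openssl.cnf with the database/serial/newcerts layout it expects, the server certificate carries a readable Common Name and a subjectAltName, and the chain is verified before anything is installed. It only needs the openssl command-line tool; the scratch-directory layout, the config section names (test_ca, policy_cn, ca_ext, server_cert) and the host www.example.test are constructed for the example. Copying the resulting files into the mod_ssl ssl.key/ssl.crt directories is left to the reader.

```shell
#!/bin/sh
# Added example (not the sign.sh from the thread): a minimal test CA laid out
# the way 'openssl ca' expects, with a passphrase on the CA key, readable
# Common Names and a Subject Alternative Name on the server certificate.
# Everything lives under one scratch directory. Requires only the openssl CLI.
set -eu

# make_test_ca <workdir> <fqdn> <ca-passphrase>
# Creates the CA (if not there yet), a server key and CSR for <fqdn>, signs
# the CSR with the CA and verifies the chain. Returns non-zero on failure.
make_test_ca() {
    workdir=$1; host=$2; capass=$3
    domain=${host#*.}                  # www.example.test -> example.test
    cadir=$workdir/ca; cnf=$cadir/openssl.cnf

    mkdir -p "$cadir/newcerts" "$cadir/private" "$workdir/server" || return 1
    chmod 700 "$cadir/private"         # CA key readable by its owner only
    [ -f "$cadir/index.txt" ] || : > "$cadir/index.txt"
    [ -f "$cadir/serial" ]    || echo 01 > "$cadir/serial"

    # Self-contained openssl.cnf (constructed for this example);
    # \$dir is left unexpanded so OpenSSL resolves it per section.
    cat > "$cnf" <<EOF
[ ca ]
default_ca      = test_ca

[ test_ca ]
dir             = $cadir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/private/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_cn
x509_extensions = server_cert

[ policy_cn ]
commonName      = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF

    # 1. CA key and self-signed CA certificate. The key is encrypted with the
    #    passphrase (the thread's script passes -nodes here, i.e. no passphrase).
    if [ ! -f "$cadir/private/ca.key" ]; then
        openssl req -new -x509 -newkey rsa:2048 -days 365 \
            -config "$cnf" -extensions ca_ext \
            -subj "/CN=Test CA for $domain" \
            -passout "pass:$capass" \
            -keyout "$cadir/private/ca.key" -out "$cadir/ca.crt" || return 1
    fi

    # 2. Server key (unencrypted so httpd can start unattended) and CSR.
    openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
        -subj "/CN=$host" \
        -keyout "$workdir/server/server.key" \
        -out "$workdir/server/server.csr" || return 1

    # 3. Sign the CSR with the CA; -batch answers the y/n prompts.
    openssl ca -batch -notext -config "$cnf" -passin "pass:$capass" \
        -out "$workdir/server/server.crt" \
        -infiles "$workdir/server/server.csr" || return 1

    # 4. Check the chain before installing anything into ssl.crt/ssl.key.
    chain_verifies "$cadir/ca.crt" "$workdir/server/server.crt"
}

# chain_verifies <ca.crt> <server.crt>: 0 if the CA issued the server cert.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_has_san <server.crt> <fqdn>: 0 if the certificate carries DNS:<fqdn>.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Stand-alone use: sh mkca.sh /tmp/testca www.example.test 'a passphrase'
if [ $# -eq 3 ]; then
    make_test_ca "$1" "$2" "$3" && echo "issued $2; chain verifies"
fi
```

The important differences from the test script in the thread are the encrypted CA key (so a copied ca.key alone cannot issue certificates), the explicit -config on every call (so the script does not depend on whichever openssl.cnf happens to be the default), and the verify step, which catches a mismatched CA before httpd ever loads the files.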