On Mon, Jul 03, 2006 at 10:47:04AM +0200, Joachim Schipper wrote:
> On Sun, Jul 02, 2006 at 10:32:12PM +0200, FTP wrote:
> > On Tue, Jun 27, 2006 at 05:03:52PM +0200, FTP wrote:
> > > when I try to access the site via lynx I do get an SSL error message
> > > moaning that I have a self-signed cert. After accepting this, the
> > > page gets displayed. So it looks like the problem is with the CA?
> > > How do I correct that? I found a reference in
> > > "manual/mod/mod_ssl/ssl_faq.html#ToC24" but it mentions a "sign.sh"
> > > script which isn't present in the OBSD package.
> >
> > any chance to draw some attention to the above?
>
> There are two basic solutions:
> 1. Get a certificate from a commercial CA - Verisign, Thawte,
> and the like. This will be trusted by default in most applications,
> especially browsers.
> 2. Create your own certificate, or whole CA chain. In this case,
> you'll have to tell applications and visitors to accept the certificate.
> I created my own CA, and had it sign one certificate per service. The
> users then import the CA (in the ideal world) or just click 'accept
> always' or the equivalent in their browser/mail client/... (in the real
> world). [1]
>
> If you want to go with the second option, Google has lots of HOWTOs.
> It's not too difficult, but it does cost some work - and, being crypto,
> finding out just why it doesn't work is not trivial.
>
> Joachim
>
> [1] And then complain when the certificate expires. Well, the CA has a
> much longer lifetime...
but I was following the procedure described in:
http://openbsd.org/faq/faq10.html#HTTPS
which normally should cover the self-signed cert part as well - or not?

Thanks
George
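Joachim's second option (a private CA that signs one certificate per service), worked through as an added example; this is not code from the OpenBSD FAQ, from the mod_ssl FAQ's missing sign.sh, or from either poster. The CA names, the hostname www.example.com and the scratch directory are assumptions. It uses only openssl(1), and it ends with the two checks a client performs: the certificate chains only to the CA that actually signed it, and only for the name it carries. Until that CA file is imported into the browser, the warning lynx shows is the expected outcome, not a misconfiguration; a single self-signed server certificate with no CA behind it behaves the same way, because the only thing there is to import is the certificate itself.

```shell
#!/bin/sh
# Added example: private CA signing one server certificate, then verification
# as a client would do it. Names, paths and lifetimes are assumptions.
set -eu

# Nothing to do without openssl(1) (it is in the OpenBSD base system).
command -v openssl >/dev/null 2>&1 || { echo "openssl(1) not found" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)
CA_DAYS=3650                    # the CA outlives its service certs, as the post notes
LEAF_DAYS=365

# make_ca NAME: self-signed root carrying real CA extensions. The CA key is
# only ever used here; it does not belong on the web server.
make_ca() {
    name=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
        -subj "/CN=$name private CA" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
        -days "$CA_DAYS" -sha256 -extfile "$WORK/$name.ext" \
        -out "$WORK/$name.crt" >/dev/null 2>&1
    chmod 600 "$WORK/$name.key"
}

# make_server_cert CA HOST: key and CSR for HOST, signed by CA. CN and SAN
# must be the name users type into the browser or the name check fails.
make_server_cert() {
    ca=$1; host=$2
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" \
        > "$WORK/$host.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" \
        -subj "/CN=$host" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$host.csr" \
        -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -days "$LEAF_DAYS" -sha256 -extfile "$WORK/$host.ext" \
        -out "$WORK/$host.crt" >/dev/null 2>&1
    chmod 600 "$WORK/$host.key"
}

# verify_chain CA HOST: exit 0 when HOST's cert chains to CA, non-zero otherwise.
verify_chain() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# verify_for_name CA HOST NAME: chain check plus the hostname match a browser
# performs against the certificate's subjectAltName.
verify_for_name() {
    openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$3" \
        "$WORK/$2.crt" >/dev/null 2>&1
}

# Walk-through with assumed names.
make_ca ca
make_server_cert ca www.example.com
if verify_chain ca www.example.com; then
    echo "www.example.com chains to our CA"
fi
if ! verify_for_name ca www.example.com mail.example.com; then
    echo "same cert rejected for mail.example.com: name mismatch"
fi
make_ca other
if ! verify_chain other www.example.com; then
    echo "rejected by an unrelated CA: what a browser without our CA sees"
fi
echo "file to import into browsers as a trusted CA: $WORK/ca.crt"
```

Install www.example.com.crt and www.example.com.key on the web server and hand out ca.crt for import; ca.key stays offline. When the service certificate expires after LEAF_DAYS, re-run make_server_cert against the same CA and nobody has to import anything again, which is the point of footnote [1] above.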