After doing a lot of head banging, i was able to get it working (so far)
# openssl version OpenSSL 0.9.7j 04 May 2006 # uname -a OpenBSD ironhost.fistofiron.com 4.2 GENERIC#375 i386 # this setting causes lot of errors, hence i have commented it. #prompt = no # this option is generating lot of errors. I referred my sites especially: http://www.faqs.org/docs/securing/chap24sec196.html below is working fine: # # cat openssl.cnf # # OpenSSL example configuration file. # This is mostly being used for generation of certificate requests. # Plus, # I have configured it for generating CA cert too. # RANDFILE = /dev/arandom dir = /etc/ssl # working dir for all operations [ ca ] # section for CA settings default_ca = CA_default # default CA settings section title [ CA_default ] # default settings for CA certs = $dir/certs # dir to keep issued certificates new_certs_dir = $dir/ca.db.certs # dir for new certs crl_dir = $dir/crl # dir for issued cert revoc lists serial = $dir/ca.db.serial # file contains the current serial no. database = $dir/ca.db.index # certificate database index file crl = $dir/crl.pem # the current CRL certificate = $dir/certs/ca.crt # file containing CA certificate private_key = $dir/private/ca.key # the private key corrosponding # to CA certificate default_days = 3650 # valid for 10 years default_crl_days = 30 # how long before next CRL default_md = sha1 # md5 for older software and is weaker preserve = no # whether to preserve the order of DN # fields to match the order passed in email_in_dn = no policy = policy_match # section to tell which fields in certs # must match that of CA, or are mandetory x509_extensions = usr_cert # directives for CA when signing a cert # Make new requests easier to sign - allow two subjects with same name # (Or revoke the old certificate first.) unique_subject = no # Comment out the following two lines for the "traditional" # (and highly broken) format. nameopt = default_ca certopt = default_ca [ policy_match ] # OIDs that must be same as that of CA countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional # For the 'anything' policy # At this point in time, you must list all acceptable 'object' # types. All values are system default. [ policy_anything ] # all possible options for policy... countryName = optional stateOrProvinceName = optional localityName = optional # this is not in policy_match section organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional ####################################### # the req section is used by openssl req command, it creates and process # certificate requests in PKCS#10 format. also creates self signed certs # for use as root CA. [ req ] # directives to process and create cert requests default_bits = 1024 # key size for new cert request default_keyfile = privkey.pem # def key name for any newely generated cert default_md = sha1 # message digest algorithm default was md5 #prompt = no # this option is generating lot of errors. string_mask = nombstr # permitted characters distinguished_name= req_distinguished_name # suggest was root_ca__distinguished_name attributes = req_attributes # section used when generating cert x509_extensions = v3_ca # section ext to add to self signed cert req_extensions = v3_req # [non CA] Used when requesting certs, # adds more extnsions to cert request ########### # below section not used right now #[ root_ca_distinguished_name ] #commonName = FistOfIron MO #countryName = US #stateOrProvinceName = Missouri #localityName = St.Louis #0.organizationName = fistofiron.org #emailAddress = [EMAIL PROTECTED] ##################### [ req_distinguished_name ] # options needed to generate a certificate # Variable name Prompt string #------------------------- ---------------------------------- countryName = Country Name (2 letter code) countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) localityName = Locality Name (city, district) 0.organizationName = Organization Name (company) organizationalUnitName = Organizational Unit Name (department, division) commonName = Common Name (FQDN, hostname, IP, or your name) commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 #original had 64/sample had 40 # default values for above countryName_default = US stateOrProvinceName_default = Missouri localityName_default = STL, MO 0.organizationName_default = Fist of Iron organizationalUnitName_default = WebMail commonName_default = www.fistofiron.com emailAddress_default = [EMAIL PROTECTED] # we can do this but it is not needed normally :-) #1.organizationName= Second Organization Name (eg, company) #1.organizationName_default= CryptSoft Pty Ltd [ usr_cert ] # options used by CA to sign other certs - called by ca_default section # These extensions are added when 'ca' signs a request. # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. basicConstraints=CA:FALSE # false meaning this cert cannot be used as CA cert # to sign other certs, for e.g. # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash # specifies how to identify the key being certified/signed authorityKeyIdentifier=keyid,issuer:always # how to identify the pub key used to verfy sign # on this (user) key nsComment = OpenSSL_from_Fist_Of_Iron nsCaRevocationUrl = https://www.fistofiron.com/ca-crl.pem # revoc url for the root CA cert #nsBaseUrl #nsRevocationUrl #nsRenewalUrl #nsCaPolicyUrl #nsSslServerName [ v3_ca ] # options used for creating CA cert - called by req section # Extensions for a typical CA # PKIX recommendation. subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always # This is what PKIX recommends but some broken software chokes on critical # extensions. #basicConstraints = critical,CA:true # So we do this instead. basicConstraints = CA:TRUE # commented out defaults... #keyUsage= cRLSign,keyCertSign #although typical for a CA #nsCertType= sslCA,emailCA #subjectAltName = email:copy #even though recommanded by PKIX #issuerAltName = issuer:copy #even though recommanded by PKIX #obj = DER:02:03 #experts only. introduces an ext in Hex with DER [ v3_req ] # options used for adding a certificate request. basicConstraints = CA:FALSE # meaning this cert is not for doing CA job subjectKeyIdentifier = hash # how to identify this cert [ req_attributes ] challengePassword = A challenge password # displays this text challengePassword_min = 4 # min length allowed challengePassword_max = 20 # max length allowed unstructuredName = optional company name # displays this text [ x509v3_extensions ] # these are used to sign or request certs nsCaRevocationUrl = http://www.fistofiron.com/ca-crl.pem nsComment = "Fist of Iron owns its own CA and signs its own certs" # under ASN.1, the 0 bit would be encoded as 80 nsCertType = 0x40 #nsBaseUrl #nsRevocationUrl #nsRenewalUrl #nsCaPolicyUrl #nsSslServerName #nsCertSequence #nsCertExt #nsDataType # sign.sh is used to sign certificate, but if you read closely you might not need this file..... just commands would do as our config file is very extensive.... # cat sign.sh #!/bin/sh ## ## sign.sh -- Sign a SSL Certificate Request (CSR) ## Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved. ## # argument line handling CSR=$1 if [ $# -ne 1 ]; then echo "Usage: sign.sign <whatever>.csr"; exit 1 fi if [ ! -f $CSR ]; then echo "CSR not found: $CSR"; exit 1 fi case $CSR in *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;; * ) CERT="$CSR.crt" ;; esac # make sure environment exists if [ ! -d ca.db.certs ]; then mkdir ca.db.certs fi if [ ! -f ca.db.serial ]; then echo '01' >ca.db.serial fi if [ ! -f ca.db.index ]; then cp /dev/null ca.db.index fi # create an own SSLeay config cat >ca.config <<EOT [ ca ] default_ca = CA_own [ CA_own ] dir = /etc/ssl certs = /etc/ssl/certs new_certs_dir = /etc/ssl/ca.db.certs database = /etc/ssl/ca.db.index serial = /etc/ssl/ca.db.serial RANDFILE = /dev/arandom certificate = /etc/ssl/certs/ca.crt private_key = /etc/ssl/private/ca.key default_days = 365 default_crl_days = 30 default_md = sha1 preserve = no policy = policy_anything [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional EOT # sign the certificate echo "CA signing: $CSR -> $CERT:" openssl ca -config ca.config -out $CERT -infiles $CSR echo "CA verifying: $CERT <-> CA cert" openssl verify -CAfile /etc/ssl/certs/ca.crt $CERT # cleanup after SSLeay rm -f ca.config rm -f ca.db.serial.old rm -f ca.db.index.old # die gracefully exit 0 # Now to create http server certs, CA cert and sign the http server cert: 1. config openssl.cnf 2. config sign.sh 3. Create a RSA private key protected with a passphrase for your lighthttpd Server. # openssl genrsa -des3 -out httpsrvr.key 1024 file generated: -rw-r--r-- 1 root wheel 963 Dec 9 22:19 httpsrvr.key 4. Generate a Certificate Signing Request CSR with the server RSA private key. # openssl req -new -key httpsrvr.key -out httpsrvr.csr file produced: -rw-r--r-- 1 root wheel 818 Dec 9 22:23 httpsrvr.csr 5. Create a RSA private key for your CA. # openssl genrsa -des3 -out ca.key 1024 file generated: -rw-r--r-- 1 root wheel 963 Dec 9 22:36 ca.key 6. Create a self-signed CA certificate x509 structure with the RSA key of the CA. # openssl req -new -x509 -days 365 -key ca.key -out ca.crt file(s) generated: -rw-r--r-- 1 root wheel 1025 Dec 9 22:40 ca.crt 7. moved some files: # mv httpsrvr.key ca.key private/ # mv ca.crt certs/ # 8. sign a certificate request: ./sign.sh httpsrvr.csr files generated: -rw-r--r-- 1 root wheel 2794 Dec 10 14:57 httpsrvr.crt 9. file moved: # mv httpsrvr.crt certs/ 10. these files can be used in httpd.conf file as below: SSLCertificateFile /etc/ssl/certs/httpsrvr.crt (1) SSLCertificateKeyFile /etc/ssl/private/httpsrvr.key (2) Hope it is useful to some. Thank you. -BG ________________________________ ~~Kalyan-mastu~~
