Sorry,
My batch can only generate certificates; it doesn't import them automatically
into web servers.
Also, I've only tested it under Apache, not IIS.
There seems to be a problem when using it with Netscape 6.2 and Mozilla 0.9.5.
It works fine with IE6 and Opera 6.0.
I will be happy to get feedback for IIS and/or Netscape/Mozilla.

Very sorry for the poor translation ;-))

My client batch:
***************
@echo off
cls
if "%~4" == "" goto erreur
if "%~3" == "" goto erreur
if "%~2" == "" goto erreur

if "%~1" == "client"  goto commun
if "%~1" == "server" (goto commun) else goto erreur

:erreur
echo Usage:
echo %0 [client, server] ["Full Name", URL] ["Description of function", "organisation"] [E-mail]
goto end

:commun
  cd "c:\web services\openssl\bin"
  REM One-off request configuration. The "field =" lines are the (blank) prompts,
  REM the "field_value" lines fix each DN value so openssl req does not ask for it.
  echo [ req ]                                      > client-cert.conf
  echo default_bits = 2048                         >> client-cert.conf
  echo default_keyfile = %~2.key                   >> client-cert.conf
  echo distinguished_name = req_distinguished_name >> client-cert.conf
  echo string_mask = nombstr                       >> client-cert.conf
  echo req_extensions = v3_req                     >> client-cert.conf
  echo [ req_distinguished_name ]                  >> client-cert.conf
  echo 0.organizationName =                        >> client-cert.conf
  echo 0.organizationName_value = your organisation>> client-cert.conf
  echo organizationalUnitName =                    >> client-cert.conf
  echo organizationalUnitName_value = %~3          >> client-cert.conf
  echo commonName =                                >> client-cert.conf
  echo commonName_value = %~2                      >> client-cert.conf
  echo commonName_max = 64                         >> client-cert.conf
  echo emailAddress =                              >> client-cert.conf
  echo emailAddress_value = %~4                    >> client-cert.conf
  echo emailAddress_max = 40                       >> client-cert.conf
  REM These extensions only go into the CSR. "openssl ca" ignores CSR extensions
  REM unless copy_extensions is set in signature.conf; otherwise the certificate
  REM gets whatever x509_extensions signature.conf names. nsCertType is the
  REM Netscape-era extension; current browsers look at extendedKeyUsage = clientAuth.
  echo [ v3_req ]                                  >> client-cert.conf
  echo nsCertType = client,email,objsign           >> client-cert.conf
  echo basicConstraints = critical, CA:false       >> client-cert.conf
  echo.

  echo Private key generation for %~1
  REM The key is written unencrypted; protect ssl.key\ or add -des3 if it stays on disk.
  openssl genrsa -out "./ssl.key/%~2.key" 2048 -rand "../seed.rnd"
  echo.

  echo Certificate request for %~1
  openssl req -new -config "client-cert.conf" -key "./ssl.key/%~2.key" -out "./ssl.csr/%~2.csr"
  echo.

  echo Signing of the certificate request for %~1 by the CA
  REM signature.conf (not shown) must name the CA key/cert and the CA database
  REM (index.txt, serial, new_certs_dir). 9999 days is about 27 years.
  openssl ca -batch -config "signature.conf" -days 9999 -out "./ssl.crt/%~2.crt" -in "./ssl.csr/%~2.csr"
  echo.

  echo Certificate export for %~1 as PEM X.509
  openssl x509 -in "./ssl.crt/%~2.crt" -outform PEM -out "./ssl.pem/%~2.pem"
  echo.

  echo Signed certificate check for %~1
  openssl verify -CAfile "./ssl.crt/ca.crt" "./ssl.crt/%~2.crt"
  echo.

  del /Q client-cert.conf
goto %~1

:client
  echo PKCS#12 export of the certificate for %~1
  REM Bundles the client certificate, its private key and the CA certificate for browser import.
  openssl pkcs12 -export -in "./ssl.crt/%~2.crt" -inkey "./ssl.key/%~2.key" -certfile "./ssl.crt/ca.crt" -name "%~2" -caname "MARINE NATIONALE" -out "./clientcert/%~2.p12"
  echo.
goto end

:server
  echo.
goto end

:end
  echo.
  echo End of batch.
  echo Thanks for using it.
  echo Contacts: [EMAIL PROTECTED]
***************

My CA batch (found on the net)
***************
@echo off
REM Create the CA elements. Do it only ONE time.
REM The configuration files are the default ones shipped with openssl.
cd "c:\web services\openssl\bin"
REM CA private key, 3DES-encrypted: the pass phrase is asked for at every signing.
openssl genrsa -des3 -out "./ssl.key/ca.key" 2048 -rand ../seed.rnd

REM Optional: a request for the CA key. A self-signed root does not need one,
REM the next command signs the certificate directly from the key.
openssl req -new -config root-ca.conf -key "./ssl.key/ca.key" -out "./ssl.csr/ca.csr"

REM Self-signed root certificate, valid 9999 days (about 27 years).
openssl req -new -x509 -days 9999 -config root-ca.conf -key "./ssl.key/ca.key" -out "./ssl.crt/ca.crt"

openssl x509 -in "./ssl.crt/ca.crt" -outform PEM -out "./ssl.pem/ca.pem"
***************

My VirtualHost:
***************
NameVirtualHost 127.0.0.1:443

<IfModule mod_ssl.c>
  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl    .crl

  SSLPassPhraseDialog  builtin

  # Only one SSLSessionCache setting takes effect; a later "SSLSessionCache none"
  # would silently disable the dbm cache configured here.
  SSLSessionCache         dbm:logs/ssl/ssl_scache
  SSLSessionCacheTimeout  300

  SSLMutex  sem
  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin
  SSLLog      logs/systeme.localhost/SSL.log
  SSLLogLevel info

  <VirtualHost 127.0.0.1:443>
    ServerAdmin admin@localhost
    ServerName systeme.localhost
    DocumentRoot "d:/inetpub/wwwroot/systeme"
    DirectoryIndex index.php
    <Directory "d:/inetpub/wwwroot/systeme/">
      Order allow,deny
      Allow from localhost
    </Directory>

    ErrorLog                logs/systeme.localhost/error.log
    CustomLog               logs/systeme.localhost/access.log common
    CustomLog               logs/systeme.localhost/ssl_request.log "%t %h %l %u %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
             #"%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\""
    SSLEngine               On
    # The old mod_ssl default cipher list: it still offers export, LOW and
    # NULL-encryption suites and SSLv2. Only the SSLRequire under <Location />
    # below rejects EXP/NULL connections, and only for that location.
    SSLCipherSuite          ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLOptions              +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
    SSLLog                  logs/systeme.localhost/ssl.systeme.localhost.log
    SSLLogLevel             info
    SSLCertificateFile      "c:/web services/Apache/conf/ssl.crt/systeme.localhost.crt"
    SSLCertificateKeyFile   "c:/web services/Apache/conf/ssl.key/systeme.localhost.key"
    SSLCertificateChainFile "c:/web services/Apache/conf/ssl.crt/ca.crt"
    # CA certificates trusted for client authentication. The *Path variants need
    # hash-named files or symlinks (c_rehash / "openssl x509 -hash"); the *File
    # variant does not.
    SSLCACertificatePath    "c:/web services/Apache/conf/ssl.crt"
    SSLCACertificateFile    "c:/web services/Apache/conf/ssl.crt/ca.crt"
    SSLCARevocationPath     "C:/web services/Apache/conf/ssl.crl"
    <Files ~ "\.(cgi|shtml|phtml|php?)$">
      SSLOptions +StdEnvVars
    </Files>

    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

    <Location />
      Order deny,allow
      Deny from all
      Allow from localhost
      # A client certificate is mandatory and must chain to one of the CA
      # certificates above. Depth 10 is generous for a single-level CA: depth 1
      # (client certificate signed directly by a trusted CA) is enough here.
      SSLVerifyClient        require
      SSLVerifyDepth         10
      SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
                  and %{SSL_CLIENT_S_DN_CN} eq "Jean Baptiste FAVRE" \
                  and %{REMOTE_ADDR} =~ m/^127\.0\.0\.[0-9]+$/       )
    </Location>

  </VirtualHost>
</IfModule>
***************


----- Original Message -----
From: "Denny" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 12, 2002 4:53 AM
Subject: Re: newbie: Trouble Here (long. ignorable)


> on 2/9/02 12:00 AM, Aakash  Malhotra at [EMAIL PROTECTED]
> wrote:
>
> >
> > Thanks David for your prompt reply
> >
> > I will attempt to download apache for windows and try it. regarding
> > certificates, is there a way to do it in windows ? any howto's or man pages ?
> >
> > thanks again david
> >
> > -aakash
>
>  I've had good luck generating certificates on a box running NT 4, for use
> with our web server (Win2K w/IIS). Someday I'll figure out how to get 'em to
> stop warning everyone they're roll yer owns too.
>
> Unless JB's batch files can do that? Can you even do that? Besides faking
> it's from verity or some such? (Netscape on the mac doesn't get along well
> with my certs because of this. Oh well. Least I can mandate a browser. Still
> bugs me tho...)
>
> Never mind. Just checked, and the latest version of Netscape Communicator
> for the mac doesn't choke on my certificates anymore! YAY!
>
> Just because I'm curious... I know you pay the 'official' signers money, and
> mostly that's for verification of identity... is there something like the
> deal with pgp and the 'open' key-servers?
> I guess SSL where the connection is secure without HAVING to have a
> 'verified' identity? I'm probably way off here as I'm just a dabbler at the
> most, in both SSL and PGP (crypto in general). Heck, I was giddy when
> openSSL compiled without errors on the first attempt (Props on that). And
> when I generated my first loadable cert... that was sheer joy.
>
> There's just something that bothers me about having to pay people to be
> 'trusted'. Maybe you don't have to. Guess yall are the ones who'd know,
> right? Am I missing some obvious bit of whatnot? (quite possible. and
> likely, even) Are there public [trusted] cert-signers? Or does that defeat
> the whole idea with SSL?
>
> Apologies for improper terminology and the like. Also this is just idle
> wondering on my part, that I'll surely get the answers to when I have to
> have 'em. Maybe even before. These aren't burning questions, and private
> replies are kewl. Mostly I just wanted to say 'works great on my Win boxen',
> and give some thanks/props. (;
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
>

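The CA batch and the client batch above, as one added POSIX shell example (not code from the post or its author): it builds the self-signed root, then key, CSR, CA-signed certificate and PKCS#12 bundle for a client, and adds the part the post leaves out, the CA database (index.txt, serial, newcerts/) that "signature.conf" has to point at. It also puts extendedKeyUsage = clientAuth into the issued certificate, which browsers check today where nsCertType used to suffice. The directory layout, "Example Org", the user name jbf, the export password and the openssl binary on PATH are all assumptions of this example.

```sh
#!/bin/sh
# Added example, not the post's code: CA -> key/CSR -> signed certificate ->
# PKCS#12, mirroring the two batch files, plus the CA database that
# "signature.conf" in the post relies on but does not show. Paths, names and
# the export password are illustrative assumptions.

# make_ca DIR [CA-CN]: self-signed root CA plus the database `openssl ca` needs.
# The CA key is unencrypted so the script runs unattended; the post's -des3 is
# the better choice for a CA key that stays on a workstation.
make_ca() {
    ca="$1"; cn="${2:-Demo Root CA}"
    mkdir -p "$ca/ssl.key" "$ca/ssl.csr" "$ca/ssl.crt" "$ca/clientcert" "$ca/newcerts"
    : > "$ca/index.txt"        # empty issued-certificate database
    echo 01 > "$ca/serial"     # next serial number
    cat > "$ca/ca.conf" <<EOF
[ req ]
prompt             = no
distinguished_name = ca_dn
x509_extensions    = ca_ext
[ ca_dn ]
commonName         = $cn
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
database           = $ca/index.txt
new_certs_dir      = $ca/newcerts
serial             = $ca/serial
certificate        = $ca/ca.crt
private_key        = $ca/ca.key
default_md         = sha256
default_days       = 365
policy             = policy_loose
[ policy_loose ]
commonName         = supplied
organizationName   = optional
emailAddress       = optional
[ client_ext ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth, emailProtection
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
    openssl genrsa -out "$ca/ca.key" 2048 &&
    openssl req -new -x509 -days 3650 -config "$ca/ca.conf" -key "$ca/ca.key" -out "$ca/ca.crt"
}

# issue_client DIR NAME EMAIL [P12-PASSWORD]: the steps of the client batch.
# Extensions are applied from client_ext at signing time: `openssl ca` ignores
# the extensions in a CSR unless copy_extensions is set, so a request-only
# config (as in the client batch) does not by itself shape the certificate.
issue_client() {
    ca="$1"; name="$2"; email="$3"; pw="${4:-changeit}"
    cat > "$ca/$name-req.conf" <<EOF
[ req ]
prompt             = no
distinguished_name = req_dn
[ req_dn ]
organizationName   = Example Org
commonName         = $name
emailAddress       = $email
EOF
    openssl genrsa -out "$ca/ssl.key/$name.key" 2048 &&
    openssl req -new -config "$ca/$name-req.conf" -key "$ca/ssl.key/$name.key" \
        -out "$ca/ssl.csr/$name.csr" &&
    openssl ca -batch -notext -config "$ca/ca.conf" -extensions client_ext \
        -in "$ca/ssl.csr/$name.csr" -out "$ca/ssl.crt/$name.crt" &&
    openssl pkcs12 -export -in "$ca/ssl.crt/$name.crt" -inkey "$ca/ssl.key/$name.key" \
        -certfile "$ca/ca.crt" -name "$name" -passout "pass:$pw" \
        -out "$ca/clientcert/$name.p12" &&
    rm -f "$ca/$name-req.conf"
}

# cert_is_trusted CA-CRT CERT: 0 only if CERT chains to CA-CRT (the post's
# "Signed Certificate Check"); a certificate from any other CA must fail.
cert_is_trusted() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# cert_has_client_auth CERT: 0 if extendedKeyUsage includes clientAuth.
cert_has_client_auth() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# p12_cert_count P12 PASSWORD: certificates in the bundle (client + CA = 2).
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Stand-alone run: `sh client_ca.sh demo` builds a CA and one client in a temp dir.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_ca "$work/ca" && issue_client "$work/ca" jbf jbf@example.invalid secret &&
    cert_is_trusted "$work/ca/ca.crt" "$work/ca/ssl.crt/jbf.crt" &&
    echo "jbf.crt verifies against ca.crt; bundle: $work/ca/clientcert/jbf.p12"
fi
```

The `-batch` on `openssl ca` and the `prompt = no` request configs are what make this usable from a script without the blank-prompt trick of the client batch; the negative check (the same certificate fails `openssl verify` against a second, unrelated CA) is the test an `SSLVerifyClient require` deployment actually depends on.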

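The client-authentication virtual host from the post, as an added configuration example (not the poster's own file) that puts the weak cipher setting next to a tightened one. Host name, paths and the CN are placeholders taken from the post; the directives are the Apache 1.3/2.0 mod_ssl ones the post already uses.

```apache
# Added example, not the configuration from the post. Placeholders throughout.
<IfModule mod_ssl.c>
  <VirtualHost 127.0.0.1:443>
    ServerName   systeme.localhost
    DocumentRoot "d:/inetpub/wwwroot/systeme"
    SSLEngine    On

    # Weak (the old mod_ssl default used in the post): export, LOW and
    # NULL-encryption suites and SSLv2 are all offered in the handshake; the
    # SSLRequire below then has to reject EXP/NULL afterwards, and only under /.
    #SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    # Tightened: anonymous DH, NULL, export and LOW suites and SSLv2 are never
    # offered, so the SSL_CIPHER test in SSLRequire becomes a second line of
    # defence instead of the only one.
    SSLProtocol     all -SSLv2
    SSLCipherSuite  HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2

    SSLCertificateFile    "c:/web services/Apache/conf/ssl.crt/systeme.localhost.crt"
    SSLCertificateKeyFile "c:/web services/Apache/conf/ssl.key/systeme.localhost.key"
    # Trust anchor for client certificates: the self-signed ca.crt from the CA batch.
    SSLCACertificateFile  "c:/web services/Apache/conf/ssl.crt/ca.crt"

    # Client certificate required for the whole host, not only one Location.
    # Depth 1 = client certificate signed directly by a trusted CA; raise it
    # only when intermediate CAs are introduced.
    SSLVerifyClient require
    SSLVerifyDepth  1

    <Location />
      Order deny,allow
      Deny from all
      Allow from localhost
      SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
                  and %{SSL_CLIENT_S_DN_CN} eq "Jean Baptiste FAVRE" \
                  and %{REMOTE_ADDR} =~ m/^127\.0\.0\.[0-9]+$/ )
    </Location>
  </VirtualHost>
</IfModule>
```

The DN check in SSLRequire is only as strong as the CA that issued the certificate: anyone who can get the CA in ca.crt to sign a certificate with that CN passes, so the CA key from the CA batch (and its pass phrase) is the real secret here, not the CN.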