Thank you! But now I'm spending my time with another issue with this: I
cannot create a certificate longer than 1 month:
This is my CA certificate validity:
...
Not Before: Aug 3 10:07:14 2011 GMT
Not After : Aug 2 10:07:14 2012 GMT
...
This is my server's certificate validity (created today):
...
Not Before: Aug 4 07:27:29 2011 GMT
Not After : Sep 3 07:27:29 2011 GMT
...
The server certificate was created by the command:
openssl req -new -key server.key -out server.csr -days 365
As you can see, the "-days X" did not help...
Thank you
On Thu, 4 Aug 2011, yyy wrote:
Everything seems to be fine, only for new installations it is recommended to use
at least a 2048-bit key,
and, at least some time ago, openssl used to default to MD5 for certificate
signatures;
check that this is not the case.
Quoting Tomas Macek <ma...@fortech.cz>:
We have some web servers and I want to create self signed certificates for
them.
What do I want:
- I want to create my own certification authority keys and
certificate, that will be imported to all web browsers of our employees
- I want to create certificates, that will be signed by my own
certification authority (previous step) and include them to the
apache/httpd configuration. I don't want our employees to be warned that
the certificate is not trusted (I cannot buy a REAL trusted certificate)
Reading FAQ here http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29,
reading CA.pl from openssl-perl and discussions on inet for 2 days
gave me these steps, that I already performed:
1) creating my own CA:
openssl genrsa -des3 -out ca.key 1024
openssl rsa -in ca.key -out ca.key.unsecure
mv ca.key.unsecure ca.key
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
2) creating my own server key and certification request:
openssl genrsa -des3 -out server.key 1024
openssl rsa -in server.key -out server.key.unsecure
mv server.key.unsecure server.key
openssl req -new -key server.key -out server.csr
3) signing the request by my own CA (see step 1):
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl > server.crt
4) I have imported the ca.crt into the web browser
5) the server.key and server.crt were included to the apache/httpd
configuration
After these steps the web page looks secured and no warning appears when I
enter the page.
Question:
---------------
Do you see any bad thing about these steps or can you please recommend me
any further step in order to make things properly?
Best regards
Tomas
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
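
Added example, not part of any message in this thread: a certificate's lifetime is fixed when the CA signs the request, so `-days` has to be given to the `openssl x509 -req` step, which otherwise issues for 30 days; on `openssl req -new` without `-x509` it has no effect. The sketch also uses 2048-bit keys and an explicit `-sha256` digest, as the reply above advises. File names follow the thread; the subject names, function names and temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Subject names and paths are constructed.

# sign_server DIR [DAYS]: build a CA and a CA-signed server certificate in DIR.
# With DAYS empty, the signing step falls back to its own default lifetime.
# Runs in a subshell so the caller's working directory is left alone.
sign_server() (
    set -e
    dir=$1; days=$2
    mkdir -p "$dir"; cd "$dir"
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 365 -key ca.key \
        -subj "/CN=Example Internal CA" -out ca.crt
    openssl genrsa -out server.key 2048 2>/dev/null
    # No -days here: a plain CSR carries no validity period.
    openssl req -new -key server.key -subj "/CN=www.example.internal" \
        -out server.csr
    # The lifetime and the signature digest are chosen at signing time.
    openssl x509 -req -sha256 ${days:+-days $days} -in server.csr \
        -CA ca.crt -CAkey ca.key -CAserial ca.srl -CAcreateserial \
        -out server.crt 2>/dev/null
    openssl verify -CAfile ca.crt server.crt >/dev/null
)

# outlives CERT DAYS: succeeds if CERT is still valid DAYS days from now.
outlives() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# sig_alg CERT: print the certificate's signature algorithm.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

work=$(mktemp -d)
sign_server "$work/default" && sign_server "$work/year" 365
for d in default year; do
    if outlives "$work/$d/server.crt" 31; then r="still valid"; else r="expired"; fi
    echo "$d: 31 days from now $r, signed with $(sig_alg "$work/$d/server.crt")"
done
```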