There is a Makefile in /usr/share/ssl/certs for generating all kinds of stuff with openssl (csr's, certs, CA, keys, etc). You can use the makefile by running, in that directory... "make ANYNAME.crt"
where ANYNAME is what you want the crt and key files to start with (I like to use the server name). This will generate a key and then guide you through the steps for generating a crt file. The only problem is, it requires the use of a PEM passphrase, which means every time you restart your webserver you have to be there to type in that password.

If you want to avoid this, you can manually generate the key and make it unencrypted by typing

    /usr/bin/openssl genrsa 1024 > ANYNAME.key

then run "make ANYNAME.crt" as above. Now you'll get guided through generating the crt as before, but it will use an unencrypted private key and you won't have to type the password in each time you restart apache. Of course, using an unencrypted private key has its own nasty implications, which I'll leave to your imagination.

Once you have the crt and key files, you can replace the ones apache uses in the /etc/httpd/conf/httpd.conf file (by default they are server.crt and server.key). You can either point the conf file to the files in /usr/share/ssl/certs, make symlinks from the /etc/httpd/conf directory, copy the files over, etc.; however you want to set it up so that it's intuitive. Once you restart the apache server, you'll be able to go to your site with (hopefully) any browser and remember the certificate permanently. You don't need to create a CA with this configuration, which I like.

A little side note: when you're creating that crt file, make sure when it asks for "Common Name" that you put the name of the site your clients will be pointing to. For instance, if your server's name is "mail.example.com", but you have a DNS CNAME of "webmail.example.com" and that's the name your clients will be using, that must be what you use as the Common Name for your cert. If you use mail.example.com, when people go to your site their browsers will give them an error saying the site name doesn't match the cert name.
Good luck,
Brian

PS - I can rarely remember the syntax for this when necessary, so I often check the /usr/share/ssl/certs/makefile for the openssl lines I need.

-- 
========================================
Brian Smith-Sweeney
Senior Systems Administrator
University of California, Santa Barbara
Physics Department
[EMAIL PROTECTED]
(805)-893-8366
========================================

On Tue, 2003-02-18 at 10:32, Joe Polk wrote:
> Okay, I am currently using the default cert on my Red Hat mail server to
> provide (albeit crude) encryption to my web mail login page. Of course,
> this cert is issued by localhost and will not save, so each visit a user
> is prompted to accept the cert. I want to create a unique cert, but I
> don't need a full-blown Thawte cert or anything. Do I need to create a
> CA? RH7.3 doesn't appear to have CA.pl installed with OpenSSL by
> default. I assume I will need this? Any help would be appreciated.
>
> <<JAV>>
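The procedure Brian describes (unencrypted key, self-signed cert, Common Name set to the hostname the clients type), as an added example that is not part of the original message or of Red Hat's Makefile. It drives openssl non-interactively with -subj instead of the Makefile's prompts, and it adds checks that are easy to get wrong by hand: that the CN really equals the host, that the key is really unencrypted, and that the host is also present as a subjectAltName, which browsers have required instead of the CN for years. The 2048-bit key (the post's 1024 was usual in 2003 and is far too small today), the 365-day lifetime, the -addext line (OpenSSL 1.1.1 or newer) and the file names are this example's choices.

```bash
#!/bin/sh
# Added example, not code from the original post or from Red Hat's Makefile.
# Non-interactive equivalent of the procedure in the message: an unencrypted
# RSA key, a self-signed certificate whose Common Name is the hostname the
# clients type, and checks that the CN, the SAN and the key are what we think.
# The 2048-bit key, 365-day lifetime and -addext SAN line are this example's
# choices, not the post's.
set -eu

# make_selfsigned NAME HOST
#   Writes NAME.key (unencrypted, like "genrsa > ANYNAME.key") and NAME.crt.
#   Browsers now match the requested host against subjectAltName, not the CN,
#   so the same host goes into both.
make_selfsigned() {
    name=$1 host=$2
    openssl genrsa -out "$name.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$name.key" -out "$name.crt" -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host"
}

# cert_subject_cn CERT -> prints the Common Name from the certificate subject
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^[[:space:]]*CN=//p'
}

# cn_matches_host CERT HOST -> success iff the subject CN equals HOST exactly
cn_matches_host() {
    [ "$(cert_subject_cn "$1")" = "$2" ]
}

# san_has_host CERT HOST -> success iff "DNS:HOST" is one of the SAN entries
# (entries are comma separated; split them so a.example.com does not match
# aa.example.com)
san_has_host() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# key_is_unencrypted KEY -> success iff the PEM key carries no passphrase
# (encrypted keys contain "Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY")
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# Stand-alone usage:  sh mkcert.sh webmail webmail.example.com
if [ $# -ge 2 ]; then
    make_selfsigned "$1" "$2"
    cn_matches_host "$1.crt" "$2"  && echo "CN ok:  $(cert_subject_cn "$1.crt")"
    san_has_host    "$1.crt" "$2"  && echo "SAN ok: DNS:$2"
    key_is_unencrypted "$1.key"    && echo "key has no passphrase; chmod 600 $1.key"
    echo "httpd.conf:  SSLCertificateFile    $PWD/$1.crt"
    echo "             SSLCertificateKeyFile $PWD/$1.key"
fi
```

Point httpd.conf's SSLCertificateFile and SSLCertificateKeyFile at the two files (the post's server.crt and server.key), restart apache, and the key is read without a prompt; the price is that anyone who can read the key file can impersonate the site, so it should be owned by root with mode 600.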