SSL Certificates - Quick & Dirty
FedoraForum.org - Fedora Support Forums and Community
  1. #1

    SSL Certificates - Quick & Dirty

    The Quick & Dirty Way to a Self-Signed Server Certificate

    # Remove old key & certificate
    rm /etc/httpd/conf/ssl.key/server.key
    rm /etc/httpd/conf/ssl.crt/server.crt

    # Generate new key with an EMPTY PASSPHRASE!
    # Use "cd /usr/share/ssl/certs; make genkey"
    # instead if you really need a passphrase
    /usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key

    # Set appropriate permissions
    chmod go-rwx /etc/httpd/conf/ssl.key/server.key

    # Now create the new certificate
    cd /usr/share/ssl/certs
    make testcert

    # And restart Apache
    /sbin/service httpd restart

    I always forget this, so I thought I'd post it as a How-To.

    NOTICE: This works on Fedora Core 3. Don't use this on FC4!
    Last edited by pigpen; 8th February 2006 at 03:48 PM. Reason: Update
    /(bb|[^b]{2})/ -- that is the question!
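
The steps from post #1 as an added example, not part of the original post: it generates the key and self-signed certificate with plain `openssl` commands instead of `make testcert`, uses a 2048-bit key rather than 1024, and then checks the result. The function names, the target directory, the CN and the day count are assumptions made for illustration; nothing is written under /etc/httpd.

```shell
#!/bin/sh
# Added example: self-signed test certificate plus sanity checks.
# All names and values here are constructed for illustration.

# make_selfsigned DIR CN DAYS: write DIR/server.key and DIR/server.crt
make_selfsigned() {
    dir=$1 cn=$2 days=$3
    (
        # Set umask before the key exists, so it is never readable by
        # group/other (redirect-then-chmod leaves a short window).
        umask 077
        openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    ) || return 1
    # -x509 emits a self-signed certificate instead of a CSR;
    # -days sets the validity period.
    openssl req -new -x509 -key "$dir/server.key" -days "$days" \
        -subj "/CN=$cn" -out "$dir/server.crt" 2>/dev/null
}

# key_matches_cert KEY CRT: succeed only if both carry the same RSA modulus
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_is_private KEY: succeed if no group/other permission bits are set
key_is_private() {
    case $(ls -l "$1") in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# cert_valid_for CRT SECONDS: succeed if the certificate will still be
# valid SECONDS from now
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}
```

Run `make_selfsigned "$(mktemp -d)" test.example.invalid 30` and pass the resulting files to the three check functions before copying them to the paths Apache is configured to read.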

  2. #2
    Artemis Guest
    This is interesting, I just did a search on the internet about this subject. But it wasn't all clear to me, maybe this will help. Thanks mate!!!

  3. #3
    Excellent! Thanks.

  4. #4
    You don't mention how to create server.crt. Since I can't find the sign.sh that comes with mod_ssl, I'm stuck at that part... about self-signing.
    Windows doesn't just crash - it opens a dialog box and lets you press OK first. Powered by RedHat since I know my self ;) Fedora 12 #379190

  5. #5
    make testcert should create the certificate for you.

  6. #6
    cd /usr/share/ssl/certs - unfortunately I don't have that folder. By the way, can someone provide the sign.sh which is supposed to come with mod_ssl? If so, please attach it to the forum.

    I would really like to complete it that way as a start, then I'll test this "testcert".
    # Prepare a script for signing which is needed because the ``openssl ca'' command has some strange requirements and the default OpenSSL config doesn't allow one easily to use ``openssl ca'' directly. So a script named sign.sh is distributed with the mod_ssl distribution (subdir pkg.contrib/). Use this script for signing.

    # Now you can use this CA to sign server CSR's in order to create real SSL Certificates for use inside an Apache webserver (assuming you already have a server.csr at hand):

    $ ./sign.sh server.csr

    This signs the server CSR and results in a server.crt file.
    source: http://www.modssl.org/docs/2.8/ssl_faq.html#ToC28

  7. #7
    The method described above isn't compatible with the FAQ entry you quote. Don't try to mix them.

    Also, on FC4 the directories for things like these have changed. See http://fedora.redhat.com/docs/releas...4/#sn-security
    Last edited by breun; 1st September 2005 at 12:44 PM.

  8. #8
    this make genkey is not working under /etc/pki....

  9. #9
    what about that method:
    openssl req \
    -new \
    -x509 \
    -days 30 \
    -keyout /usr/local/apache2/conf/ssl.key/server.key \
    -out /usr/local/apache2/conf/ssl.crt/server.crt \
    -subj '/CN=Test-Only Certificate'

  10. #10
    jason_worthen Guest

    Why wouldn't you just use genkey?

    Maybe I don't understand the logic, but isn't it much easier to simply use genkey?

    my params were:

    genkey --days 365 sub.domain.com

  11. #11
    I don't know why I don't have genkey. Also, why should I set it for 1 year? Since it's self-signed, how could it be timeless, or must it have a period set?

  12. #12
    Could someone comment on why that is happening? I get the first two when browsing my web.
    Attached Images
    Last edited by alphonsebrown; 27th June 2005 at 08:46 PM.

  13. #13
    Hi,

    I tried the above howto on a test server and it works, but now I would also like to get a 'real' certificate. Is there a howto on making a CSR (Certificate Signing Request) with FC3/4?

  14. #14
    In case you're wondering, the genkey tool is installed as part of the crypto-utils package. genkey is far and away the easiest way to get yourself an SSL cert.

    yum install crypto-utils

    It walks you through everything you need to do to get a key.

  15. #15
    I wonder why

    make testcert

    does not work anymore under FC1, FC5 and FC6, anyone???

    But it works with FC4.
