The Open Source Swiss Army Knife

/cryptography/mod_ssl_key_generation.txt2
http://www.sirfsup.com/

        THE FOLLOWING WAS GENERATED AFTER INSTALLING MOD_SSL WITH THE APACHE WEB SERVER
        THE DIRECTIONS FOR MOD_SSL WILL TELL YOU TO DO "MAKE CERTIFICATE" 
        THE RESULTS OF DOING SO ARE THESE:

[root@first /root] httpd restart
[root@first /root] cd /usr/local/apache/
[root@first apache]# make certificate
make[1]: Entering directory `/usr/local/apache/src'
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.

Generating test certificate signed by Snake Oil CA [TEST]
WARNING: Do not use this for real-life/production systems


STEP 0: Decide the signature algorithm used for certificate
The generated X.509 CA certificate can contain either
RSA or DSA based ingredients. Select the one you want to use.
Signature Algorithm ((R)SA or (D)SA) [R]:DSA
mkcert.sh:Warning: Invalid selection
Signature Algorithm ((R)SA or (D)SA) [R]:RSA
mkcert.sh:Warning: Invalid selection
Signature Algorithm ((R)SA or (D)SA) [R]:


STEP 1: Generating RSA private key (1024 bit) [server.key]
354405 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus

.....................++++++
.................++++++

e is 65537 (0x10001)


STEP 2: Generating X.509 certificate signing request [server.csr]
Using configuration from .mkcert.cfg
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.


1. Country Name             (2 letter code) [XY]:US
2. State or Province Name   (full name)     [Snake Desert]:Texas
3. Locality Name            (eg, city)      [Snake Town]:
4. Organization Name        (eg, company)   [Snake Oil, Ltd]:
5. Organizational Unit Name (eg, section)   [Webserver Team]:
6. Common Name              (eg, FQDN)      [www.snakeoil.dom]:
7. Email Address            (eg, name@FQDN) [www@snakeoil.dom]:
8. Certificate Validity     (days)          [365]:

STEP 3: Generating X.509 certificate signed by Snake Oil CA [server.crt]
Certificate Version (1 or 3) [3]:
Signature ok
subject=/C=US/ST=Texas/L=Snake Town/O=Snake Oil, Ltd/OU=Webserver Team/CN=www.snakeoil.dom/Email=www@snakeoil.dom
Getting CA Private Key
Verify: matching certificate & key modulus
read RSA key
Verify: matching certificate signature
../conf/ssl.crt/server.crt: /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil CA/Email=ca@snakeoil.dom
error 10 at 1 depth lookup:Certificate has expired
OK


STEP 4: Enrypting RSA private key with a pass phrase for security [server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
PASSPHRASE=snakeEncrypt the private key now? [Y/n]: Y
read RSA key
writing RSA key
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
phrase is too short, needs to be at least 4 chars
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Fine, you're using an encrypted RSA private key.


RESULT: Server Certification Files

o  conf/ssl.key/server.key
   The PEM-encoded RSA private key file which you configure
   with the 'SSLCertificateKeyFile' directive (automatically done
   when you install via APACI). KEEP THIS FILE PRIVATE!

o  conf/ssl.crt/server.crt
   The PEM-encoded X.509 certificate file which you configure
   with the 'SSLCertificateFile' directive (automatically done
   when you install via APACI).

o  conf/ssl.csr/server.csr
   The PEM-encoded X.509 certificate signing request file which
   you can send to an official Certificate Authority (CA) in order
   to request a real server certificate (signed by this CA instead
   of our demonstration-only Snake Oil CA) which later can replace
   the conf/ssl.crt/server.crt file.

WARNING: Do not use this for real-life/production systems

make[1]: Leaving directory `/usr/local/apache/src'
[root@first apache]#

