[CLUE-Tech] apache + ssl + web server cluster + one domain name= nightmare

Jed S. Baer thag at frii.com
Mon Nov 26 18:06:38 MST 2001


On Mon, 26 Nov 2001 17:36:24 -0700
Dan Harris <coronadh at coronasolutions.com> wrote:

> So, now that I have ported my app over to PHP4/Linux I am in need of 
> another method of creating an SSL certificate.  I don't want to pay $$ 
> to Verisign or the like for theirs.  I don't care if it gives the users 
> a message..
> 
> I just need some way to make a FREE (not trial version) certificate for 
> my use..
> 
> Can anyone point me in the right direction for this?
> 
> -Dan Harris
> 

If you go to slashdot, and do a search on "Thawte", you'll find several
pages discussing cert cost, etc. A quick browse reveals:

  http://www.freecert.org
  http://www.pseudonym.org/ssl/ssl_ca.html
  http://www.globalsign.com/digital_certificate/serversign/index.cfm

References also to Equifax being cheaper, and making/signing your own
certs, typical Slashdot stuff. Including these instructions:

<slashdot>
  It's amazingly easy. Get OpenSSL, install it...
  Make your homebrew CA private key:
  openssl genrsa -des3 -out ca.key 1024
  Create your CA self-signed public key:
  openssl req -new -x509 -days 365 -key ca.key -out ca.crt
  OK, you're set up as a homebrew Certificate Authority (CA) and ready to
start signing your own home-brew certs:
  First, create a homebrew private key:
  openssl genrsa -des3 -out server.key 1024
  Create the unsigned public key (AKA certificate signing request) At one
point in the process, it asks for "Your Name" - if this is for personal
identification, then put in your name. However, if this is for a
development web server, then put in the web site address
"dev.www.wherever.com" when it asks for "Your Name"
  openssl req -new -key server.key -out server.csr
  Get the sign.sh script from the Apache mod_ssl distribution, use this to
sign the certificate:
  ./sign.sh server.csr

  There you go, you now have the private (server.key) and public
(server.crt) keys. Install them on your webserver.

  They will work, but your browser will whine about them being signed by
an untrusted source. No problem there, give a copy of ca.crt (NOT
ca.key!!) to any developers using your web server and have them install it
on their machine, from then on, their browser will consider any certs
signed by your homebrew CA key to be valid. To install the cert on IE
browsers, a hint: you do not use your browser to do it, even though there
is an "Install Cert" button on the window that pops up to let you know
that the cert is signed by an unknown CA. Instead, you give them ca.crt,
have them save it to their hard drive, then open up Windows Explorer,
right click on ca.crt, and pick Install Cert from the menu, a Certificate
Wizard will pop up, go with the defaults, then your machine will trust the
homebrew certs.

  The root certificate game has always been just a money scam, especially
for dev certs.
</slashdot>

YMMV ;-)

-- 
  If R is the set of all sets which don't contain themselves,
  does R contain itself? 

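The homebrew-CA recipe quoted above, as an added, non-interactive example; this is not code from the original post or from mod_ssl. It deviates from the 2001 recipe in ways that are this example's own assumptions: 2048-bit keys instead of 1024, no -des3 passphrase on the keys so it runs unattended, -subj instead of the interactive prompts, the mod_ssl sign.sh step replaced by "openssl x509 -req" with the CA key, and a subjectAltName extension added because current browsers ignore the CN and require a SAN. The host name dev.www.wherever.com is the one from the quoted text; the output directory and the CA name are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): the homebrew-CA recipe done
# non-interactively. Assumptions of this example: RSA 2048, unencrypted
# keys, -subj instead of prompts, "openssl x509 -req" instead of mod_ssl's
# sign.sh, and a SAN extension on the server cert.
set -e

# make_homebrew_pki DIR HOSTNAME
# Writes DIR/ca.key, DIR/ca.crt, DIR/server.key, DIR/server.csr and
# DIR/server.crt; returns 0 only if server.crt verifies against ca.crt.
make_homebrew_pki() {
    dir="$1"
    host="$2"
    mkdir -p "$dir"

    # 1. Homebrew CA private key and self-signed CA certificate.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Homebrew Dev CA" 2>/dev/null

    # 2. Server private key and certificate signing request. The CN is the
    #    site address, as the quoted post says; the SAN below is what
    #    browsers actually match against.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$host" 2>/dev/null

    # 3. Sign the CSR with the CA key (stands in for mod_ssl's sign.sh).
    #    The extfile marks the result as an end-entity cert, not a CA,
    #    and carries the SAN.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" \
        > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

    # 4. Check the chain the way a browser that trusts ca.crt would.
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null
}

# Usage (commented out so sourcing this file has no side effects):
# make_homebrew_pki ./homebrew-pki dev.www.wherever.com
# openssl x509 -in ./homebrew-pki/server.crt -noout -text | grep DNS:
```

Install server.key and server.crt on the web server and hand out only ca.crt; ca.key never leaves the machine that signs. Because the server cert is signed by ca.key, anyone who trusts ca.crt will also trust every other cert that key ever signs, which is the reason to keep that key offline and to give the server cert a short lifetime.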