[CLUE-Tech] apache + ssl + web server cluster + one domain name= nightmare

Mike Staver staver at fimble.com
Mon Nov 26 19:15:23 MST 2001


My only suggestion with making your own temp cert is to *not* use the
-des3 option, that way you have to enter a pass phrase each time you
restart apache.  It makes things harder for me anyhow. Also, if you
install Red Hat 7.1 or 7.2 as your OS, and choose to install the apache
and ssl packages, it already has a temp certificate created for you, so
all your users have to do is click by that stupid warning message, and
you've got 128 bit encryption!

"Jed S. Baer" wrote:
> 
> On Mon, 26 Nov 2001 17:36:24 -0700
> Dan Harris <coronadh at coronasolutions.com> wrote:
> 
> > So, now that I have ported my app over to PHP4/Linux I am in need of
> > another method of creating an SSL certificate.  I don't want to pay $$
> > to Verisign or the like for theirs.  I don't care if it gives the users
> > a message..
> >
> > I just need some way to make a FREE (not trial version) certificate for
> > my use..
> >
> > Can anyone point me in the right direction for this?
> >
> > -Dan Harris
> >
> 
> If you go to slashdot, and do a search on "Thawte", you'll find several
> pages discussing cert cost, etc. A quick browse reveals:
> 
>   http://www.freecert.org
>   http://www.pseudonym.org/ssl/ssl_ca.html
>   http://www.globalsign.com/digital_certificate/serversign/index.cfm
> 
> References also to Equifax being cheaper, and making/signing your own
> certs, typical Slashdot stuff. Including these instructions:
> 
> <slashdot>
>   It's amazingly easy. Get OpenSSL, install it...
>   Make your homebrew CA private key:
>   openssl genrsa -des3 -out ca.key 1024
>   Create your CA self-signed public key:
>   openssl req -new -x509 -days 365 -key ca.key -out ca.crt
>   OK, you're set up as a homebrew Certificate Authority (CA) and ready to
> start signing your own home-brew certs:
>   First, create a homebrew private key:
>   openssl genrsa -des3 -out server.key 1024
>   Create the unsigned public key (AKA certificate signing request) At one
> point in the process, it asks for "Your Name" - if this is for personal
> identification, then put in your name. However, if this is for a
> development web server, then put in the web site address
> "dev.www.wherever.com" when it asks for "Your Name"
>   openssl req -new -key server.key -out server.csr
>   Get the sign.sh script from the Apache mod_ssl distribution, use this to
> sign the certificate:
>   ./sign.sh server.csr
> 
>   There you go, you now have the private (server.key) and public
> (server.crt) keys. Install them on your webserver.
> 
>   They will work, but your browser will whine about them being signed by
> an untrusted source. No problem there, give a copy of CA.crt (NOT
> CA.key!!) to any developers using your web server and have them install it
> on their machine, from then on, their browser will consider any certs
> signed by your homebrew CA key to be valid. To install the cert on IE
> browsers, a hint: you do not use your browser to do it, even though there
> is an "Install Cert" button on the window that pops up to let you know
> that the cert is signed by an unknown CA. Instead, you give them CA.crt,
> have them save it to their hard drive, then open up Windows Explorer,
> right click on CA.crt, and pick Install Cert from the menu, a Certificate
> Wizard will pop up, go with the defaults, then your machine will trust the
> homebrew certs.
> 
>   The root certificate game has always been just a money scam, especially
> for dev certs.
> </slashdot>
> 
> YMMV ;-)
> 
> --
>   If R is the set of all sets which don't contain themselves,
>   does R contain itself?
> _______________________________________________
> CLUE-Tech mailing list
> CLUE-Tech at clue.denver.co.us
> http://clue.denver.co.us/mailman/listinfo/clue-tech

-- 

                                -Mike Staver
                                 staver at fimble.com
                                 mstaver at globaltaxnetwork.com
                                 http://www.fimble.com/staver
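The homebrew-CA recipe quoted above, written out as one runnable script. This is an added example, not code from the original thread or from the mod_ssl distribution: it replaces the mod_ssl sign.sh step with openssl's own `x509 -req -CA ... -CAkey ...`, uses 2048-bit keys instead of 1024, skips -des3 on both keys so nothing prompts for a pass phrase (the trade-off Mike describes for the server key; for a real CA key you would want the pass phrase back), and adds a subjectAltName because current browsers match the host name there rather than in the CN. The site name dev.www.wherever.com comes from the quoted instructions; the working directory, the CA's CN, and the file names are assumptions.

```shell
#!/bin/sh
# Added example: homebrew CA plus a server cert signed by it, openssl CLI only.
# Site name is the one from the thread; paths and the CA name are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SITE="${SITE:-dev.www.wherever.com}"   # the one public name the cluster answers to

make_ca() {
    # CA private key. Omitting -des3 leaves it unencrypted so the script can
    # run unattended; for a CA key you actually keep, add -des3 back.
    openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
    # Self-signed CA certificate; -subj answers the interactive prompts.
    openssl req -new -x509 -days 365 -key "$WORKDIR/ca.key" \
        -subj "/CN=Homebrew Dev CA" -out "$WORKDIR/ca.crt"
}

make_server_cert() {
    # Server key WITHOUT -des3: Apache restarts with no pass phrase prompt.
    openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
    # CSR with the web site address as "Your Name" (CN), as the recipe says.
    openssl req -new -key "$WORKDIR/server.key" -subj "/CN=$SITE" \
        -out "$WORKDIR/server.csr"
    # Browsers check the host against subjectAltName, so add it when signing.
    printf 'subjectAltName=DNS:%s\n' "$SITE" > "$WORKDIR/server.ext"
    # Sign the CSR with the homebrew CA (stands in for mod_ssl's sign.sh).
    # -CAcreateserial writes ca.srl next to ca.crt on first use.
    openssl x509 -req -days 365 -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/server.ext" -out "$WORKDIR/server.crt" 2>/dev/null
}

# Exit status 0 when server.crt chains to ca.crt and names the site.
verify_server_cert() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server.crt" >/dev/null \
        && openssl x509 -in "$WORKDIR/server.crt" -noout -text \
           | grep -q "DNS:$SITE"
}

make_ca
make_server_cert
verify_server_cert && echo "server.crt verifies against ca.crt for $SITE"
# Install server.key and server.crt on every node of the cluster (identical
# files, since they all serve $SITE). Hand out ca.crt, never ca.key, to users
# who should trust the homebrew CA.
```

Run it with `WORKDIR=/some/dir sh homebrew-ca.sh`; `openssl verify` returning OK is the check that the chain is what you think it is before you copy the files onto the web servers.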


