[clue] Fwd: materials on SSL [SOLVED]

Mike Bean beandaemon at gmail.com
Thu Jul 11 10:23:02 MDT 2013


Thanks all.  We finally figured this out.  Among other things, what was
complicating the issue was that we had more than one version of openssl on
the system, and what documents we had were hopelessly out of date.   Icing
on the cake, it was given to me, someone with little experience with tomcat
OR SSL.    (On the bright side, over the course of learning about all this,
those facts have changed = )

Short answer is exactly what Rossi said it would be.  It doesn't matter if
your cert is self-signed, your CA.key and CA.crt still need to be trusted,
and openssl won't trust a self-signed cert by default unless it is in the
proper directory and is linked to the hash!

Thanks for letting me vent on the mailing list guys, I know I spammed a
little yesterday.

Mike Bean


On Wed, Jul 10, 2013 at 11:29 AM, Rossi Guiliani <rossi at guiliani.me> wrote:

> The point of the CA is that you install that Certificate.  Then it becomes
> a chain of authority.
>
> Root CA <--- this dude is the boss.
>       |
> Intermediate CA - middle manager
>       |
> client cert <-- worker
>
> The Root CA will ALWAYS be self-signed.  Otherwise it is just an
> intermediate CA.  You designate trust to a CA by installing the root CA
> into your /etc/ssl/certs and rehashing.  Then you can verify by adding a
> flag for CAPath in openssl to /etc/ssl/certs.
>
>
>
> On Wed, Jul 10, 2013 at 10:26 AM, Mike Bean <beandaemon at gmail.com> wrote:
>
>> OK, here's what I'm really struggling with.  I'm trying to get SSL going
>> on a redhat-3 box.   I've done enough research to know it's not working
>> because SSL can't find the trusted cert.  I figured out that openssl won't
>> trust a self-signed certificate unless you install it in a specific directory
>> and link the hash.
>>
>> All of which can, at least on paper, be verified by running 'openssl
>> verify cert.file'
>>
>> My question is this.   Does your certificate authority (CA) cert, in and
>> of itself, have to be trusted as well? What about the key?
>>
>> # openssl verify /etc/pki/tls/myca.crt
>> /etc/pki/tls/myca.crt: CN = XXXXXXXXXXXX, emailAddress =
>> XXXXXXXXXXXXXXXXXXXXXXXXXX
>> error 18 at 0 depth lookup:self signed certificate
>>
>>  ---------- Forwarded message ----------
>> From: Mike Bean <beandaemon at gmail.com>
>> Date: Wed, Jul 10, 2013 at 8:42 AM
>> Subject: Re: materials on SSL?
>> To: CLUE's mailing list <clue at cluedenver.org>
>>
>>
>> Here's another good one: http://gagravarr.org/writing/openssl-certs/
>> I know I'm kind of answering my own question as I go here, but I thought
>> I'd share with the group anyway, just in case.
>>
>>
>> On Wed, Jul 10, 2013 at 7:33 AM, Mike Bean <beandaemon at gmail.com> wrote:
>>
>>> This one's great!
>>> http://www.madboa.com/geek/openssl/
>>>
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: Mike Bean <beandaemon at gmail.com>
>>> Date: Wed, Jul 10, 2013 at 7:20 AM
>>> Subject: materials on SSL?
>>> To: CLUE's mailing list <clue at cluedenver.org>
>>>
>>>
>>> Crazy question, I would think it would be all over the place, but I'm
>>> trying to research openssl and certs, and all the reference material
>>> necessary to get started, but I'm finding a surprising lack.  Anyone got
>>> any good SSL/certificates references/material they can recommend?
>>>
>>> Mike Bean
>>>
>>>
>>
>>
>> _______________________________________________
>> clue mailing list: clue at cluedenver.org
>> For information, account preferences, or to unsubscribe see:
>> http://cluedenver.org/mailman/listinfo/clue
>>
>
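Rossi's fix above (put the root CA in the certs directory, link it under its hash, verify with a CApath flag), as an added shell example that is not part of the thread. It assumes an openssl binary on PATH; the CA, the leaf certificate and every path are constructed in a temporary directory, and the trusted directory stands in for /etc/ssl/certs.

```shell
#!/bin/sh
# Added example, not from the thread. It reproduces the "error 18 at 0 depth
# lookup: self signed certificate" failure from the thread and fixes it the way
# Rossi describes: the root CA goes into the CApath directory under a
# hash-named link. Only the certificate is installed; the CA private key is
# never part of the trust store. All names, paths and certs are constructed.
set -e

WORK=$(mktemp -d)
TRUSTED="$WORK/certs"            # stands in for /etc/ssl/certs
UNTRUSTED="$WORK/empty"          # a CApath with nothing in it
mkdir -p "$TRUSTED" "$UNTRUSTED"

# Constructed PKI: a self-signed root (every root is) and a leaf it signs.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=tomcat.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# What c_rehash does for one file: link <subject-hash>.0 -> the PEM file.
# Without this link openssl never finds the CA in the directory, even when
# the file is sitting right there.
install_trusted_ca() {
    subj_hash=$(openssl x509 -noout -hash -in "$WORK/ca.crt")
    cp "$WORK/ca.crt" "$TRUSTED/example-root.pem"
    ln -sf example-root.pem "$TRUSTED/$subj_hash.0"
}

# Print the numeric openssl verify error ("18" self signed, "20" no issuer
# found), or "0" when the certificate verifies against the given CApath.
verify_code() {
    out=$(openssl verify -CApath "$1" "$2" 2>&1) && { echo 0; return; }
    echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1
}

make_pki
echo "CA, no trust dir:       error $(verify_code "$UNTRUSTED" "$WORK/ca.crt")"
echo "leaf, no trust dir:     error $(verify_code "$UNTRUSTED" "$WORK/leaf.crt")"
install_trusted_ca
echo "leaf, CA installed:     error $(verify_code "$TRUSTED" "$WORK/leaf.crt")"
```

The hash-and-link step is what `c_rehash` (or `openssl rehash` on 1.1.0 and later) automates for a whole directory; the lookup fails silently if the link is missing or was built with a different hash scheme.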