Configuring my own CA

on 18.10.2002 03:29:52 by Brian Lavender

I am trying to configure my web server so when user brian attempts
to connect to https://myhost/brian/ it authenticates him via his
certificate and it allows him to view the directory. I successfully
compiled apache + modssl with a test certificate signed by
Snake Oil. So, here goes on the questions.

Do I need to create my own Certificate Authority? If I create my
own CA, how do I get Netscape to use it as a CA? I am using Netscape
4.7 on Solaris. If I create my own CA, does my Apache/modssl server perform
that function?

Do I need to create a certificate for Brian? Does it have to be signed
by the CA?

Here are the answers I came up with so far.

It looks like I need to create a CA and that I can run it on my modssl
alongside the server.crt. Here is how I created the CA:

$ openssl genrsa -des3 -out ca.key 1024

I created a self-signed CA certificate.

$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

So this created my certificate authority certificate.

I created a server.key. The CN for the server.key is the FQDN of
my modssl web server.

$ openssl genrsa -des3 -out server.key 1024

I created a request (server.csr) using that server key.

$ openssl req -new -key server.key -out server.csr

Then I signed the server key with the command:

$ ./sign.sh server.csr

which produced a server.crt file. So, it looks like I have a CA and the
server certificate.

I created a key for myself which I signed using the CA.

$ openssl genrsa -des3 -out brian.key 1024
$ openssl req -new -key brian.key -out brian.csr
$ sign.sh brian.csr

Then I end up with the following files.

brian.crt ca.crt ca.db.serial server.crt
brian.csr ca.db.certs/ ca.key server.csr
brian.key ca.db.index file.p12 server.key

I can't seem to import my key (brian.crt) into my Netscape browser
though. Is there some other format I need to import it into?

brian
--
Brian Lavender
http://www.brie.com/brian/
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: Configuring my own CA

on 18.10.2002 07:00:38 by CorreiJ

Hi Brian

Netscape needs a PKCS12 format.

I emailed the openssl list on 16/10/2002 with subject "Re: CSR/CA
Issued Certificate"
where among other things I show how to create CA, server and client
certificates (not keys) and how to convert them to PKCS12 format and
import them into the browser.

Cheers
Jose


-----Original Message-----
From: Brian Lavender [mailto:brian@brie.com]
Sent: 18 October 2002 03:30
To: modssl-users@modssl.org
Subject: Configuring my own CA

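A worked version of the whole procedure from Brian's post, added here as an example and not code from either message: it builds the CA, issues the server and client certificates, checks that the client certificate really chains to the CA, and then does the PKCS#12 export that Jose's reply says the browser needs in place of a bare .crt. Assumed: openssl on PATH, "openssl x509 -req" standing in for mod_ssl's sign.sh, and the CA name, host name, user name and pass phrase "changeit" are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl on PATH; signing uses
# "openssl x509 -req" instead of mod_ssl's sign.sh; "Example Test CA",
# myhost.example.test, brian and the pass phrase are constructed placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"
DAYS=365
P12PASS="${P12PASS:-changeit}"
# Self-signed CA key and certificate: the issuer the browser must trust.
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days "$DAYS" -key "$WORK/ca.key" \
        -subj "/CN=Example Test CA" -out "$WORK/ca.crt"
}
# Key + CSR for $1 with CN=$2, signed by the CA. The server CN is the FQDN;
# the client CN is the user name mod_ssl can later compare against.
issue_cert() {
    name="$1"; cn="$2"
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -subj "/CN=$cn" \
        -out "$WORK/$name.csr"
    openssl x509 -req -days "$DAYS" -in "$WORK/$name.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$name.crt" 2>/dev/null
}
# Chain check: exit status 0 only if $1.crt really chains to ca.crt.
verify_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null
}
# Browsers import a client identity as PKCS#12 (key + cert + issuer), not as
# a bare .crt. Very old browsers may need the OpenSSL 3 "-legacy" option.
export_p12() {
    openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -certfile "$WORK/ca.crt" -name "$1" -passout "pass:$P12PASS" \
        -out "$WORK/$1.p12"
}
# Prints the subject stored in the .p12, so the export can be checked offline.
p12_subject() {
    openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$P12PASS" -nokeys \
        -clcerts 2>/dev/null | openssl x509 -noout -subject
}
make_ca
issue_cert server myhost.example.test
issue_cert brian brian
verify_cert brian
export_p12 brian
p12_subject brian
```

Point mod_ssl's SSLCACertificateFile at ca.crt and set SSLVerifyClient require in the <Location /brian/> block so the server demands a certificate issued by this CA; a certificate from any other issuer fails the chain check above and the handshake.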