generate a self signed SSL certificate on FC5 to test https

[linux_learner]

I would like to use openSSL to generate a self signed SSL cert to be used on the default HTTPD that comes with FC5. How should I go about doing this?

Thanks.

[ccrvic]

Quote:

Originally Posted by linux_learner

I would like to use openSSL to generate a self signed SSL cert to be used on the default HTTPD that comes with FC5. How should I go about doing this?

If you're not happy following one of the howtos & running openssl from the command line, install Webmin & get the "Certificate Manager" (IIRC) module. Makes life much easier :-)

Vic.

[linux_learner]

Thanks for pointing me to the how-to. I'll search and locate the document.

[pparks1]

Quote:

If you're not happy following one of the howtos

My guess is that you didn't find this very helpful

**********************************************
Here is what I would do; (this should put you on the right track)

Code:

openssl req -new -nodes -out server.csr -keyout server.key
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 999
chmod 600 server.*
cp -a server.crt /etc/pki/tls/certs/
cp -a server.key /etc/pki/tls/private/

Then, edit /etc/httpd/conf.d/ssl.conf

Look for the following;

Code:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Change to

Code:

SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key

Finally, restart apache with

Code:

service httpd restart

[linux_learner]

Thanks for your valuable contribution. I will work on this. This is useful stuff.

[Paavo]

Quote:

Originally Posted by pparks1

Code:

openssl req -new -nodes -out server.csr -keyout server.key
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 999
chmod 600 server.*
cp -a server.crt /etc/pki/tls/certs/
cp -a server.key /etc/pki/tls/private/

Then, edit /etc/httpd/conf.d/ssl.conf

Code:

SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key

THANKS, this was excatly what I was looking for. I wanted to get rid of these error messages in /var/log/httpd/ssl_error_log:

Code:

RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?

I also modified the server name in /etc/httpd/conf.d/ssl.conf:

Code:

# diff ssl.conf ssl.conf.orig
81c81
< <VirtualHost myserver.domain.com:443>
---
> <VirtualHost _default_:443>
85c85
< ServerName myserver.domain.com:443
---
> #ServerName www.example.com:443

-Paavo

[farhad.khan]

I followed this setup in an FC7 box. After setting it all up and restarting apache I can see that the server is listening on port 443 but am not able to access webpages in the server using https. http is working as usual.

Selinux is disabled. Router ports 80 and 443 are forwarded to the linux box.

Any thoughts anyone?

Thanks.

[Paavo]

firewall configuration?

[farhad.khan]

Thanks a lot. It was the linux firewall blocking port 443 It is now working.

[farhad.khan]

Now that it is working, I have another problem ... every time the system boots up and runs httpd it waits at the pass-phrase prompt and does not proceed with the boot until the pass-phrase for httpd has been entered.

Can this pass-phrase be left blank? It did not let me put a blank pass-phrase.

[Paavo]

I followed pparks1's instructions, and I don't need to enter pass-phrase again.

If you try to fix it and want to test if it works or not, doing "/etc/init.d/httpd restart" is much faster than reboot.

[farhad.khan]

OK it worked. Before I had specified an RSA encryption for the local files. That should have been ignored. Also thanks for the quick tip of restarting apache only. I know it but when troubleshooting things like this are easily missed. I had taken httpd out of the active runlevel, so that the prompt for httpd RSA passphrase doesn't block the regular boot.