Fedora Linux Support Community & Resources Center

#1  pigpen, 21st January 2005, 03:53 PM
SSL Certificates - Quick & Dirty

The Quick & Dirty Way to a Self-Signed Server Certificate

Quote:
# Remove old key & certificate
rm /etc/httpd/conf/ssl.key/server.key
rm /etc/httpd/conf/ssl.crt/server.crt

# Generate new key with an EMPTY PASSPHRASE!
# Use "cd /usr/share/ssl/certs; make genkey"
# instead if you really need a passphrase
/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key

# Set appropriate permissions
chmod go-rwx /etc/httpd/conf/ssl.key/server.key

# Now create the new certificate
cd /usr/share/ssl/certs
make testcert

# And restart Apache
/sbin/service httpd restart

I always forget this, so I thought I'd post it as a How-To.

NOTICE: This works on Fedora Core 3. Don't use this on FC4!
__________________
/(bb|[^b]{2})/ -- that is the question!

Last edited by pigpen; 8th February 2006 at 02:48 PM. Reason: Update

#2  Artemis, 21st January 2005, 05:03 PM
This is interesting, I just did a search on the internet about this subject. But it wasn't all clear to me, maybe this will help. Thanx mate!!!
__________________
"Lead the troops into battle like a monkey into space, your unneeded wars will be the death of our race. Not black, not white, no single ethnicity, I mean the death of the race called humanity..." Linux user 372264

Everybody is free to add me on msn or yahoo.

#3  breun, 22nd February 2005, 11:44 PM
Excellent! Thanks.

#4  alphonsebrown, 25th June 2005, 10:57 AM
You don't mention how to create server.crt. Since I can't find the sign.sh that comes with mod_ssl, I'm stuck at that part... about self-signing.
__________________
Windows doesn't just crash - it opens a dialog box and lets you press OK first. Powered by RedHat since I know my self ;) Fedora 12 #379190

#5  breun, 25th June 2005, 01:19 PM
make testcert should create the certificate for you.

#6  alphonsebrown, 25th June 2005, 01:47 PM
cd /usr/share/ssl/certs - unfortunately I don't have that folder. By the way, can someone provide the sign.sh that is supposed to come with mod_ssl? If so, please attach it to the forum.

I would really like to complete it that way as a start, then I'll test this "testcert".
Quote:
# Prepare a script for signing which is needed because the ``openssl ca'' command has some strange requirements and the default OpenSSL config doesn't allow one easily to use ``openssl ca'' directly. So a script named sign.sh is distributed with the mod_ssl distribution (subdir pkg.contrib/). Use this script for signing.

# Now you can use this CA to sign server CSR's in order to create real SSL Certificates for use inside an Apache webserver (assuming you already have a server.csr at hand):

$ ./sign.sh server.csr

This signs the server CSR and results in a server.crt file.
source: http://www.modssl.org/docs/2.8/ssl_faq.html#ToC28
__________________
Windows doesn't just crash - it opens a dialog box and lets you press OK first. Powered by RedHat since I know my self ;) Fedora 12 #379190

#7  breun, 25th June 2005, 02:14 PM
The method described above isn't compatible with the FAQ entry you quote. Don't try to mix them.

Also, on FC4 the directories for things like these have changed. See http://fedora.redhat.com/docs/releas...4/#sn-security

Last edited by breun; 1st September 2005 at 12:44 PM.

#8  alphonsebrown, 25th June 2005, 03:00 PM
This make genkey is not working under /etc/pki....
__________________
Windows doesn't just crash - it opens a dialog box and lets you press OK first. Powered by RedHat since I know my self ;) Fedora 12 #379190

#9  alphonsebrown, 25th June 2005, 03:17 PM
what about that method:
openssl req \
-new \
-x509 \
-days 30 \
-keyout /usr/local/apache2/conf/ssl.key/server.key \
-out /usr/local/apache2/conf/ssl.crt/server.crt \
-subj '/CN=Test-Only Certificate'
__________________
Windows doesn't just crash - it opens a dialog box and lets you press OK first. Powered by RedHat since I know my self ;) Fedora 12 #379190
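
The steps from post #1 and the `openssl req` command from post #9, as an added example (not code from any poster in this thread): it creates a self-signed certificate in a scratch directory and then checks what the thread asks about, namely that issuer and subject are identical, that the key matches the certificate, the key size, the validity period and the key file permissions. Assumptions: the host name www.example.test, the scratch directory, a 2048-bit key instead of the guide's 1024, the subjectAltName entry, and OpenSSL 1.1.1 or later for -addext.

```shell
#!/usr/bin/env bash
# Added example: build a self-signed test certificate in a scratch directory
# and check it. Host name, paths and lifetime below are constructed.
set -eu

make_selfsigned() {            # usage: make_selfsigned DIR HOST DAYS
    ( umask 077                # same effect as the guide's "chmod go-rwx"
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
          -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
          -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null )
}

is_self_signed() {             # issuer and subject are the same name
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

key_matches_cert() {           # usage: key_matches_cert KEY CRT
    [ "$(openssl pkey -in "$1" -pubout)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

key_bits() {                   # RSA modulus size recorded in the certificate
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

valid_for() {                  # usage: valid_for CRT SECONDS
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

key_is_private() {             # no group/other permission bits on the key
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

report() {                     # usage: report DIR
    k="$1/server.key"; c="$1/server.crt"
    is_self_signed "$c" && echo "self-signed: browsers will warn"
    key_matches_cert "$k" "$c" && echo "key matches certificate"
    echo "key size: $(key_bits "$c") bits"
    valid_for "$c" 86400 || echo "expires within 24 hours"
    key_is_private "$k" || echo "WARNING: key readable by group/other"
}

scratch=$(mktemp -d)           # scratch directory, not /etc/httpd/conf
make_selfsigned "$scratch" www.example.test 30
report "$scratch"
```

Because issuer and subject are the same name, no client has a trust path to this certificate until it is imported by hand, which is why browsers show a warning for it.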

#10  jason_worthen, 25th June 2005, 11:07 PM
Why wouldn't you just use genkey?

Maybe I don't understand the logic, but isn't it much easier to simply use genkey?

my params were:

genkey --days 365 sub.domain.com

#11  alphonsebrown, 26th June 2005, 11:12 AM
I don't know why I don't have genkey. Also, why should I set it for 1 year? Since it's self-signed, how could it be timeless, or must it have a period set?
__________________
Windows doesn't just crash - it opens a dialog box and lets you press OK first. Powered by RedHat since I know my self ;) Fedora 12 #379190

#12  alphonsebrown, 27th June 2005, 08:24 PM
Could someone comment on why that is happening? I get the first two when browsing my web.
Attached Thumbnails: Screenshot-Security Warning.png, ssl.jpg, normal ssl.jpg
__________________
Windows doesn't just crash - it opens a dialog box and lets you press OK first. Powered by RedHat since I know my self ;) Fedora 12 #379190

Last edited by alphonsebrown; 27th June 2005 at 08:46 PM.

#13  ivago, 1st September 2005, 09:59 AM
Hi,

I tried the above howto on a test server and it works, but now I would also like to get a 'real' certificate. Is there a howto on making a CSR (Certificate Signing Request) with FC3/4?

#14  sentry, 19th January 2006, 07:55 PM
In case you're wondering, the genkey tool is installed as part of the crypto-utils package. genkey is far and away the easiest way to get yourself an SSL cert.

yum install crypto-utils

It walks you through everything you need to do to get a key.

#15  mnisay, 18th January 2007, 08:41 AM
I wonder why

make testcert

does not work anymore under FC1, FC5 and FC6, anyone???

but works with FC4.