<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Language" content="en" />
<meta name="description" content="Tips for a Debian GNU/Linux System Administrator." />
<meta name="keywords" content="Debian System Administration News, Debian Sysadmin, Linux Administration, Linux Sysadmin, Sysadmin" />
<meta name="copyright" content="(c) 2004-2013 Debian Administration" />
<meta name="author" content="Debian Administration" />
<meta name="robots" content="index,follow" />
<meta name="resource-type" content="document" />
<meta name="classification" content="Personal" />
<meta name="language" content="en" />
<link rel="icon" href="/favicon.ico" />
<link rel="shortcut icon" href="/favicon.ico" />
<link rel="top" title="home" href="/" />
<link rel="stylesheet" type="text/css" media="print, handheld" href="/css/print.css" />
<link rel="stylesheet" type="text/css" href="/css/view.css" media="screen" title="Site Layout" />
<link rel="search" title="Search" href="/about/search" />
<link rel="alternate" title="Debian Administration RSS" href="/articles.rdf" type="application/rdf+xml" />
<link rel="alternate" title="Atom" href="/atom.xml" type="application/atom+xml" />
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<title>Creating and Using a self signed SSL Certificates in debian</title>
</head>
<body>
<div id="header">
<h1><a href="/">Debian Administration</a></h1>
<ul>
<li><a href="/about/Debian%20Administration">About</a></li>
<li><a href="/archive/">Archive</a></li>
<li><a href="/about/Contribute">Contribute</a></li>
<li><a href="/about/FAQ">FAQ</a></li>
<li><a href="/about/Search">Search</a></li>
<li><a href="/tag/">Tags</a></li>
</ul>
</div>
<div id="wrapper">
<div id="content">
<div id="container">
<div id="inner">
<div id="main">
<div class="article">
<!-- headline + section name -->
<h2 class="title">Creating and Using a self signed SSL Certificates in debian</h2>
<div class="tagline"><p>Posted by <a href="/users/Marcus_Redivo">Marcus_Redivo</a> on Thu 3 Nov 2005 at 12:30 </p></div>
<!-- tag start -->
<div class="tags">
<span id="current_tags">Tags:
<a href="/tag/apache" title="Find more content with this tag" rel="tag">apache</a>,
<a href="/tag/certificate" title="Find more content with this tag" rel="tag">certificate</a>,
<a href="/tag/encryption" title="Find more content with this tag" rel="tag">encryption</a>,
<a href="/tag/imap" title="Find more content with this tag" rel="tag">imap</a>,
<a href="/tag/openssl" title="Find more content with this tag" rel="tag">openssl</a>,
<a href="/tag/security" title="Find more content with this tag" rel="tag">security</a>,
<a href="/tag/ssl" title="Find more content with this tag" rel="tag">ssl</a>
</span>
</div>
<!-- tag end -->
<p>This document covers a very specific, limited purpose, but one that meets a common need: preventing browser, mail, and other clients from complaining about the certificates installed on your server. Not covered is dealing with a commercial root certificate authority (CA). Instead, we will become our own root CA, and sign our own certificates.</p>
<p>(These procedures were developed using OpenSSL 0.9.6.)</p>
<b>Quick Start</b>
<p>Those who want to start creating certificates right away without reading this whole document should skip to the summary at the end.</p>
<p>Note: a self-signed cert can be created with the simple command <tt>mod-ssl-makecert</tt>, part of the Debian package <a href="http://packages.debian.org/libapache-mod-ssl">libapache-mod-ssl</a>. </p>
<b>Background</b>
<blockquote>
<p>Why be our own root CA? So that we can take advantage of SSL encryption without spending unnecessary money on having our certificates signed.</p>
<p>A drawback is that browsers will still complain about our site not being trusted until our root certificate is imported. However, once this is done, we are no different from the commercial root CAs.</p>
<p>Clients will only import our root certificate if they trust us. This is where the commercial CAs come in: they purport to do extensive research into the people and organizations for whom they sign certificates. By importing (actually, by the browser vendors incorporating) their trusted root certificates, we are saying that we trust them when they guarantee that someone else is who they say they are. We can trust additional root CAs (like ourselves) by importing their CA certificates. </p>
<p><b>Note</b>: If you are in the business of running a commercial secure site, obtaining a commercially signed certificate is the only realistic choice.</p>
</blockquote>
<b>Prerequisites</b>
<blockquote>
<p>You will need an installed copy of OpenSSL for this, which is available from <a href="http://www.openssl.org/" rel="nofollow">http://www.openssl.org/</a>. Chances are it is already installed on your machine. This document will not cover the installation procedure.</p>
<pre>
> apt-get install openssl
</pre>
</blockquote>
<b>Initial Setup</b>
<blockquote>
<p>First, we will create a directory where we can work. It does not matter where this is; I am arbitrarily going to create it in my home directory. </p>
<pre>
mkdir CA
cd CA
mkdir newcerts private
</pre>
<p>The CA directory will contain: </p>
<ul>
<li>Our Certificate Authority (CA) certificate </li>
<li>The database of the certificates that we have signed </li>
<li>The keys, requests, and certificates we generate </li>
</ul>
<p>It will also be our working directory when creating or signing certificates. </p>
<p>The <tt>CA/newcerts</tt> directory will contain: </p>
<ul>
<li>A copy of each certificate we sign </li>
</ul>
<p>The <tt>CA/private</tt> directory will contain:</p>
<ul>
<li>Our CA private key </li>
</ul>
<p>This key is important: do not lose it. Without it, you will not be able to sign or renew any certificates. Do not disclose this key to anyone. If it is compromised, others will be able to impersonate you.</p>
<p>Our next step is to create a database for the certificates we will sign: </p>
<pre>
echo '01' > serial
touch index.txt
</pre>
<p>Rather than use the configuration file that comes with OpenSSL, we are going to create a minimal configuration of our own in this directory. Start your editor (vi, pico, ...) and create a basic <tt>openssl.cnf</tt>: </p>
<pre>
#
# OpenSSL configuration file.
#
# Establish working directory.
dir = .
</pre>
</blockquote>
<b>Creating a Root Certificate</b>
<blockquote>
<p>With OpenSSL, a large part of what goes into a certificate depends on the contents of the configuration file, rather than the command line. This is a good thing, because there is a lot to specify. </p>
<p>The configuration file is divided into sections, which are selectively read and processed according to openssl command line arguments. Sections can include one or more other sections by referring to them, which helps to make the configuration file more modular. A name in square brackets (e.g. "<tt>[ req ]</tt>") starts each section. </p>
<p>We now need to add the section that controls how certificates are created, and a section to define the type of certificate to create. </p>
<p>The first thing we need to specify is the <tt>Distinguished Name</tt>. This is the text that identifies the owner of the certificate when it is viewed. It is not directly referenced in the configuration file, but is included into the section processed when certificate requests are created. The command is "<tt>openssl req</tt>", so the section is titled <tt>req</tt>.</p>
<p>Add the following to <tt>openssl.cnf</tt>: </p>
<pre>
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
# Variable name Prompt string
#---------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------------ ------------------------------
0.organizationName_default = The Sample Company
localityName_default = Metropolis
stateOrProvinceName_default = New York
countryName_default = US
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
</pre>
<p>In order to protect ourselves from unauthorized use of our CA certificate, it is passphrase protected. Each time you use the CA certificate to sign a request, you will be prompted for the passphrase. Now would be a good time to pick a secure passphrase and put it in a safe place. </p>
<p>All the preparation is now in place for creating our self-signed root certificate. For this, we want to override some of the defaults we just put into the configuration, so we will specify our overrides on the command line. </p>
<p>Our overrides to the "<tt>openssl req</tt>" command are: </p>
<ul>
<li>Create a new self-signed certificate: "<tt>-new -x509</tt>".</li>
<li>Create a CA certificate: "<tt>-extensions v3_ca</tt>".</li>
<li>Make it valid for more than 30 days: "<tt>-days 3650</tt>".</li>
<li>Write output to specific locations: "<tt>-keyout, -out</tt>".</li>
<li>Use our configuration file: "<tt>-config ./openssl.cnf</tt>".</li>
</ul>
<p>(A note on the term of validity of root certificates: When a root certificate expires, all of the certificates signed with it are no longer valid. To correct this situation, a new root certificate must be created and distributed. Also, all certificates signed with the expired one must be revoked, and re-signed with the new one. As this can be a lot of work, you want to make your root certificate valid for as long as you think you will need it. In this example, we are making it valid for ten years.) </p>
<p>Run the command as shown. In this case, the PEM pass phrase it asks for is a new one, which you must enter twice: </p>
<pre>
# openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem \
-out cacert.pem -days 3650 -config ./openssl.cnf
Using configuration from ./openssl.cnf
Generating a 1024 bit RSA private key
.......++++++
..........................++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:demo
Verifying password - Enter PEM pass phrase:demo
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (company) [The Sample Company]:
Organizational Unit Name (department, division) []:CA Division
Email Address []:ca@sample.com
Locality Name (city, district) [Metropolis]:
State or Province Name (full name) [New York]:
Country Name (2 letter code) [US]:
Common Name (hostname, IP, or your name) []:TSC Root CA
</pre>
<p>This process produces two files as output: </p>
<ul>
<li>A private key in <tt>private/cakey.pem </tt>.</li>
<li>A root CA certificate in <tt>cacert.pem</tt>.</li>
</ul>
<p><tt>cacert.pem</tt> is the file you want to distribute to your clients. </p>
<p>The private key (<tt>cakey.pem</tt>) looks like this: </p>
<pre>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0947F49BB28FE5F4

(base64-encoded, encrypted key material omitted)
-----END RSA PRIVATE KEY-----
</pre>
<p>Of course, you don't want to show this to anyone! Needless to say, the one shown here is now useless as a private key. </p>
<p>The certificate (<tt>cacert.pem</tt>) is a PEM file: the base64-encoded certificate between a <tt>-----BEGIN CERTIFICATE-----</tt> line and an <tt>-----END CERTIFICATE-----</tt> line. Unlike the key, it contains nothing secret, so it is safe to show and to distribute. </p>
<p>We can query the contents of this certificate with openssl to learn to whom it belongs, what it is valid for, and so on: </p>
<pre>
openssl x509 -in cacert.pem -noout -text
openssl x509 -in cacert.pem -noout -dates
openssl x509 -in cacert.pem -noout -purpose
</pre>
</blockquote>
<b>Creating a Certificate Signing Request (CSR)</b>
<blockquote>
<p>Now that we have a root certificate, we can create any number of certificates for installation into our SSL applications such as HTTPS, SPOP, or SIMAP. The procedure involves creating a private key and certificate request, and then signing the request to generate the certificate. </p>
<p>Our configuration file needs some more definitions for creating non-CA certificates. Add the following at the end of the file: </p>
<pre>
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
</pre>
<p>To avoid having to repeatedly put this on the command line, insert the following line to the req section after the distinguished_name line as shown: </p>
<pre>
distinguished_name = req_distinguished_name
req_extensions = v3_req
</pre>
<p>Now we are ready to create our first certificate request. In this example, we are going to create a certificate for a secure POP server at <tt>mail.sample.com</tt>. Everything looks the same as when we created the CA certificate, but three of the ensuing prompts get different responses. </p>
<pre>
Organizational Unit: a reminder of what the certificate is for
Email Address: the postmaster
Common Name: the server hostname
</pre>
<p>The Common Name must be (or the IP address must resolve to) the server name your clients use to contact your host. If this does not match, every time they connect your clients will get a message asking them if they want to use this server. In effect, the client software is saying:</p>
<blockquote>
"Warning! You asked for mail.sample.com; the responding machine's certificate is for smtp.sample.com. Are you sure you want to continue?"
</blockquote>
<pre>
openssl req -new -nodes -out req.pem -config ./openssl.cnf
Organizational Unit Name (department, division) []:Mail Server
Email Address []:postmaster@sample.com
Common Name (hostname, IP, or your name) []:mail.sample.com
</pre>
<p>This process produces two files as output: </p>
<ul>
<li>A private key in <tt>key.pem</tt> </li>
<li>A certificate signing request in <tt>req.pem</tt> </li>
</ul>
<p>These files should be kept. When the certificate you are about to create expires, the request can be used again to create a new certificate with a new expiry date. The private key is of course necessary for SSL encryption. When you save these files, meaningful names will help; for example, <tt>mailserver.key.pem</tt> and <tt>mailserver.req.pem</tt>.</p>
<p>The certificate signing request looks like this: </p>
<pre>
-----BEGIN CERTIFICATE REQUEST-----
(base64-encoded request data omitted)
-----END CERTIFICATE REQUEST-----
</pre>
<p>We can view the contents to make sure our request is correct: </p>
<pre>
openssl req -in req.pem -text -verify -noout
</pre>
</blockquote>
<b>Signing a Certificate</b>
<blockquote>
<p>Now we need to add the configuration file section that deals with being a Certificate Authority. This section will identify the paths to the various pieces, such as the database, the CA certificate, and the private key. It also provides some basic default values. Insert the following into <tt>openssl.cnf</tt> just before the req section: </p>
<pre>
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
</pre>
<p>To sign the request we made in the previous step, execute the following and respond to the prompts. Note that you are asked for the PEM passphrase selected earlier: </p>
<pre>
openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem
Using configuration from ./openssl.cnf
Enter PEM pass phrase:demo
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
organizationName :PRINTABLE:'The Sample Company'
organizationalUnitName:PRINTABLE:'Mail Server'
emailAddress :IA5STRING:'postmaster@sample.com'
localityName :PRINTABLE:'Metropolis'
stateOrProvinceName :PRINTABLE:'New York'
countryName :PRINTABLE:'US'
commonName :PRINTABLE:'mail.sample.com'
Certificate is to be certified until Dec 8 04:37:38 2002 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
</pre>
<p>This process updates the CA database, and produces two files as output:</p>
<ul>
<li>A certificate in <tt>cert.pem</tt></li>
<li>A copy of the certificate in <tt>newcerts/.pem </tt></li>
</ul>
<p>Again, you can inspect the certificate: </p>
<pre>
openssl x509 -in cert.pem -noout -text -purpose | more
</pre>
<p>The certificate has both the encoded version and a human-readable version in the same file. You can strip off the human-readable portion as follows: </p>
<pre>
mv cert.pem tmp.pem
openssl x509 -in tmp.pem -out cert.pem
</pre>
</blockquote>
<b>Installing the Certificate and Key</b>
<blockquote>
<p>This depends on the application. Some want the key and the certificate in the same file, and others want them separately. Combining them is easily done with: </p>
<pre>
cat key.pem cert.pem &gt;key-cert.pem
</pre>
<p>After this step, you have three installable components to choose from: </p>
<ul>
<li>A private key in <tt>key.pem</tt>.</li>
<li>A certificate in <tt>cert.pem</tt>.</li>
<li>A combined private key and certificate in <tt>key-cert.pem</tt>.</li>
</ul>
<p>Copy the appropriate files into the locations specified by the instructions for your application and system. Restart the applications, and you are in operation with your new certificate. </p>
<b>Apache </b>
<blockquote>
<p>Apache has separate configuration directives for the key and the certificate, so we keep each in its own file. These files should be kept outside of the DocumentRoot subtree, so a reasonable directory structure might be: </p>
<pre>
File                       Comment
/home/httpd/html           Apache DocumentRoot
/home/httpd/ssl            SSL-related files
/home/httpd/ssl/cert.pem   Site certificate
/home/httpd/ssl/key.pem    Site private key
</pre>
<p>Within the directive for the site (which of course should be on port 443), include the directives that point to these files: </p>
<pre>
ServerName mail.sample.com
DocumentRoot /home/httpd/html
... other directives for this site ...
SSLEngine on
SSLLog /var/log/ssl_engine_log
SSLCertificateFile /home/httpd/ssl/cert.pem
SSLCertificateKeyFile /home/httpd/ssl/key.pem
</pre>
</blockquote>
<b>Stunnel </b>
<blockquote>
<p><tt>stunnel</tt> is used as an SSL wrapper for normal non-secure services such as IMAP and POP. It accepts as arguments (among other things) the service to execute, and the location of the certificate and private key.</p>
<p>The key and the certificate are provided in the same file. These can go anywhere, but a good location might be <tt>/etc/ssl/certs</tt>. Specify it on the stunnel command line as follows:</p>
<pre>
stunnel -p /etc/ssl/certs/key-cert.pem
</pre>
</blockquote>
</blockquote>
<b>Distributing the CA Certificate</b>
<blockquote>
<p>This, finally, is the step that stops the clients from complaining about untrusted certificates. Send <tt>cacert.pem</tt> to anyone who is going to use your secure servers, so they can install it in their browsers, mail clients, et cetera as a root certificate. </p>
</blockquote>
<b>Renewing Certificates</b>
<blockquote>
<p>Your certificate chain can break due to certificate expiry in two ways: </p>
<ul>
<li>The certificates you signed with your root certificate have expired. </li>
<li>Your root certificate itself has expired. </li>
</ul>
<p>In the second case, you have some work to do. A new root CA certificate must be created and distributed, and then your existing certificates must be recreated or re-signed. </p>
<p>In the first case, you have two options. You can either generate new certificate signing requests and sign them as described above, or (if you kept them) you can re-sign the original requests. In either case, the old certificates must be revoked, and then the new certificates signed and installed into your secure applications as described earlier. </p>
<p>You cannot issue two certificates with the same Common Name, which is why the expired certificates must be revoked. The certificate is in the newcerts directory; you can determine its filename by browsing <tt>index.txt</tt> and searching for the Common Name (CN) on it. The filename is the index plus the extension ".pem", for example "02.pem". To revoke a certificate: </p>
<pre>
openssl ca -revoke newcerts/02.pem -config ./openssl.cnf
Using configuration from ./openssl.cnf
Enter PEM pass phrase: demo
Revoking Certificate 02.
Data Base Updated
</pre>
<p>Now that the certificate has been revoked, you can re-sign the original request, or create and sign a new one as described above. </p>
</blockquote>
<b>Getting a Commercially Signed Certificate</b>
<blockquote>
<p>The process is basically the same as the one just demonstrated, but the CA does most of it. You need to generate a Certificate Signing Request as shown above, and then submit it for signing. You will receive a signed certificate for installation. </p>
<p>This certificate will automatically be trusted by your client's browser, as the browser has the commercial CA's certificate built in. There is no need to distribute anything. </p>
<p>The configuration described here may be inadequate for this purpose, as there is much more that can go into a request. Different certificate authorities require different features in the certificate signing request, none of which we have gone into here. This additional material is beyond the current scope of this document. </p>
</blockquote>
<b>Publishing Your CA Certificate</b>
<blockquote>
<p>You can post the certificate on your web site for download. If you do this, you should also post a Certificate Revocation List (CRL), and a means of displaying a certificate given its serial number. This is outside the current scope of this document. </p>
<p>Apache will serve your certificate in a form recognizable to browsers if you specify its MIME type. For example, you can use the filename extension ".crt" for downloadable certificates, and put the following into the general section of your Apache configuration: </p>
<pre>
AddType application/x-x509-ca-cert .crt
</pre>
<p>Now you can post the certificate for download with a link like <a href="http://www.example.com/ourrootcert.crt" rel="nofollow">Our Root Certificate</a>, and when the link is followed the visitor's browser will offer to install the certificate. </p>
<p>The CRL can be created as follows: </p>
<pre>
openssl ca -gencrl -crldays 31 -config ./openssl.cnf -out rootca.crl
</pre>
</blockquote>
<b>Summary</b>
<blockquote>
<p>You now have enough information to create and sign certificates on your own behalf. While this is a fairly long document, the procedure can be summarized easily. </p>
<b>One-Time Setup</b>
<p>Set up, and create a root CA certificate. Commands:</p>
<pre>
# mkdir CA
# cd CA
# mkdir newcerts private
# echo '01' >serial
# touch index.txt
# (IMPORTANT: Install and edit the configuration file shown below.)
# openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem \
-out cacert.pem -days 365 -config ./openssl.cnf
</pre>
<p>Output :</p>
<ul>
<li><tt>cacert.pem</tt> - CA certificate </li>
<li><tt>private/cakey.pem</tt> - CA private key </li>
</ul>
<p>Distribute cacert.pem to your clients. </p>
<b>Per Certificate</b>
<p>Create certificate signing requests and sign them, supplying appropriate values for the Common Name and the Organizational Unit. </p>
<p>Commands :</p>
<pre>
openssl req -new -nodes -out req.pem -config ./openssl.cnf
openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem
cat key.pem cert.pem &gt;key-cert.pem
</pre>
<p>Output :</p>
<ul>
<li><tt>key.pem</tt> - Private key </li>
<li><tt>req.pem</tt> - Certificate signing request </li>
<li><tt>cert.pem</tt> - Certificate </li>
<li><tt>key-cert.pem</tt> - Combined private key and certificate </li>
</ul>
<p>Install <tt>key.pem</tt> and <tt>cert.pem</tt>, or just <tt>key-cert.pem</tt> as appropriate for your server application.</p>
<b>Per Certificate - Renewal</b>
<p>Revoke the expired certificate, and re-sign the original request.</p>
<p>Commands :</p>
<pre>
openssl ca -revoke newcerts/.pem -config ./openssl.cnf
openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem
</pre>
<p>Install the renewed certificates in the same manner as the original ones. </p>
<b>Configuration File</b>
<pre>
#
# OpenSSL configuration file.
#
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#---------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------------ ------------------------------
0.organizationName_default = The Sample Company
localityName_default = Metropolis
stateOrProvinceName_default = New York
countryName_default = US
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
</pre>
</blockquote>
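<p>As an added example that is not part of the article, here is the whole procedure (one-time setup, per-certificate issue, the hostname check a client performs, and the revoke-and-re-sign renewal) as a non-interactive shell script that can be run end to end. It assumes a current OpenSSL (1.1.1 or later) and, because current clients reject the 2005 settings, replaces md5 and 1024-bit RSA with sha256 and 2048-bit RSA and adds a subjectAltName; the variable and function names are the example's own.</p>

```shell
# Added example: the article's CA procedure run non-interactively.
# CA_DIR, CA_PASS and the function names are this example's own.
set -eu

CA_DIR="${CA_DIR:-./CA}"     # working directory, as in the article
CA_PASS="${CA_PASS:-demo}"   # the article's sample passphrase; change it
CA_SUBJ="/O=The Sample Company/OU=CA Division/ST=New York/C=US/CN=TSC Root CA"

# The article's openssl.cnf layout, with sha256 and 2048-bit RSA in place
# of md5 and 1024-bit, which current clients reject.
write_cnf() {
  cat > "$CA_DIR/openssl.cnf" <<'EOF'
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = Common Name (hostname)
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF
}

# One-time setup: directories, database, and a ten-year self-signed root.
make_ca() {
  mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private"
  chmod 700 "$CA_DIR/private"   # the CA key must not be readable by others
  echo '01' > "$CA_DIR/serial"
  : > "$CA_DIR/index.txt"
  write_cnf
  (cd "$CA_DIR" && openssl req -new -x509 -extensions v3_ca -days 3650 \
      -config ./openssl.cnf -subj "$CA_SUBJ" -passout "pass:$CA_PASS" \
      -keyout private/cakey.pem -out cacert.pem 2>/dev/null)
}

# Sign (or, after a revocation, re-sign) the stored request for a host.
# openssl ca does not apply the extensions a CSR asks for unless
# copy_extensions is set, so the leaf extensions come from an -extfile here;
# its subjectAltName is what browsers match, not the Common Name.
sign_req() {
  host=$1
  (cd "$CA_DIR" \
   && printf '[ leaf ]\nbasicConstraints = CA:FALSE\nsubjectKeyIdentifier = hash\nsubjectAltName = DNS:%s\n' "$host" > "$host.ext" \
   && openssl ca -batch -notext -config ./openssl.cnf -passin "pass:$CA_PASS" \
        -extfile "$host.ext" -extensions leaf -in "$host.req.pem" -out "$host.cert.pem" \
   && cat "$host.key.pem" "$host.cert.pem" > "$host.key-cert.pem")
}

# Per certificate: unencrypted key (-nodes) and request, then sign it.
issue_cert() {
  host=$1
  (cd "$CA_DIR" && openssl req -new -nodes -config ./openssl.cnf \
      -subj "/O=The Sample Company/OU=Mail Server/ST=New York/C=US/CN=$host" \
      -keyout "$host.key.pem" -out "$host.req.pem" 2>/dev/null)
  sign_req "$host"
}

# What a client checks: $2 must chain to cacert.pem and its subjectAltName
# must match the name the client asked for ($1). Exit status only.
verify_cert() {
  openssl verify -CAfile "$CA_DIR/cacert.pem" -verify_hostname "$1" "$2" >/dev/null 2>&1
}

# Renewal, first half: revoke the current certificate and publish a CRL.
revoke_cert() {
  (cd "$CA_DIR" \
   && openssl ca -revoke "$1.cert.pem" -config ./openssl.cnf -passin "pass:$CA_PASS" \
   && openssl ca -gencrl -crldays 31 -config ./openssl.cnf -passin "pass:$CA_PASS" -out rootca.crl)
}

# As verify_cert, but also consult the CRL, so a revoked certificate fails.
verify_with_crl() {
  openssl verify -crl_check -CAfile "$CA_DIR/cacert.pem" -CRLfile "$CA_DIR/rootca.crl" \
      -verify_hostname "$1" "$2" >/dev/null 2>&1
}
```

<p>Run <tt>make_ca</tt> once and <tt>issue_cert mail.sample.com</tt> per host; <tt>verify_cert smtp.sample.com CA/mail.sample.com.cert.pem</tt> then fails, which is the name mismatch the CSR section warns about, and <tt>revoke_cert mail.sample.com</tt> followed by <tt>sign_req mail.sample.com</tt> is the renewal.</p>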
<h3>Updated: 9th November 2005</h3>
<blockquote>
<p>It has been brought to my attention that this article has been plagiarized by the poster who claimed it as his own work. That poster has now had his account suspended.</p>
<p>The original author of the article, Marcus Redivo, has kindly allowed the text to remain on this site. The original article as written by Marcus can be found upon his website here:</p>
<ul>
<li><a href="http://www.eclectica.ca/howto/ssl-cert-howto.php">http://www.eclectica.ca/howto/ssl-cert-howto.php</a></li>
</ul>
</blockquote>
</div>
<p>&nbsp;</p>
<div class="share"></div>
<p>&nbsp;</p>
<p></p>
<hr />
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_1">#</a>
</div>
<div class="title"><a name="comment_1">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/simonw">simonw</a> (84.45.xx.xx) on Thu 3 Nov 2005 at 16:06 <br />
[ <a href="/create/message/simonw">Send Message</a> | <a href="/users/simonw/weblog">View Weblogs</a> ]</div>
<div class="body">
&gt; Note: If you are in the business of running a commercial secure site, obtaining a commercially signed certificate is the only realistic choice. <br /><br /> Depends entirely on the sophistication of your userbase. <br /><br /> Paul Vixie ignored this advice when involved with setting up mail-abuse.org, because all the major commercial certificate vendors were also involved in the spam business, and the other authorities expect you to be a bank, or have other weird qualifying criteria. <br /><br /> Guess it's a case of being wary of who you do business with. <br /><br /> Thanks for the article, I&#39;ve used similar articles in the past, and hope the Debian specific one will save me some more time next time I need a self signed certificate.
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/1">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_2">#</a>
</div>
<div class="title"><a name="comment_2">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (128.250.xx.xx) on Fri 4 Nov 2005 at 01:07 <br />
</div>
<div class="body">
Wonderful article... I&#39;ve been through a world of pain trying to do this a couple of times and then once I finally thought I&#39;d got it right I realised that the damned certificate didn&#39;t have a serial so renewing it was almost impossible with some brain dead browsers. <br /><br /> Definitely an article that I&#39;ll keep in a safe place until I next have to do this (about once every 2 or 3 years... just enough time to forget all the mistakes you made last time!) <br /><br /> thanks!!!
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/2">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_3">#</a>
</div>
<div class="title"><a name="comment_3">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/dkg">dkg</a> (216.254.xx.xx) on Fri 4 Nov 2005 at 04:20 <br />
[ <a href="/create/message/dkg">Send Message</a> | <a href="/users/dkg/scratchpad">View dkg's Scratchpad</a> | <a href="/users/dkg/weblog">View Weblogs</a> ]</div>
<div class="body">
Awesome article. Thanks for collecting all these pieces in a single place. <p> I&#39;ve found that <a href="http://tinyca.sm-zone.net/" rel="nofollow">tinyca</a> (<a href="http://packages.qa.debian.org/t/tinyca.html" rel="nofollow">debian package info</a>) is a decent tool for prompting you for most of the relevant pieces of information you might need, especially if signing cert requests is something you do infrequently enough that you forget the exact details. A good secure configuration is to run tinyCA on a dedicated old machine which never connects to the net. You can then import the certificate requests with a USB key or floppy disk, sign them on the isolated machine, and return the new certs via the same removable medium. <p> To future-proof your article: you might want to consider increasing the default bit length of your keypair in <tt>openssl.cnf</tt>, assuming your TLS-enabled server is running reasonable hardware. <a href="http://openssh.com/" rel="nofollow">openssh</a> (which uses different PKI infrastructure, but similar math) <a href="http://marc.theaimsgroup.com/?l=openssh-unix-dev&amp;m=112558674928977&amp;w=2" rel="nofollow">just increased default key length</a> to 2048 with version 4.2. <p> The one final missing piece would be to write up something comparably detailed about Certificate Revocation and how to manage, create, and distribute Certificate Revocation Lists using debian tools. If I get a chance, I&#39;ll try to write up something on that for this site.
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/3">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_4">#</a>
</div>
<div class="title"><a name="comment_4">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (217.11.xx.xx) on Fri 4 Nov 2005 at 12:20 <br />
</div>
<div class="body">
Fantastic article. Thanks!
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/4">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_5">#</a>
</div>
<div class="title"><a name="comment_5">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Arto">Arto</a> (213.250.xx.xx) on Fri 4 Nov 2005 at 16:51 <br />
[ <a href="/create/message/Arto">Send Message</a> ]</div>
<div class="body">
<p>Thanks for the article, that came in handy as I&#39;m just finishing setting up a new Debian server and will need to create the SSL certificates next.<p>It&#39;s amazing, though, how difficult providing an encrypted data channel has been made; no doubt the problem lies in the fact that certificates try to go beyond just encryption, and provide some unrealistic measure of &quot;trust&quot; as well. Well, it&#39;s a good business to some, that&#39;s for sure.<p>It&#39;s been a while since I played around with these things, so just one question:<blockquote>The Common Name must be (or the IP address must resolve to) the server name your clients use to contact your host. If this does not match, every time they connect your clients will get a message asking them if they want to use this server.</blockquote><p>Does this mean that if I create a CSR bound to an IP address instead of a host name, the clients won&#39;t get any complaints regardless of the host name (smtp.sample.com, mail.sample.com, or so forth) they use to access the server, as long as the host names resolve to the same IP?
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/5">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<div class="indent">
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_19">#</a>
</div>
<div class="title"><a name="comment_19">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (66.43.xx.xx) on Mon 12 Jun 2006 at 13:52 <br />
</div>
<div class="body">
I have come across cases where the CSR was bound to an IP instead of the host name and I did get a complaint.<br />
</div>
<p class="foot">
[
<a href="#comment_5">Parent</a>
| <a href="/comment/onarticle/284/19">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
</div>
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_6">#</a>
</div>
<div class="title"><a name="comment_6">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (213.219.xx.xx) on Sat 5 Nov 2005 at 18:13 <br />
</div>
<div class="body">
I created a certificate for my server using <a href="http://www.cacert.org/" rel="nofollow">www.cacert.org</a>. It is not accepted by default in browsers as a valid authority, but it may be some time.
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/6">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<div class="indent">
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_7">#</a>
</div>
<div class="title"><a name="comment_7">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (195.14.xx.xx) on Tue 8 Nov 2005 at 13:28 <br />
</div>
<div class="body">
Check the ports.conf file: did you change the port number or not?
</div>
<p class="foot">
[
<a href="#comment_6">Parent</a>
| <a href="/comment/onarticle/284/7">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
</div>
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_8">#</a>
</div>
<div class="title"><a name="comment_8">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/timt">timt</a> (217.13.xx.xx) on Wed 9 Nov 2005 at 00:29 <br />
[ <a href="/create/message/timt">Send Message</a> ]</div>
<div class="body">
Good article, very useful. But I feel I have read it before <a href="http://www.eclectica.ca/howto/ssl-cert-howto.php" rel="nofollow">somewhere</a>.
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/8">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<div class="indent">
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_9">#</a>
</div>
<div class="title"><a name="comment_9">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Steve">Steve</a> (82.41.xx.xx) on Wed 9 Nov 2005 at 05:18 <br />
[ <a href="/create/message/Steve">Send Message</a> | <a href="/users/Steve/scratchpad">View Steve's Scratchpad</a> | <a href="/users/Steve/weblog">View Weblogs</a> ]</div>
<div class="body">
<p>I had no idea it was copied. I trust that people will play fair and not claim credit they do not deserve.<p>Marcus got in touch with me to confirm this was a copy of his work. He has graciously allowed it to remain here - and I&#39;ve banned the original &quot;author&quot;.<p>Right about now I have very little faith in people&#39;s honesty.<p><a href="http://www.steve.org.uk/">Steve</a><br /> --
</div>
<p class="foot">
[
<a href="#comment_8">Parent</a>
| <a href="/comment/onarticle/284/9">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
</div>
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<div class="indent">
<div class="indent">
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_11">#</a>
</div>
<div class="title"><a name="comment_11">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Marcus_Redivo">Marcus_Redivo</a> (139.142.xx.xx) on Wed 9 Nov 2005 at 19:20 <br />
[ <a href="/create/message/Marcus_Redivo">Send Message</a> ]</div>
<div class="body">
<p>Steve wrote:<blockquote> &gt; Right about now I have very little faith in peoples honesty. </blockquote><p>And right about now, I do.<p>I sent a note to the site Webmaster (Steve) when I became aware that my document had been posted by someone under their own name.<p>Steve went way beyond the call of duty in responding and doing the right thing. By the time I finished reading my email, I already had a note from Steve in my inbox, and the offending account had been suspended. I indicated in my response that Steve was welcome to keep the content up; after all, it was written to be read.<p>Many thanks, Steve, for making this right. You are the kind of person that makes the Internet a nice place, and I&#39;m sure you also do this in person in your community.<p>Best regards,<br /> Marcus
</div>
<p class="foot">
[
<a href="#comment_9">Parent</a>
| <a href="/comment/onarticle/284/11">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
</div>
</div>
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_12">#</a>
</div>
<div class="title"><a name="comment_12">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (62.89.xx.xx) on Thu 10 Nov 2005 at 14:06 <br />
</div>
<div class="body">
Nice article to explain the basics.<br /><br /> I&#39;d like to point out OpenCA[1], a project with the aim of managing such a PKI.<br /><br /> [1] <a href="http://openca.sourceforge.net/" rel="nofollow">http://openca.sourceforge.net/</a><br /><br /><a href="http://www.codixx.de/polarizer.html" rel="nofollow">polarizers 2cent</a>
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/12">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<div class="indent">
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_14">#</a>
</div>
<div class="title"><a name="comment_14">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (206.66.xx.xx) on Thu 10 Nov 2005 at 18:34 <br />
</div>
<div class="body">
Good article indeed. A commandline alternative to OpenCA is called easy-rsa, which ships with Openvpn[1]. This series of scripts lets you easily create and manage one or more CAs. <p> [1] <a href="http://www.openvpn.net/" rel="nofollow">http://www.openvpn.net</a>
</div>
<p class="foot">
[
<a href="#comment_12">Parent</a>
| <a href="/comment/onarticle/284/14">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
</div>
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_13">#</a>
</div>
<div class="title"><a name="comment_13">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (198.134.xx.xx) on Thu 10 Nov 2005 at 16:26 <br />
</div>
<div class="body">
<div class="hft-lines">I would point out the difference between a self-signed certificate (in which there is NOT a certificate authority) and self-signing your certificates using a private certificate authority. The distinction is an important one but too often overlooked when people talk/write about certificates. <br /><br /> Self-signed certificates DO NOT scale. Self-signing scales reasonably well, if you take measures to distribute your CA public key.<br /></div>
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/13">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<div class="indent">
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_20">#</a>
</div>
<div class="title"><a name="comment_20">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (66.43.xx.xx) on Mon 12 Jun 2006 at 14:04 <br />
</div>
<div class="body">
<div class="hft-lines">I was wondering what size installations people have been able to administer using this technique (or a similar one). I&#39;m trying to convince the management that being our own CA is a good idea and that we can make this scale to our purposes (less than 1000 users, half of which are our clients, not employees). Any use cases or scenarios would be very helpful. <br /><br /> Thanks, <br /> Andrew<br /></div>
</div>
<p class="foot">
[
<a href="#comment_13">Parent</a>
| <a href="/comment/onarticle/284/20">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
</div>
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_15">#</a>
</div>
<div class="title"><a name="comment_15">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (61.9.xx.xx) on Fri 18 Nov 2005 at 04:40 <br />
</div>
<div class="body">
<div class="hft-lines">hi, <br /><br /> Thank you for your article, without it, I would never have had a hope of getting as far as I did. <br /><br /> I had already tried to issue certs before, but they were not working properly - they were under &#39;/etc/ssl/certs&#39; and &#39;/etc/ssl/private&#39; - following your tutorial, the new ones were generated under &#39;/etc/ssl/CA&#39; and &#39;/etc/ssl/CA/private&#39;.. <br /><br /> Q1: Can I simply copy the/your new certs over the old ones? <br /><br /><br /> Q2: I am not sure where the Apache2 references are to the certs - can you tell me? <br /><br /> Apache <br /><br /> File Comment <br /> /home/httpd/html Apache DocumentRoot <br /> /home/httpd/ssl SSL-related files <br /> /home/httpd/ssl/cert.pem Site certificate <br /> /home/httpd/ssl/key.pem Site private key <br /><br /> ........................ <br /> Nevertheless - thank you very much. <br /><br /> Danny Regan <br /></div>
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/15">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_16">#</a>
</div>
<div class="title"><a name="comment_16">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/dregan">dregan</a> (61.9.xx.xx) on Fri 18 Nov 2005 at 05:14 <br />
[ <a href="/create/message/dregan">Send Message</a> ]</div>
<div class="body">
<div class="hft-lines">hi, <br /><br /> Thank you for your article, without it, I would never have had a hope of getting as far as I did. <br /><br /> I had already tried to issue certs before, but they were not working properly - they were under &#39;/etc/ssl/certs&#39; and &#39;/etc/ssl/private&#39; - following your tutorial, the new ones were generated under &#39;/etc/ssl/CA&#39; and &#39;/etc/ssl/CA/private&#39;.. <br /><br /> Q1: Can I simply copy the/your new certs over the old ones? <br /><br /><br /> Q2: I am not sure where the Apache2 references are to the certs - can you tell me? <br /><br /> Apache <br /><br /> File Comment <br /> /home/httpd/html Apache DocumentRoot <br /> /home/httpd/ssl SSL-related files <br /> /home/httpd/ssl/cert.pem Site certificate <br /> /home/httpd/ssl/key.pem Site private key <br /><br /> ........................ <br /> Nevertheless - thank you very much. <br /><br /> Danny Regan <br /></div>
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/16">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_17">#</a>
</div>
<div class="title"><a name="comment_17">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/dregan">dregan</a> (61.9.xx.xx) on Fri 18 Nov 2005 at 05:19 <br />
[ <a href="/create/message/dregan">Send Message</a> ]</div>
<div class="body">
<div class="hft-lines">Thank you for your article. <br /><br /> I apt-get install stunnel without problems, but when I run the command; <br /><br /> stunnel -p /etc/ssl/certs/key-cert.pem <br /><br /> I get; <br /> ns1:/etc/ssl/certs# stunnel -p /etc/ssl/certs/key-cert.pem <br /> 2005.11.18 16:17:30 LOG3[9812:16384]: Either -r, -l (or -L) option must be used <br /><br /> Try &#39;stunnel -h&#39; for more information. <br /><br /> ns1:/etc/ssl/certs# <br /> ................. <br /> stunnel -V shows the following <br /><br /> Compile time defaults: <br /> -v level no verify <br /> -a directory /etc/ssl/certs <br /> -A file (none) <br /> -S sources 3 <br /> -t timeout 300 seconds <br /> -B bytes 64 <br /> -D level 5 <br /> -P pid dir /var/run/stunnel/ <br /> -p pemfile in server mode: /etc/ssl/certs/stunnel.pem <br /> in client mode: none <br /><br /> Any Suggestions (please)? <br /><br /><br /><br /></div>
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/17">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_18">#</a>
</div>
<div class="title"><a name="comment_18">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/krischeu">krischeu</a> (195.30.xx.xx) on Wed 30 Nov 2005 at 10:46 <br />
[ <a href="/create/message/krischeu">Send Message</a> ]</div>
<div class="body">
<div class="hft-lines">Very useful Howto, <br /><br /> first I ran into some problems using a fresh Debian sarge 3.1 install. <br /> I was googling around, and thousands of people got the same error, but nowhere is a solution. I found little solutions - everywhere a little piece. <br /><br /> The error message is every time: <br /> ------------------------- <br /> can&#39;t find openssl.cnf <br /> unable to find &#39;distinguished_name&#39; in config <br /> Unable to load config info <br /> unable to load CA private key sign <br /><br /> This solved my problems with creating and signing the certificates: <br /> ---------------------------------------------------------------- <br /><br /> edit the /root/.bashrc <br /> PATH=/usr/lib/ssl/misc:/etc/ssl:$PATH <br /> export PATH <br /> OPENSSL_CONF=/etc/ssl/openssl.cnf <br /> export OPENSSL_CONF <br /> SSLEAY_CONF=/etc/ssl/openssl.cnf <br /> export SSLEAY_CONF <br /><br /> Do a link <br /> cd /usr/lib/ssl/misc <br /> ln -s /etc/ssl/openssl.cnf openssl.cnf <br /><br /> Copy the /etc/ssl/openssl.cnf to openssl.cnf and change the original against the one of the howto. <br /><br /> Edit it to your environment. <br /><br /> The rest is like the howto says. <br /><br /> Best regards, <br /><br /> heinz.krischeu@easi.de<br /></div>
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/18">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_21">#</a>
</div>
<div class="title"><a name="comment_21">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (213.225.xx.xx) on Wed 9 May 2007 at 15:56 <br />
</div>
<div class="body">
Great article! <br /><br />Thanks a lot for writing it. <br /><br />-o
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/21">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_22">#</a>
</div>
<div class="title"><a name="comment_22">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (213.162.xx.xx) on Tue 31 Jul 2007 at 14:24 <br />
</div>
<div class="body">
Very useful article... but there is one small problem. <br /><br />It doesn&#39;t work. <br /><br />Using the openssl.cnf as supplied in the article and copying the commands exactly I get the error message: <br /><br />error, no objects specified in config file <br />problems making Certificate Request <br /><br />and cacert.pem is not generated. <br /><br />Googling the error message doesn&#39;t provide any useful results. And it&#39;s not a very helpful error message to someone who knows sod all about how this works which is why I am reading the article in the first place. <br /><br />This is using openssl 0.9.8c-4 in Debian. <br /><br />Any idea what&#39;s going on? <br />
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/22">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<div class="indent">
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_24">#</a>
</div>
<div class="title"><a name="comment_24">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (75.18.xx.xx) on Tue 11 Dec 2007 at 05:06 <br />
</div>
<div class="body">
&quot;Using the openssl.cnf as supplied in the article and copying the commands exactly I get the error message: <br /><br />error, no objects specified in config file <br />problems making Certificate Request&quot; <br /><br />It sounds like you edited /etc/ssl/openssl.cnf instead of making a new openssl.cnf in the current directory. <br /><br />If you copied the commands exactly, then the mentioned command line parameter -config ./openssl.cnf is drastically different from -config /etc/openssl/openssl.cnf <br /><br />Hope this helps. <br /><br /><br />Great HOWTO! It&#39;s always nice to have the methods and underlying framework explained rather than just being given commands/parameters and being expected to copy/paste them blindly.
</div>
<p class="foot">
[
<a href="#comment_22">Parent</a>
| <a href="/comment/onarticle/284/24">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
</div>
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_23">#</a>
</div>
<div class="title"><a name="comment_23">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (200.123.xx.xx) on Tue 9 Oct 2007 at 15:01 <br />
</div>
<div class="body">
Thanks for this article. It has helped me to configure my box without SSL warnings. <br /><br />But, I&#39;ve a question. How can I use the cacert.pem with Outlook? When I try to import it, Outlook complains. It seems that it expects another format. Do I have to convert it? How? <br />Thanks!
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/23">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_25">#</a>
</div>
<div class="title"><a name="comment_25">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/olberger">olberger</a> (157.159.xx.xx) on Thu 15 May 2008 at 12:49 <br />
[ <a href="/create/message/olberger">Send Message</a> ]</div>
<div class="body">
The article mentions : <br /> Note: a self-signed cert can be created with the simple command mod-ssl-makecert, part of the Debian package libapache-mod-ssl. <br /><br />FYI, there&#39;s a &#39;ssl-cert&#39; package which contains the &#39;make-ssl-cert&#39; command which can be used to do so. <br /><br />Hope this helps,
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/25">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_26">#</a>
</div>
<div class="title"><a name="comment_26">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (88.73.xx.xx) on Thu 9 Oct 2008 at 18:32 <br />
</div>
<div class="body">
Good article! This one is easy to understand, if you&#39;ve got some solid *nix knowledge. Anyway, maybe in the near future we can build secure websites for ourselves :) THX
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/26">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_27">#</a>
</div>
<div class="title"><a name="comment_27">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/mtmonacelli">mtmonacelli</a> (74.95.xx.xx) on Fri 26 Dec 2008 at 20:29 <br />
[ <a href="/create/message/mtmonacelli">Send Message</a> ]</div>
<div class="body">
I&#39;ve avoided SSL for lack of understanding...till now. Finally a well written step by step, easy to follow tutorial on how to use SSL! Thank you for helping break down the barrier to entry.
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/27">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_29">#</a>
</div>
<div class="title"><a name="comment_29">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (190.169.xx.xx) on Tue 3 Mar 2009 at 21:25 <br />
</div>
<div class="body">
I can&#39;t find libapache-mod-ssl in Lenny, what command can I use now?
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/29">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<div class="indent">
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_30">#</a>
</div>
<div class="title"><a name="comment_30">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (194.63.xx.xx) on Fri 20 Mar 2009 at 14:28 <br />
</div>
<div class="body">
<p>Hi,</p><p>I have the command available on a Debian Lenny. There is also the package ssl-cert installed!</p><p>I think the package containing &quot;make-ssl-cert&quot; is &quot;ssl-cert&quot;. Try to install that package with aptitude or apt.</p><p>Hope that helps</p>
</div>
<p class="foot">
[
<a href="#comment_29">Parent</a>
| <a href="/comment/onarticle/284/30">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
</div>
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_31">#</a>
</div>
<div class="title"><a name="comment_31">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (190.169.xx.xx) on Thu 5 Nov 2009 at 15:19 <br />
</div>
<div class="body">
In: <br /><br />$ openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem <br /><br />it is created for one year. You need to add -days if you want it to last for longer, say ten years: <br /><br />$ openssl ca -out cert.pem -days 3650 -config ./openssl.cnf -infiles req.pem
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/31">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<div class="indent">
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_32">#</a>
</div>
<div class="title"><a name="comment_32">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (24.69.xx.xx) on Thu 5 Nov 2009 at 17:47 <br />
</div>
<div class="body">
Of course, your certificate is only valid while your root certificate remains unexpired. In the example, the root certificate is created with a ten-year life-span, so there is no point in specifying &quot;-days&quot; for a period longer than the root certificate&#39;s remaining life.
</div>
<p class="foot">
[
<a href="#comment_31">Parent</a>
| <a href="/comment/onarticle/284/32">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
</div>
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_33">#</a>
</div>
<div class="title"><a name="comment_33">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (82.243.xx.xx) on Thu 12 Nov 2009 at 03:41 <br />
</div>
<div class="body">
Hi, <br /><br />thanks for this howto. <br /><br />I have a problem when I run the line openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf <br />it gives me this error: <br />Error loading extension section V3_ca <br /><br />Do you know what happened? <br /><br />Thanks
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/33">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_34">#</a>
</div>
<div class="title"><a name="comment_34">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/nlindley">nlindley</a> (12.94.xx.xx) on Thu 18 Feb 2010 at 22:24 <br />
[ <a href="/create/message/nlindley">Send Message</a> ]</div>
<div class="body">
Some Mac applications use WebDAV, e.g. iCal, and require a basicConstraint of &quot;critical&quot; in the v3_ca section to use SSL. Here&#39;s how that section looks in my configuration: <br /><br />[ v3_ca ] <br />basicConstraints = critical,CA:TRUE <br />subjectKeyIdentifier = hash <br />authorityKeyIdentifier = keyid:always,issuer:always
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/34">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_35">#</a>
</div>
<div class="title"><a name="comment_35">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (193.110.xx.xx) on Tue 27 Apr 2010 at 08:35 <br />
</div>
<div class="body">
The one piece of information I&#39;d like to see still is how to distribute certificates in a Debian package. I would have thought there would be a written policy for this (this is Debian we are talking about after all :-) but so far, I have come up with nothing. It seems that openssl and ca-certificates put stuff in /etc/ssl and more specifically /etc/ssl/certs but is that sufficient for e.g. Firefox and Thunderbird to find the certificates, or is there something more I need to do?
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/35">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_37">#</a>
</div>
<div class="title"><a name="comment_37">Certificate Generator</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (83.227.xx.xx) on Wed 19 May 2010 at 08:34 <br />
</div>
<div class="body">
If you do development stuff that doesn&#39;t require too much security, you might want to try this <a href="http://www.selfsignedcertificate.com" rel="nofollow">online self-signed certificate generator</a>.
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/37">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_38">#</a>
</div>
<div class="title"><a name="comment_38">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (213.177.xx.xx) on Thu 14 Oct 2010 at 16:23 <br />
</div>
<div class="body">
The default hash algorithm is now insecure. I&#39;ve had to redo all my certificates after I started to test SSL with cadaver, which reported &quot;Certificate verification error: signed using insecure algorithm&quot;. Hence please change: <br /><br /> default_md = md5 <br /><br />to <br /><br /> default_md = sha1 <br /><br />in openssl.cnf. Might help troubleshoot weird errors.
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/38">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
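<p>As an added example (not code from the article or from either commenter): the shell script below, which assumes the openssl command-line tool and GNU date as found on Debian, makes the two caveats raised in the comments above checkable. It compares a leaf certificate's notAfter against its issuer's, so a <code>-days</code> value that would outlive the CA is caught instead of silently signed, and it reads the signature algorithm out of the certificate itself so an md5 (or, today, sha1) signature is flagged regardless of what <code>default_md</code> says. The CA, key and leaf it generates are throwaway test material with placeholder names.</p>

```shell
#!/bin/sh
# Added example, not part of the original article or its comments.
# Assumes the openssl command-line tool and GNU date (both standard on Debian).
# Two checks raised in the comments:
#   1. a leaf signed with "-days N" is only trusted while its CA certificate is
#      still valid, so the leaf's notAfter must not exceed the CA's notAfter;
#   2. clients reject md5 (and now sha1) signatures, so inspect the signature
#      algorithm actually used rather than trusting default_md in openssl.cnf.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a throwaway CA valid for 3650 days and a leaf
# signed by it for $1 days with SHA-256. Subjects are placeholders, not real hosts.
make_test_certs() {
    days=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=Example Org/CN=Example Test CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Org/CN=www.example.test" \
        -keyout "$WORK/key.pem" -out "$WORK/req.pem" 2>/dev/null
    openssl x509 -req -sha256 -days "$days" \
        -in "$WORK/req.pem" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
        -CAcreateserial -out "$WORK/cert.pem" 2>/dev/null
}

# Print a certificate's notAfter as seconds since the epoch (GNU date parses
# the "Nov 12 03:41:00 2019 GMT" form that openssl emits).
not_after_epoch() {
    end=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
    date -d "$end" +%s
}

# Exit 0 only if the leaf ($2) expires no later than its issuer ($1).
leaf_within_ca_lifetime() {
    ca_end=$(not_after_epoch "$1")
    leaf_end=$(not_after_epoch "$2")
    [ "$leaf_end" -le "$ca_end" ]
}

# Print the signature algorithm name recorded in a certificate,
# e.g. sha256WithRSAEncryption (first match is the TBS copy).
signature_algorithm() {
    openssl x509 -noout -text -in "$1" \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Classify an algorithm name: "weak" for MD5- or SHA-1-based signatures
# (md5WithRSAEncryption, sha1WithRSAEncryption, ecdsa-with-SHA1), else "ok".
classify_signature_algorithm() {
    case "$1" in
        md5*|*MD5*|sha1*|*SHA1*) echo weak ;;
        *) echo ok ;;
    esac
}

# Demonstration on the constructed material: a 365-day leaf fits inside the
# 3650-day CA, a 7300-day leaf does not; both carry SHA-256 signatures.
for leaf_days in 365 7300; do
    make_test_certs "$leaf_days"
    alg=$(signature_algorithm "$WORK/cert.pem")
    if leaf_within_ca_lifetime "$WORK/cacert.pem" "$WORK/cert.pem"; then
        echo "leaf ($leaf_days days): within CA lifetime; $alg is $(classify_signature_algorithm "$alg")"
    else
        echo "leaf ($leaf_days days): OUTLIVES its CA; $alg is $(classify_signature_algorithm "$alg")"
    fi
done
```

<p>The functions take ordinary PEM files, so the same <code>leaf_within_ca_lifetime</code> and <code>signature_algorithm</code> calls can be pointed at the cacert.pem and cert.pem produced by the article's own openssl ca run to audit existing certificates; the generator at the bottom exists only to exercise them offline.</p>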
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_39">#</a>
</div>
<div class="title"><a name="comment_39">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (75.148.xx.xx) on Tue 21 Jun 2011 at 18:24 <br />
</div>
<div class="body">
<p>To set up this trust, the clients must trust the root of the server&rsquo;s certificate. This means clients have to possess the certificate of the certification authority that issued the server certificate in their Trusted Root Certification Authorities store. You can observe this store via the Certificates snap-in. The process is mandatory if you are using a certificate not issued by a third-party vendor.</p>
<p>Important: To install the server root certificate, do the following on the client.</p>
<p>To install the root Certificate on the client:</p>
<p>1. Open the Certificates snap-in console. If you have not previously added in the Certificates snap-in console, you can achieve this by doing the following:<br />
&bull; Click Start, select Run, type mmc, and then tap OK.<br />
&bull; On the File menu, choose Add/Remove Snap-in.<br />
&bull; In the Add or Remove Snap-ins dialog box, in the Available snap-ins file, choose Certificates, and then click Add.<br />
&bull; In the Certificates snap-in dialog box, select Computer account, and at that time click Next.<br />
&bull; In the Select Computer dialog box, click Local computer: (the computer this console is running on), followed by selecting Finish.<br />
&bull; In the Add or Remove snap-ins dialog box, click OK.</p>
<p>2. In the Certificates snap-in console, in the console tree, double click to show more items on Certificates (Local Computer), repeat previous step with Trusted Root Certification Authorities, right-click Certificates, and focus on All Tasks, followed by selecting Import.<br />
3. Once you get to the Welcome to the Certificate Import Wizard page, select Next.<br />
4. On the File to Import page, in the File name box, indicate the title of the server root certificate, then select Next.<br />
5. On the Password page, if you created a pass phrase for the private key linked with the certificate previously, enter the pass phrase.<br />
6. On the Certificates Store page, allow the default selection (Place all certificates in the following store &ndash; Trusted Root Certification Authorities), followed by choosing Next.<br />
7. On the Completing the Certificate Import Wizard page, verify that the certificate settings appear as follows:<br />
&bull; Certificate Store Selected by User: Trusted Root Certification Authorities<br />
&bull; Content: Certificate<br />
&bull; File Name: FilePath\, where is the name of the server root certificate.<br />
8. Select Finish.<br />
9. Once the certificate upload has successfully concluded, a confirmation message will show up proving the import was successful. Select OK.<br />
10. With Certificates chosen in the console hierarchy, in the detail panel, confirm that the root certificate of the server has become visible in the file of certificates on the client.</p>
<p>This process can be modified on client computers to use website certificates, remote desktop certificates, and Exchange certificates.</p>
<p>Shawn Zernik, www.internetworkconsulting.net</p>
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/39">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_40">#</a>
</div>
<div class="title"><a name="comment_40">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (184.154.xx.xx) on Thu 30 Jun 2011 at 13:08 <br />
</div>
<div class="body">
Good article, though I recommend not using self-signed SSL certificates as they may harm your online business reputation. It&#39;s better to get one from a trusted SSL reseller. <a href="https://www.thesslstore.com" rel="nofollow">SSL Certificate</a>
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/40">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_41">#</a>
</div>
<div class="title"><a name="comment_41">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/richjoslin">richjoslin</a> (173.151.xx.xx) on Thu 12 Jan 2012 at 23:39 <br />
[ <a href="/create/message/richjoslin">Send Message</a> ]</div>
<div class="body">
Maybe I overlooked it, and maybe this was just my experience, but I used different org names and got an error. <br /><br />If I create a CA cert with one org name and then create a CSR with different org name, I get this at the end of the output when I try to sign the certificate: <br /><br />&quot;The organizationName field needed to be the same in the CA certificate (Org A) and the request (Org B)&quot; <br /><br />And it isn&#39;t perfectly clear that it was an error, but there is no cert in newcerts, so that&#39;s my clue that it didn&#39;t work. My solution was to recreate the CSR with a matching org name. <br /><br />I think it would be better if I could use different org names for different certs. Or does that defeat the &quot;self-signing&quot; terminology?
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/41">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Indent comments.
See matching loop to correctly terminate the comment indentation.
-->
<!-- Comment entry -->
<div class="comment">
<div class="link">
<a href="/articles/284#comment_42">#</a>
</div>
<div class="title"><a name="comment_42">Re: Creating and Using a self signed SSL Certificates in debian</a>
</div>
<div class="tagline">
Posted by <a href="/users/Anonymous">Anonymous</a> (63.194.xx.xx) on Thu 20 Sep 2012 at 15:53 <br />
</div>
<div class="body">
In Debian Lenny, the only real &quot;gotcha&quot; that slowed me up (with a really weird browser Error code: ssl_error_rx_record_too_long) was having to add the default-ssl site (where SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile are updated with the certificate locations) <br /><br />from <br />/etc/apache2/sites-available/default-ssl <br />to <br />/etc/apache2/sites-enabled/ <br /><br />The self-signed SSL Certificates work but, since the constant browser warnings are a hassle, I decided to use a &quot;cheap&quot; (~$12/year) goDaddy.com SSL Certificate. <br /><br />Thanks for the article! <br />
</div>
<p class="foot">
[
Parent
| <a href="/comment/onarticle/284/42">Reply to this comment</a>
]
</p>
</div>
<!-- Terminate the indentation of the comments. -->
<p></p>
<!-- Closing tag for if_error -->
</div>
</div>
</div>
</div> <!-- end #content -->
</div> <!-- end #wrapper -->
<div id="footer">
<p>Articles and comments are the property of their respective posters.</p>
<p>Trademarks are the property of their respective owners.<br /> Debian is <a
href="http://tarr.uspto.gov/servlet/tarr?regser=serial&amp;entry=75386376&amp;action=Request+Status">a registered trademark</a> of <a href="http://www.spi-inc.org">Software in the Public Interest, Inc</a>.</p>
<p>This site is copyright &copy; 2004-2014 <a href="http://www.steve.org.uk/">Steve Kemp</a>.<br />Site hosting provided by <a href="http://www.bytemark.co.uk/">Bytemark Hosting</a> on the <a href="http://bigv.io/">BigV</a> platform.</p>
<p><a href="/about/Syndication">Article Feeds in Atom, RSS, &amp; RDF formats</a></p>
</div>
</body>
</html>