From: Nicolas M. <nic...@la...> - 2006-07-26 10:17:37
On 02:00 Wed 26 Jul , itboi wrote:
>
> Hi.
> I installed openca success with http protocol, but when I access to ra,
> ldap, pub with
> http://192.168.0.1/cgi-bin/ra/RAServer?cmd=getStaticPage&name=index
> it display "Error 6251026
> General Error Aborting connection - you are using a wrong security protocol
> (http)."
> and I can't run with https://192.168.0.1/ca/ also I configured my system
> following http://ist.uwaterloo.ca/security/lib-proxy/howto/ssleay/ docs
>
> But in the doc I don't understand two lines:
>
> SSLCertificateFile /software/sslCerts-1/config/certs/httpsd.pem
> SSLCertificateKeyFile /software/sslCerts-1/config/certs/private/httpsd.pem
>
> That /software/sslCerts-1/config/certs/httpsd.pem file and
> /software/sslCerts-1/config/certs/private/httpsd.pem from where and how to
> create it?
> For openca I can make and find it from where?
>

You must generate these two files. Here is a howto:

$ cd /root
$ chmod 700 .
$ umask 077
$ mkdir mypki
$ cd mypki
$ mkdir certs
$ mkdir private
$ touch index.txt
$ echo '01' > serial
$ vi openssl.cnf
$ export OPENSSL_CONF="openssl.cnf"
$ openssl req -newkey rsa -x509 -subj '/C=US/O=MyOrg/OU=MyUnit/CN=MyRootCA' -out cacert.pem
Generating a 2048 bit RSA private key
....................................................+++
.............................+++
writing new private key to './private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
$ export -n OPENSSL_CONF
$ openssl req -newkey rsa:1024 -keyout server.key -nodes -subj '/C=US/O=MyOrg/OU=MyUnit/CN=localhost' -out server.req
Generating a 1024 bit RSA private key
.......................................++++++
.............................++++++
writing new private key to 'server.key'
-----
$ export OPENSSL_CONF="openssl.cnf"
$ openssl ca -in server.req -out server.crt
Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
organizationName      :PRINTABLE:'MyOrg'
organizationalUnitName:PRINTABLE:'MyUnit'
commonName            :PRINTABLE:'localhost'
Certificate is to be certified until Jul 26 09:28:28 2007 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
$ cat server.key
$ cat server.crt

Some explanations:
- server.crt is the certificate for your web server
- server.key is the private key for your web server (keep it secret!)
- the content of openssl.cnf is given in the attached file

For more information:
- man openssl

Regards,
Nicolas.
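
A check worth running before pointing SSLCertificateFile and SSLCertificateKeyFile at the files from the howto above; this is an added example, not part of the original message or of OpenCA. The function names, demo.cnf and the throwaway demo PKI are assumptions made for illustration.

```shell
#!/bin/sh
# check_server_pair CERT KEY CACERT -> returns 0 only if all three checks pass.
check_server_pair() {
    cert=$1 key=$2 ca=$3 rc=0

    # 1. The certificate must carry the public key of this private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert"; rc=1
    fi

    # 2. The certificate must verify against the CA certificate.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"; rc=1
    fi

    # 3. The key must not be accessible to group or others (the howto sets
    #    umask 077); characters 5-10 of the ls mode string are those bits.
    if [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is accessible to group/other"; rc=1
    fi
    return $rc
}

# Constructed sample input: a throwaway CA and server certificate in DIR.
# 'openssl x509 -req' stands in for the howto's 'openssl ca' step so that no
# CA database is needed; subject names and lifetimes are made up.
make_demo_pki() (
    umask 077; mkdir -p "$1" && cd "$1" || exit 1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > demo.cnf
    openssl req -config demo.cnf -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/O=Demo/CN=DemoRootCA' -keyout cakey.pem -out cacert.pem 2>/dev/null
    openssl req -config demo.cnf -newkey rsa:2048 -nodes \
        -subj '/O=Demo/CN=localhost' -keyout server.key -out server.req 2>/dev/null
    openssl x509 -req -in server.req -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -days 1 -out server.crt 2>/dev/null
    # Unrelated key, used to show the mismatch case.
    openssl genrsa -out other.key 2048 2>/dev/null
)
```

Against the files from the howto the call would be check_server_pair server.crt server.key cacert.pem, run from the mypki directory.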