Re: [Openca-Users] How to run apache-ssl for openca?

[Nicolas M. <nic...@la...>]

On 02:00 Wed 26 Jul     , itboi wrote:
> 
> Hi.
> I installed openca success with http protocol, but when i access to ra,
> ldap, pub with
> http://192.168.0.1/cgi-bin/ra/RAServer?cmd=getStaticPage&name=index 
> it display "Error 6251026
> General Error Aborting connection - you are using a wrong security protocol
> (http)."
> and I can't run with https://192.168.0.1/ca/  also i configed my system
> flowing http://ist.uwaterloo.ca/security/lib-proxy/howto/ssleay/ docs
> 
> But in the doc i don't understand two  lines:
> 
> SSLCertificateFile /software/sslCerts-1/config/certs/httpsd.pem
> SSLCertificateKeyFile /software/sslCerts-1/config/certs/private/httpsd.pem
> 
> That /software/sslCerts-1/config/certs/httpsd.pem file and
> /software/sslCerts-1/config/certs/private/httpsd.pem  from where and how to
> create it? 
> For openca i can make and find it from where?
> 

You must generate these two files. Here is a howto :

$ cd /root
$ chmod 700 .
$ umask 077
$ mkdir mypki
$ cd mypki
$ mkdir certs
$ mkdir private
$ touch index.txt
$ echo '01' > serial
$ vi openssl.cnf 
$ export OPENSSL_CONF="openssl.cnf"
$ openssl req -newkey rsa -x509 -subj '/C=US/O=MyOrg/OU=MyUnit/CN=MyRootCA' -out cacert.pem
Generating a 2048 bit RSA private key
....................................................+++
.............................+++
writing new private key to './private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----

$ export -n OPENSSL_CONF
$ openssl req -newkey rsa:1024 -keyout server.key -nodes -subj '/C=US/O=MyOrg/OU=MyUnit/CN=localhost' -out server.req 
Generating a 1024 bit RSA private key
.......................................++++++
.............................++++++
writing new private key to 'server.key'
-----

$ export OPENSSL_CONF="openssl.cnf"
$ openssl ca -in server.req -out server.crt
Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
organizationName      :PRINTABLE:'MyOrg'
organizationalUnitName:PRINTABLE:'MyUnit'
commonName            :PRINTABLE:'localhost'
Certificate is to be certified until Jul 26 09:28:28 2007 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

$ cat server.key
$ cat server.crt

Some explanations :
 - server.crt is the certificate for your web server
 - server.key is the private key for your web server (keep it secret !)
 - the content of openssl.cnf is given in the attached file

For more information :
 - man openssl

Regards,

Nicolas.