Date:      Tue, 31 Jan 2006 12:23:00 -0500
From:      Charles Swiger <cswiger@mac.com>
To:        Kövesdán Gábor <gabor.kovesdan@t-hosting.hu>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: Upgrading apache form 2.0.x to 2.2.x
Message-ID:  <6C8140DB-6E12-4C35-97C1-62931D7A2BAD@mac.com>
In-Reply-To: <43DF7CE2.2050408@t-hosting.hu>
References:  <43DF7CE2.2050408@t-hosting.hu>

On Jan 31, 2006, at 10:06 AM, Kövesdán Gábor wrote:
> I've upgraded today, but SSL doesn't work with the old settings. I
> suspect something's wrong with my self-signed certificates. If I
> set SSLEngine On globally, I get this:
>
> [Tue Jan 31 14:11:09 2006] [warn] RSA server certificate is a CA
> certificate (BasicConstraints: CA certificate (BasicConstraints: CA
> == TRUE !?)

Yeah, the RSA cert you use for your CA to sign other certs should not
be used as a host cert for SSL.  Generate a new RSA cert, generate a
CSR, and use the CA cert to sign your new RSA cert for the webserver:


    openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365
    openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
    openssl ca -policy policy_anything -out newcert.pem -infiles tmp.pem
    #  (newcert.pem contains signed certificate, newreq.pem still contains
    #  unsigned certificate and private key)

--
-Chuck
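
The separation described in the reply above, as an added example that is not part of the original message: a throwaway CA certificate (CA:TRUE) signs a separate host certificate (CA:FALSE), and `is_ca_cert` checks for the condition the Apache warning reports. It uses `openssl x509 -req` with an explicit extensions file instead of `openssl ca` so that it runs without a configured CA directory; the file names, subject names and config section names are constructed for this example.

```shell
# Added example: constructed names and throwaway keys, not from the original message.
# Minimal OpenSSL config with separate extension sections for the CA and the host.
write_cnf() {
    cat > "$1/ex.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Self-signed CA certificate: used only to sign, never as SSLCertificateFile.
make_ca() {
    openssl req -config "$1/ex.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Test CA" -extensions v3_ca \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Separate key and CSR for the web server, signed by the CA with CA:FALSE.
make_server() {
    openssl req -config "$1/ex.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -extfile "$1/ex.cnf" -extensions v3_server \
        -out "$1/server.pem" 2>/dev/null
}

# Succeeds (exit 0) when the certificate asserts BasicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

demo() {
    d=$(mktemp -d) && write_cnf "$d" && make_ca "$d" && make_server "$d" www.example.test
    for c in ca.pem server.pem; do
        is_ca_cert "$d/$c" && echo "$c: CA:TRUE, signing only" || echo "$c: end-entity, OK to serve"
    done
    openssl verify -CAfile "$d/ca.pem" -purpose sslserver "$d/server.pem"
    rm -rf "$d"
}
demo
```

Running `is_ca_cert` against the file a virtual host's certificate directive points at shows whether that host would trigger the warning quoted above.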



