From: Charles Swiger
Date: Tue, 31 Jan 2006 12:23:00 -0500
To: Kövesdán Gábor
Cc: freebsd-questions
Subject: Re: Upgrading apache form 2.0.x to 2.2.x

On Jan 31, 2006, at 10:06 AM, Kövesdán Gábor wrote:
> I've upgraded today, but SSL doesn't work with the old settings. I
> suspect something's wrong with my self-signed certificates. If I
> set SSLEngine On globally, I get this:
>
> [Tue Jan 31 14:11:09 2006] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

Yeah, the RSA cert you use for your CA to sign other certs should not
be used as a host cert for SSL.  Generate a new RSA cert, generate a
CSR, and use the CA cert to sign your new RSA cert for the webserver:

openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365
openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
openssl ca -policy policy_anything -out newcert.pem -infiles tmp.pem
# (newcert.pem contains signed certificate, newreq.pem still contains
# unsigned certificate and private key)

-- 
-Chuck
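
Added example, not part of the original message: a shell script that tests a certificate for the BasicConstraints CA:TRUE flag behind the warning quoted above, and builds a throwaway CA plus a separately signed host certificate to show the difference. It signs with `openssl x509 -req -CA` rather than the `openssl ca` command in the reply, so it needs no CA database; all file names, subject names and extension section names are constructed for the example.

```shell
#!/bin/sh
# Added example; all file names and subject names below are constructed.

# is_ca_cert FILE: succeeds if the certificate asserts BasicConstraints CA:TRUE,
# the condition behind mod_ssl's "RSA server certificate is a CA certificate".
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# check_host_cert FILE: report whether FILE is suitable as a server certificate.
check_host_cert() {
    if is_ca_cert "$1"; then
        echo "$1: CA:TRUE, keep this for signing only"; return 1
    fi
    echo "$1: not a CA certificate"
}

# make_demo_pki DIR: build a throwaway CA and a host certificate signed by it.
make_demo_pki() {
    dir=$1
    cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_host]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # Self-signed CA certificate (CA:TRUE), used only to sign.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/ext.cnf" \
        -extensions v3_ca -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Separate key and CSR for the web server.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ext.cnf" \
        -subj "/CN=www.example.test" \
        -keyout "$dir/host.key" -out "$dir/host.csr" 2>/dev/null || return 1
    # The CA signs the CSR; the issued certificate carries CA:FALSE.
    openssl x509 -req -in "$dir/host.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/ext.cnf" -extensions v3_host \
        -out "$dir/host.pem" 2>/dev/null
}

# Check any certificate files given on the command line.
for f in "$@"; do check_host_cert "$f"; done
```

Run it with the path of the certificate named in SSLCertificateFile as its argument to check that certificate before restarting Apache.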