Date: Tue, 31 Jan 2006 19:08:26 +0100
From: Kövesdán Gábor <gabor.kovesdan@t-hosting.hu>
To: Charles Swiger <cswiger@mac.com>
Cc: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: Upgrading apache form 2.0.x to 2.2.x
Message-ID: <43DFA79A.4080707@t-hosting.hu>
In-Reply-To: <6C8140DB-6E12-4C35-97C1-62931D7A2BAD@mac.com>
References: <43DF7CE2.2050408@t-hosting.hu> <6C8140DB-6E12-4C35-97C1-62931D7A2BAD@mac.com>

Charles Swiger wrote:

> On Jan 31, 2006, at 10:06 AM, Kövesdán Gábor wrote:
>
>> I've upgraded today, but SSL doesn't work with the old settings. I
>> suspect something's wrong with my self-signed certificates. If I set
>> SSLEngine On globally, I get this:
>>
>> [Tue Jan 31 14:11:09 2006] [warn] RSA server certificate is a CA
>> certificate (BasicConstraints: CA certificate (BasicConstraints: CA
>> == TRUE !?)
>
> Yeah, the RSA cert you use for your CA to sign other certs should not
> be used as a host cert for SSL. Generate a new RSA cert, generate a
> CSR, and use the CA cert to sign your new RSA cert for the webserver:
>
> openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365
> openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
> openssl ca -policy policy_anything -out newcert.pem -infiles tmp.pem
> # (newcert.pem contains signed certificate, newreq.pem still contains
> # unsigned certificate and private key)

Thanks, I see the point, but I'm not really experienced in generating
certs. The lines you wrote led me to the following:

root@server# openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365
Generating a 1024 bit RSA private key
.........++++++
..........................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:HU
State or Province Name (full name) [Some-State]:Budapest
Locality Name (eg, city) []:Budapest
Organization Name (eg, company) [Internet Widgits Pty Ltd]:T-Hosting.Hu
Organizational Unit Name (eg, section) []:HTTP Server
Common Name (eg, YOUR name) []:server.t-hosting.hu
Email Address []:postmaster@t-hosting.hu
root@server# openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
Getting request Private Key
Generating certificate request
root@server# openssl ca -policy policy_anything -out newcert.pem -infiles tmp.pem
Using configuration from /etc/ssl/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
46641:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_lib.c:329:group=CA_default name=unique_subject
46641:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:276:fopen('./demoCA/private/cakey.pem','r')
46641:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:278:
unable to load CA private key
Segmentation fault (core dumped)

Could you tell me what's wrong?

Thanks,

Gabor Kovesdan
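
An added example, not part of the message above or of the quoted reply: the same CA-signs-host-certificate procedure done with "openssl x509 -req" and an explicit CA key instead of "openssl ca", so it does not depend on ./demoCA or the system openssl.cnf. The file names, the section names v3_ca and v3_server, the subjects and the host name server.example.test are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). File names, subjects and the
# ".example.test" host are constructed; the keys are throwaway test keys.

# Minimal config so nothing depends on the system openssl.cnf or ./demoCA.
write_conf() {  # $1 = directory
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Self-signed CA certificate: the only certificate that carries CA:TRUE.
make_ca() {  # $1 = directory
    write_conf "$1" &&
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Host key and CSR, then a leaf certificate signed by the CA (CA:FALSE).
issue_server_cert() {  # $1 = directory, $2 = host name
    openssl req -new -nodes -newkey rsa:2048 -config "$1/ca.cnf" \
        -subj "/CN=$2" -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -days 365 \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/ca.cnf" -extensions v3_server -out "$1/server.pem" 2>/dev/null
}

# Succeeds when a certificate would trigger the "is a CA certificate" warning.
is_ca_cert() {  # $1 = certificate file
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Demo: run the script with "demo" as its first argument.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_ca "$d" && issue_server_cert "$d" server.example.test &&
    openssl verify -CAfile "$d/ca.pem" "$d/server.pem"
fi
```

Apache's SSLCertificateFile would then point at server.pem and SSLCertificateKeyFile at server.key, while ca.pem is the certificate clients import as trusted.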