Date: Tue, 31 Jan 2006 12:23:00 -0500
From: Charles Swiger <cswiger@mac.com>
To: Kövesdán Gábor <gabor.kovesdan@t-hosting.hu>
Cc: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: Upgrading apache form 2.0.x to 2.2.x
Message-ID: <6C8140DB-6E12-4C35-97C1-62931D7A2BAD@mac.com>
In-Reply-To: <43DF7CE2.2050408@t-hosting.hu>
References: <43DF7CE2.2050408@t-hosting.hu>

On Jan 31, 2006, at 10:06 AM, Kövesdán Gábor wrote:
> I've upgraded today, but SSL doesn't work with the old settings. I
> suspect something's wrong with my self-signed certificates. If I
> set SSLEngine On globally, I get this:
>
> [Tue Jan 31 14:11:09 2006] [warn] RSA server certificate is a CA
> certificate (BasicConstraints: CA certificate (BasicConstraints: CA
> == TRUE !?)

Yeah, the RSA cert you use for your CA to sign other certs should not
be used as a host cert for SSL.  Generate a new RSA cert, generate a
CSR, and use the CA cert to sign your new RSA cert for the webserver:

  openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 365
  openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
  openssl ca -policy policy_anything -out newcert.pem -infiles tmp.pem
  # (newcert.pem contains signed certificate, newreq.pem still contains
  # unsigned certificate and private key)

-- 
-Chuck
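
The separation described in the reply above, as an added example that is not part of the original mail: a throwaway CA (CA:TRUE) signs a distinct host certificate (CA:FALSE), and a check confirms which is which. It uses `openssl x509 -req` with an extensions file instead of `openssl ca`, and the names "Demo Local CA", www.example.test, pki.cnf and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example; "Demo Local CA" and www.example.test are constructed names.

# is_ca_cert FILE: exit 0 if the certificate asserts BasicConstraints CA:TRUE,
# the condition the Apache warning above reports for a host certificate.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# make_demo_pki DIR: create a throwaway CA plus a host certificate signed by it.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    # One config file: [v3_ca] for the CA cert, [v3_host] for the host cert.
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Local CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_host]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
    # 1. CA key and self-signed CA certificate (used only to sign other certs).
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/pki.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # 2. Separate key and CSR for the web server.
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/pki.cnf" -subj "/CN=www.example.test" \
        -keyout "$dir/host.key" -out "$dir/host.csr" 2>/dev/null || return 1
    # 3. CA signs the CSR; v3_host marks the result as an end-entity cert.
    openssl x509 -req -in "$dir/host.csr" -days 365 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions v3_host \
        -out "$dir/host.pem" 2>/dev/null || return 1
    # 4. The host certificate must chain to the CA.
    openssl verify -CAfile "$dir/ca.pem" "$dir/host.pem" >/dev/null 2>&1
}
```

host.pem and host.key are the pair the web server loads; ca.pem is only handed to clients as a trust anchor, and ca.key stays off the server.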