[lug] self-signed apache certs on fedora core?

Craig Talbert at Colorado.EDU
Tue Sep 6 14:19:47 MDT 2005


Kind of an aside/plug -- CAcerts <cacert.org> is pretty cool. It's a free
certification authority. I wish browsers would pick up its root
certificate, but it's easy enough to install if you know how.

I can understand spending the thousands of dollars on Verisign or Thawte
if you're running amazon.com or even the fifty dollars on Comodo if
you're a small business owner or something like that.

I can't understand the rationale behind buying any certificate if you're
running a small site and just don't want to have to bother with browsers
popping up a warning every time you start a secure session because you
don't feel like giving your money away.

- Craig
"Ne te quaesiveris extra."


On Tue, 6 Sep 2005, Jeffrey Brown wrote:

> I never did like the wrapper scripts provided by Linux distributions. If
> all you want is a self-signed cert do the following:
>
> Taken from here (wrapped):
> http://www.openbsd.org/cgi-bin/man.cgi?query=ssl&sektion=8&apropos=0&manpath=OpenBSD+Current&arch=i386
>
>
> # openssl genrsa -out /etc/ssl/private/server.key 1024
> # openssl req -new -key /etc/ssl/private/server.key \
>     -out /etc/ssl/private/server.csr
> # openssl x509 -req -days 365 -in /etc/ssl/private/server.csr \
>     -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
>
> I think other details about this can be found in the openssl man pages
> such as ca, x509, req and genrsa etc., if those man pages are installed
> ;)  If you want full blown PKI consider the above commands the
> generation of your root certificate (change the days of course), iterate
> through it again replacing file names to the new certfile and the
> -signkey directive to the original root cert key.
>
>
> >>> stimits at comcast.net 9/5/2005 5:23:02 PM >>>
> Has anyone here found a way to use those provided
> scripts or Makefile to create a self-signed cert? If so, did you edit
> those scripts any? So far I've been able to create everything up to but
> not including my private CA (thus I'm unable to sign).
>
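
The "full blown PKI" step mentioned in the quoted reply, as an added example that is not part of the thread or of the OpenBSD man page: a private root signs a separate server certificate through `openssl x509 -req` with `-CA`/`-CAkey`, and `openssl verify` checks the result. The subject names, file names, temporary directory, 2048-bit key size and the subjectAltName line are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: private root CA plus a server certificate signed by it.
# Subjects, file names and key size are constructed for illustration.
umask 077   # keep generated private keys unreadable by other users

make_ca() {   # $1 = working directory
    ca_dir=$1
    openssl genrsa -out "$ca_dir/ca.key" 2048 2>/dev/null
    # Self-signed root; this is the only certificate that signs itself.
    openssl req -new -x509 -days 3650 -key "$ca_dir/ca.key" \
        -subj "/CN=Example Private Root CA" -out "$ca_dir/ca.crt"
}

make_server_cert() {   # $1 = working directory, $2 = host name
    srv_dir=$1 srv_host=$2
    openssl genrsa -out "$srv_dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$srv_dir/server.key" -subj "/CN=$srv_host" \
        -out "$srv_dir/server.csr"
    # Extension file so the certificate names the host in subjectAltName.
    printf 'subjectAltName=DNS:%s\n' "$srv_host" > "$srv_dir/san.ext"
    # Sign the CSR with the root's key (-CA/-CAkey), not with the server key.
    openssl x509 -req -days 365 -in "$srv_dir/server.csr" \
        -CA "$srv_dir/ca.crt" -CAkey "$srv_dir/ca.key" -CAcreateserial \
        -extfile "$srv_dir/san.ext" -out "$srv_dir/server.crt" 2>/dev/null
}

verify_chain() {   # succeeds only if server.crt chains to ca.crt
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

work=$(mktemp -d)
make_ca "$work" && make_server_cert "$work" www.example.test \
    && verify_chain "$work" && echo "server.crt chains to ca.crt in $work"
```

Only `ca.crt` needs to be imported into clients; `ca.key` is needed again only when signing another certificate.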


