Gentoo Forums
[SOLVED] apache ssl cert trouble
alex.blackbit
Advocate
Joined: 26 Jul 2005
Posts: 2397

Posted: Sat Jul 07, 2007 1:21 pm    Post subject: [SOLVED] apache ssl cert trouble

hello everybody!

in the past i have done that successfully, but now i can't any more.
i followed the guide on the apache website for my version 2.2.
when i use
Code:
$ openssl req -new -x509 -nodes -out server.crt -keyout server.key
, i CAN connect with all browsers, but i get the following in the log:
Code:
[Sat Jul 07 15:08:21 2007] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
but okay, that's not the right way anyways...
when i create a CA, a csr and sign the csr i still can connect with the browsers lynx,links,elinks, but no more with firefox. i get an error message about a bad signature (in german, so i do not know the exact text in english), but no warnings or errors in the logs. very strange.
i used the following to create the cert in the second case:
Code:
### create the key of the CA
$ openssl genrsa -des3 -out ca.key 1024
### create the cert of the CA
$ openssl req -new -x509 -days 3650 -nodes -sha1 -key ca.key -out ca.crt
### create the (encrypted) key of the server
$ openssl genrsa -des3 -out xx.vu.key.encrypted 1024
### decrypt the server key (for apache startup without prompt)
$ openssl rsa -in xx.vu.key.encrypted -out xx.vu.key
### create the signing request
$ openssl req -new -key xx.vu.key -out xx.vu.csr
### sign the request
$ openssl x509 -req -in xx.vu.csr -out xx.vu.crt -sha1 -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650

does anybody have a clue why i cannot connect with firefox?


Last edited by alex.blackbit on Sun Jul 08, 2007 12:09 pm; edited 1 time in total
alex.blackbit
Advocate
Joined: 26 Jul 2005
Posts: 2397

Posted: Sun Jul 08, 2007 12:08 pm

problem solved.
when creating the CA cert, the "common name" of the CA must NOT be the same as the "common name" of the server certificate.
i didn't know that before, found the solution just by playing around.
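
The condition behind the fix can be checked before deploying (added example, not part of the original posts): when the CA and the server certificate are given the same common name and every other subject field is also equal, the server certificate's issuer equals its own subject, so it reads as self-signed although a different key signed it. The function names and the sample names below are hypothetical; the sample text is constructed in the layout printed by `openssl x509 -noout -subject -issuer`.

```shell
#!/bin/sh
# Added example, not from the thread: name checks for a locally signed server
# certificate. Input text is what this prints for each certificate:
#   openssl x509 -in FILE -noout -subject -issuer

# Print the DN from the line labelled $1 ("subject" or "issuer") on stdin.
dn_field() {
    sed -n "s/^$1= *//p" | head -n 1
}

# $1 = name lines of the CA cert, $2 = name lines of the server cert.
# Prints a verdict; returns 0 only when the names can form a CA -> server chain.
check_names() {
    ca_subject=$(printf '%s\n' "$1" | dn_field subject)
    srv_subject=$(printf '%s\n' "$2" | dn_field subject)
    srv_issuer=$(printf '%s\n' "$2" | dn_field issuer)
    if [ -z "$ca_subject" ] || [ -z "$srv_subject" ] || [ -z "$srv_issuer" ]; then
        echo "unparsable"; return 2
    fi
    if [ "$srv_issuer" != "$ca_subject" ]; then
        echo "wrong-issuer"; return 1      # signed by some other CA
    fi
    if [ "$srv_subject" = "$srv_issuer" ]; then
        echo "self-issued"; return 1       # same DN as the CA: the case in this thread
    fi
    echo "ok"
}

# Convenience wrapper for real files (needs the openssl CLI).
check_files() {
    check_names "$(openssl x509 -in "$1" -noout -subject -issuer)" \
                "$(openssl x509 -in "$2" -noout -subject -issuer)"
}

# Constructed sample output; all names are placeholders.
CA_SAME='subject=C = AT, O = Example, CN = www.example.test
issuer=C = AT, O = Example, CN = www.example.test'
SRV_SAME=$CA_SAME
CA_OK='subject=C = AT, O = Example, CN = Example Test CA
issuer=C = AT, O = Example, CN = Example Test CA'
SRV_OK='subject=C = AT, O = Example, CN = www.example.test
issuer=C = AT, O = Example, CN = Example Test CA'

check_names "$CA_SAME" "$SRV_SAME" || true   # same common name for CA and server
check_names "$CA_OK" "$SRV_OK"               # distinct common names
```

With real files, `check_files ca.crt xx.vu.crt` runs the same comparison on the certificates produced by the commands in the first post.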