[CentOS] which commands do you use to SSL certify your own server?
Paul Heinlein
heinlein at madboa.com
Fri Jun 15 15:56:24 UTC 2007
On Fri, 15 Jun 2007, M. Fioretti wrote:
>> 1) Run
>>
>> openssl req \
>> -x509 -nodes -days 365 \
>> -subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \
>> -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
>
> this would be the one-command version of running CA -newreq -nodes,
> after placing the right values of C, ST, L, CN, etc... in openssl.cnf,
> right?
Right.
> Still to be 100% sure of what we are saying: the command above
> self-signs keys and certificate and puts both of them in the
> mycert.pem file, correct?
Right.
>> Also, if you're doing this on a private server, you can keep the
>> cert and the key in the same file.
>
> I assume by "private" here you mean "a server which is only used by
> the members of a closed organization (business, charity,
> whatever...) but is not used as an ISP to the public", right?
Right. I use "private" in the sense of "I trust that users with login
privileges to this machine won't abuse it or intentionally try to
access data that's off-limits to them."
>> I'd just give it 0600 perms no matter where you put it.
>
> 0600 and ownership root, of course?
Yes.
> Sorry for the repeated questions, but I must say that SSL is one of
> the fields where the available docs are less clear to
> non-professionals. It seems to take a lot of effort to just figure
> out which are the right questions to ask...
I agree whole-heartedly. Building and maintaining an infrastructure to
support SSL-enabled applications is a daunting task, and quite
different from learning SSL programming or theory. Anyone looking to
write for O'Reilly could probably pitch such a title! :-)
--
Paul Heinlein <> heinlein at madboa.com <> www.madboa.com
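
Added example, not part of the original post: a shell check for the combined file discussed in this thread (key and self-signed certificate together in mycert.pem, mode 0600, owned by root). The function names and the optional OWNER argument are assumptions; the second check needs the openssl command.

```shell
#!/bin/sh
# Added example: audit a combined key+certificate file such as mycert.pem.
# Function names and the optional OWNER argument are assumptions.

# check_layout FILE [OWNER]: both PEM blocks present, mode 0600, owned by OWNER.
check_layout() {
    f=$1 owner=${2:-root} rc=0
    [ -f "$f" ] || { echo "FAIL: $f is not a regular file"; return 1; }
    grep -Eq -e '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$f" ||
        { echo "FAIL: no private key block in $f"; rc=1; }
    grep -q -e '^-----BEGIN CERTIFICATE-----' "$f" ||
        { echo "FAIL: no certificate block in $f"; rc=1; }
    # find prints the path only when the test matches; -perm 600 is an exact match
    [ -n "$(find "$f" -prune -perm 600)" ] ||
        { echo "FAIL: $f is not mode 0600"; rc=1; }
    [ -n "$(find "$f" -prune -user "$owner")" ] ||
        { echo "FAIL: $f is not owned by $owner"; rc=1; }
    return $rc
}

# check_crypto FILE: the private key belongs to the certificate, and the
# certificate names itself as issuer (what "openssl req -x509" produces).
check_crypto() {
    f=$1
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$f" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: private key does not match certificate"; return 1; }
    subject=$(openssl x509 -in "$f" -noout -subject) || return 1
    issuer=$(openssl x509 -in "$f" -noout -issuer) || return 1
    [ "${subject#subject=}" = "${issuer#issuer=}" ] ||
        { echo "FAIL: subject and issuer differ, not self-signed"; return 1; }
}

# audit_combined_pem FILE [OWNER]: run both checks; exit status 0 means all passed.
audit_combined_pem() {
    check_layout "$1" "${2:-root}" && check_crypto "$1" && echo "OK: $1"
}
```

After sourcing the file, call audit_combined_pem with the path to the combined file; pass a second argument when an account other than root is meant to own it.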