On Thu, 5 Nov 2009, John Doe wrote:
>> Also, there's an Apache bug that fouls things up if the "CA" and "CA SSL" root certificates both have the same CN: https://issues.apache.org/bugzilla/show_bug.cgi?id=45708
> Hum.. that might be the case... They must all use 'myhost.mydomain' as CN... Do you know how to specify different CNs in a common openssl.conf file?
I use a Makefile wrapper around the openssl calls. Here's a condensed version:
----- %< -----
#
# usage:
#
#   make my.hostname.com.csr -- generate a CSR for host
#   make my.hostname.com.crt -- build a CA-signed certificate
#

CONF = openssl.cnf
OPENSSL = openssl
SUBJECT = /C=US/ST=OR/L=Portland/O=Our Organization
CSRARGS = req -new -config $(CONF)
CRTARGS = ca -config $(CONF)

.PRECIOUS: %.key

# The pattern stem (the host name) becomes the CN of each request.
%.key:
	$(OPENSSL) genrsa -out $@ 2048

%.csr: %.key
	$(OPENSSL) $(CSRARGS) -key $^ -out $@ -subj "$(SUBJECT)/CN=$*"

# ENV is not defined in this condensed version and expands to nothing,
# so CN is passed to openssl as an environment variable.
%.crt: %.csr
	$(ENV) CN=$* $(OPENSSL) $(CRTARGS) -in $^ -out $@
----- %< -----
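
A check for the condition described in the Apache bug linked above, as an added example that is not part of the original message: it reports any CN shared by more than one certificate. The function names `cert_subjects` and `dup_cns` and the file names in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# Usage (file names are placeholders):
#   cert_subjects ca.crt ca-ssl.crt | dup_cns

# Print "file<TAB>subject" for each PEM certificate file given.
cert_subjects() {
    for f in "$@"; do
        s=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253) || return 1
        printf '%s\t%s\n' "$f" "$s"
    done
}

# Read "file<TAB>subject" lines on stdin and print every CN that appears in
# more than one file as "CN<TAB>file1,file2,...".
# Exit status is 1 if a duplicate CN was found, 0 otherwise.
dup_cns() {
    awk -F '\t' '
    BEGIN { SEP = "\001" }                   # stand-in for escaped commas
    {
        subj = $2
        sub(/^subject= */, "", subj)         # old and new openssl spacing
        gsub(/\\,/, SEP, subj)               # keep "\," inside a value intact
        n = split(subj, rdn, ",")
        cn = ""
        for (i = 1; i <= n; i++)
            if (rdn[i] ~ /^CN=/) { cn = substr(rdn[i], 4); break }
        if (cn == "") next                   # subject without a CN
        gsub(SEP, ",", cn)
        if (cn in files) files[cn] = files[cn] "," $1
        else             files[cn] = $1
        count[cn]++
    }
    END {
        bad = 0
        for (cn in count)
            if (count[cn] > 1) { printf "%s\t%s\n", cn, files[cn]; bad = 1 }
        exit bad
    }'
}
```
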