On Fri, 15 Jun 2007, M. Fioretti wrote:
- Run
openssl req \
    -x509 -nodes -days 365 \
    -subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \
    -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
This would be the one-command version of running CA -newreq -nodes, after placing the right values of C, ST, L, CN, etc. in openssl.cnf, right?
Right.
Still to be 100% sure of what we are saying: the command above self-signs keys and certificate and puts both of them in the mycert.pem file, correct?
Right.
Also, if you're doing this on a private server, you can keep the cert and the key in the same file.
I assume by "private" here you mean "a server which is only used by the members of a closed organization (business, charity, whatever...) but is not used as an ISP to the public", right?
Right. I use "private" in the sense of "I trust that users with login privileges to this machine won't abuse it or intentionally try to access data that's off-limits to them."
I'd just give it 0600 perms no matter where you put it.
0600 and ownership root, of course?
Yes.
Sorry for the repeated questions, but I must say that SSL is one of the fields where the available docs are less clear to non-professionals. It seems to take a lot of effort to just figure out which are the right questions to ask...
I agree wholeheartedly. Building and maintaining an infrastructure to support SSL-enabled applications is a daunting task, and quite different from learning SSL programming or theory. Anyone looking to write for O'Reilly could probably pitch such a title! :-)
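As an added example, not from either correspondent: a small POSIX shell script that runs the one-command generation discussed above and then checks the two things asked in this thread, that mycert.pem really holds both the private key and the certificate, and that it sits at 0600 owned by root. It assumes the openssl CLI is installed and reuses the subject values from the command in the thread.

```shell
#!/bin/sh
# Added example: generate a combined key+cert PEM and verify its contents and perms.

# Count PEM blocks whose type ends in $2 (e.g. "CERTIFICATE", "PRIVATE KEY").
# Matching the type as a suffix also catches "RSA PRIVATE KEY" headers.
pem_block_count() {
    file=$1; kind=$2
    grep -c "^-----BEGIN .*${kind}-----$" "$file" 2>/dev/null || true
}

# "-keyout X -out X" should leave exactly one key and one certificate in X.
is_combined_pem() {
    [ "$(pem_block_count "$1" "PRIVATE KEY")" -eq 1 ] &&
    [ "$(pem_block_count "$1" "CERTIFICATE")" -eq 1 ]
}

# Octal mode of a file; GNU stat (Linux) first, BSD stat (macOS) as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The thread's advice: 0600 and root-owned. Wrong mode fails; a non-root
# owner is only reported, so the check is usable when run as a normal user.
check_key_perms() {
    mode=$(file_mode "$1")
    [ "$mode" = "600" ] || { echo "bad mode $mode on $1 (want 600)" >&2; return 1; }
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$owner" = "root" ] || echo "note: $1 is owned by $owner, not root" >&2
    return 0
}

# The one-command generation from the thread. The subshell umask makes the
# file 0600 from the moment it is created, never briefly world-readable.
make_selfsigned() {
    ( umask 077
      openssl req -x509 -nodes -days 365 \
          -subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \
          -newkey rsa:1024 -keyout "$1" -out "$1" 2>/dev/null )
}

# Usage: sh thisscript.sh --run   (only generates when openssl is available)
if [ "${1:-}" = "--run" ] && command -v openssl >/dev/null 2>&1; then
    make_selfsigned mycert.pem && is_combined_pem mycert.pem &&
        check_key_perms mycert.pem && echo "mycert.pem: key + cert present, perms ok"
fi
```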