I looked on the openssl man page but am too dense with commands to understand what I need to do..... Ran into problems generating a key and CSR for SSL, because the web site is on a server with an old Ensim Control Panel. Please someone knowledgeable, give me the openssl commands I need to use, after I ssh into the web site, to generate a 2048 bit key and csr. TIA and Happy New Year!
"I believe the issue you are having is due to the size of the encryption key. The ensim control panel generates a 1024 bit key, where the certificate you got was 2048 bits. What you need to do is generate a 2048 bit key and csr on your domain. You would need to log in to your domain through ssh and generate the files from the command line."
Lanny
It sounds, actually, as though you're talking about Certs for a web server. In that case, here's the best answer: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#aboutcerts which walks you through either creating a self-signed cert, or getting it ready to obtain a real one.
mark
On Tue, Dec 29, 2009 at 12:56 PM, m.roth@5-cent.us wrote:
It sounds, actually, as though you're talking about Certs for a web server. In that case, here's the best answer: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#aboutcerts which walks you through either creating a self-signed cert, or getting it ready to obtain a real one.
Mark: Thank you for replying. It's a real SSL cert. I found a page about openssl commands at NCSA at U. Illinois and when I tried an openssl command that might work, discovered that openssl is not available to me..... :-) Now awaiting reply from OLM Tech Support, for more ideas on how to do this, with this old Ensim Control Panel.... I will check out the URL you gave me. Lanny
Lanny:
discovered that openssl is not available to me
You should be able to do a yum install openssl. Do you have root access to the server?
Neil
On Tue, Dec 29, 2009 at 1:14 PM, Neil Aggarwal neil@jammconsulting.com wrote:
discovered that openssl is not available to me
You should be able to do a yum install openssl. Do you have root access to the server?
No, the site is on a shared server. I will ask him to install openssl, if it's not already installed on the server. Thanks!
On Tue, Dec 29, 2009 at 1:19 PM, Lanny Marcus lmmailinglists@gmail.com wrote:
On Tue, Dec 29, 2009 at 1:14 PM, Neil Aggarwal neil@jammconsulting.com wrote:
discovered that openssl is not available to me
You should be able to do a yum install openssl. Do you have root access to the server?
No, the site is on a shared server. I will ask him to install openssl, if it's not already installed on the server. Thanks!
It looks like openssl *is* installed on the server, because it is shown in the services. Apparently, the openssl command is not available to me to use for my site on this shared server. OpenSSL Secure Web
On Tue, Dec 29, 2009 at 12:56 PM, m.roth@5-cent.us wrote:
Lanny wrote:
<snip>
"I believe the issue you are having is due to the size of the encryption key. The ensim control panel generates a 1024 bit key, where the certificate you got was 2048 bits. What you need to do is generate a 2048 bit key and csr on your domain. You would need to log in to your domain through ssh and generate the files from the command line."
It sounds, actually, as though you're talking about Certs for a web server. In that case, here's the best answer: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#aboutcerts which walks you through either creating a self-signed cert, or getting it ready to obtain a real one.
Mark: Thank you for replying. It's a real SSL cert. I found a page about openssl commands at NCSA at U. Illinois and when I tried an openssl command that might work, discovered that openssl is not available to me..... :-) Now awaiting reply from OLM Tech
You might want to mouse around the server - it could just be that openssl isn't in your path, which isn't unreasonable for an ordinary user. Check the man page, and see what it says, or rpm -ql openssl
mark
On Tue, Dec 29, 2009 at 1:16 PM, m.roth@5-cent.us wrote:
On Tue, Dec 29, 2009 at 12:56 PM, m.roth@5-cent.us wrote:
Lanny wrote:
<snip>
>>> "I believe the issue you are having is due to the size of the
>>> encryption key. The ensim control panel generates a 1024 bit key,
>>> where the certificate you got was 2048 bits. What you need to do is
>>> generate a 2048 bit key and csr on your domain. You would need to
>>> log in to your domain through ssh and generate the files from the
>>> command line."
You might want to mouse around the server - it could just be that openssl isn't in your path, which isn't unreasonable for an ordinary user. Check the man page, and see what it says, or rpm -ql openssl
Mark: Thank you. openssl *is* shown in the services running, so I am sure that is the problem, that it is not in my path. I will ask him to include openssl in my path. Lanny
Lanny Marcus wrote:
Mark: Thank you. openssl *is* shown in the services running, so I am sure that is the problem, that it is not in my path. I will ask him to include openssl in my path. Lanny
you control your own path, ~/.bash_profile
or just specify the path to openssl on the command line, the default for CentOS is /usr/bin/openssl
Lanny Marcus wrote:
Mark: Thank you. openssl *is* shown in the services running, so I am sure that is the problem, that it is not in my path. I will ask him to include openssl in my path. Lanny
odd. openssl isn't a service, it's a utility. not sure why it would be running as a daemon.
On Tue, Dec 29, 2009 at 1:16 PM, m.roth@5-cent.us wrote:
On Tue, Dec 29, 2009 at 12:56 PM, m.roth@5-cent.us wrote:
Lanny wrote:
<snip>
>>> generate a 2048 bit key and csr on your domain. You would need to
>>> log in to your domain through ssh and generate the files from the
>>> command line."
You might want to mouse around the server - it could just be that openssl isn't in your path, which isn't unreasonable for an ordinary user. Check the man page, and see what it says, or rpm -ql openssl
Mark: Thank you. openssl *is* shown in the services running, so I am sure that is the problem, that it is not in my path. I will ask him to include openssl in my path. Lanny
Ok, you *really* need to read the manual, and the man pages. If you run the rpm command I gave you, you'll see the full path to the command. You can then run it ->using the full path<-. You can also add that directory to your path by resetting PATH in your .bashrc.
PLEASE READ the man pages. It will save you a) a lot of grief, and b) prevent folks here from being irritated that you didn't do more research before asking.
mark
On Tue, 29 Dec 2009, Lanny Marcus wrote:
Mark: Thank you. openssl *is* shown in the services running, so I am sure that is the problem, that it is not in my path. I will ask him to include openssl in my path. Lanny
Perhaps openssh as a daemon service -- openssl does not so run
/usr/bin/openssl
should be in the default path of any centos install when the 'openssl' package is installed -- if not there, ipse dixit, it is not CentOS, but yet another knock-off
-- Russ herrold
On 12/29/2009 11:36 AM, Lanny Marcus wrote:
I looked on the openssl man page but am too dense with commands to understand what I need to do..... Ran into problems generating a key and CSR for SSL, because the web site is on a server with an old Ensim Control Panel. Please someone knowledgeable, give me the openssl commands I need to use, after I ssh into the web site, to generate a 2048 bit key and csr. TIA and Happy New Year!
"I believe the issue you are having is due to the size of the encryption key. The ensim control panel generates a 1024 bit key, where the certificate you got was 2048 bits. What you need to do is generate a 2048 bit key and csr on your domain. You would need to log in to your domain through ssh and generate the files from the command line."
<snip>
This will create one with a passphrase
openssl genrsa -des3 -out mydomain.key 2048
openssl req -new -key mydomain.key -out mydomain.csr
Same but without a passphrase
openssl genrsa -out mydomain.key 2048
openssl req -new -key mydomain.key -out mydomain.csr
Cheers
On Tue, Dec 29, 2009 at 1:05 PM, Dan Carl danc@bluestarshows.com wrote:
On 12/29/2009 11:36 AM, Lanny Marcus wrote:
I looked on the openssl man page but am too dense with commands to understand what I need to do..... Ran into problems generating a key and CSR for SSL, because the web site is on a server with an old Ensim Control Panel. Please someone knowledgeable, give me the openssl commands I need to use, after I ssh into the web site, to generate a 2048 bit key and csr. TIA and Happy New Year!
"I believe the issue you are having is due to the size of the encryption key. The ensim control panel generates a 1024 bit key, where the certificate you got was 2048 bits. What you need to do is generate a 2048 bit key and csr on your domain. You would need to log in to your domain through ssh and generate the files from the command line."
<snip>
This will create one with a passphrase
openssl genrsa -des3 -out mydomain.key 2048
openssl req -new -key mydomain.key -out mydomain.csr
Same but without a passphrase
openssl genrsa -out mydomain.key 2048
openssl req -new -key mydomain.key -out mydomain.csr
Dan: Thank you. As I just replied to Mark, when I tried to use the openssl command, bash responded that it cannot find that command. I will relay these commands to OLM Tech Support. Maybe they can use the openssl command, if they log in as root on the server. Lanny
On Tue, 29 Dec 2009, Dan Carl wrote:
On 12/29/2009 11:36 AM, Lanny Marcus wrote:
I looked on the openssl man page but am too dense with commands to understand what I need to do
... snip
openssl commands I need to use, after I ssh into the web site, to generate a 2048 bit key and csr. TIA and Happy New Year!
This will create one with a passphrase
openssl genrsa -des3 -out mydomain.key 2048
openssl req -new -key mydomain.key -out mydomain.csr
Same but without a passphrase
openssl genrsa -out mydomain.key 2048
openssl req -new -key mydomain.key -out mydomain.csr
My notes indicate that another certificate authority [startssl] also requires a stronger (sha1) signing algorithm on CSR's -- ymmv
This is from a personal cheatsheet I wrote:
1. key withOUT a pass phrase
openssl genrsa -out trap.pmman.com-09.key 2048
1a. key WITH a pass phrase
openssl genrsa -des3 -out trap.pmman.com-09.key 2048
2. generate a signing request
openssl req -new -sha1 -key trap.pmman.com-09.key -out \
    trap.pmman.com.csr
3. view the signing request
openssl req -noout -text -in trap.pmman.com.csr
4. view the private key
openssl rsa -noout -text -in trap.pmman.com-09.key
(one has to provide the passphrase if so protected)
We add a key year suffix ('-09') on the key to avoid accidentally overwriting one, but not the CSR, because CSRs may be safely recreated anytime
Our (prior) convention is to name the CA signed file with a .pem suffix, but not a year modifier -- as I think about it though, doing so is harmless, and would avoid an accidental overwrite here as well.
5. view the CA counter-signed key file contents
openssl x509 -inform PEM -noout -text -ocspid \
    -in trap.pmman.com.pem
-- Russ herrold
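Added example (not part of the thread or of any poster's cheatsheet): a script that runs the key and CSR steps above non-interactively, then checks the result for the problem this thread started with, confirming the key is at least 2048 bits and that the CSR carries that key's public half. It signs the CSR with -sha256 rather than the -sha1 of the 2009 cheatsheet; the host name www.example.test and all function names are assumptions.

```shell
#!/bin/sh
# Added example; file names and the subject are placeholders.
set -eu

# Generate a 2048-bit RSA key (no passphrase) and a SHA-256 signed CSR.
make_key_and_csr() {   # $1 = output directory, $2 = host name
    ( umask 077        # private key readable by its owner only
      openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
      openssl req -new -sha256 -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr" )
}

# RSA modulus size in bits, read from the text dump of a key or CSR.
bits_of() {            # $1 = "rsa" (private key) or "req" (CSR), $2 = file
    openssl "$1" -noout -text -in "$2" |
        sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1
}

# Signature algorithm the CSR was signed with.
csr_sigalg() {         # $1 = CSR
    openssl req -noout -text -in "$1" |
        sed -n 's/.*Signature Algorithm: *//p' | head -n 1
}

# Succeeds only if the CSR carries the public half of the given private key.
csr_matches_key() {    # $1 = key, $2 = CSR
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null)
    c=$(openssl req -in "$2" -noout -pubkey)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Report on a key/CSR pair; fail if the key is under 2048 bits or they differ.
check_pair() {         # $1 = key, $2 = CSR
    kb=$(bits_of rsa "$1"); cb=$(bits_of req "$2")
    echo "key=${kb} bits  csr=${cb} bits  sig=$(csr_sigalg "$2")"
    [ "$kb" -ge 2048 ] && [ "$kb" = "$cb" ] && csr_matches_key "$1" "$2"
}

# Demo run in a throwaway directory.
dir=$(mktemp -d)
make_key_and_csr "$dir" www.example.test
check_pair "$dir/www.example.test.key" "$dir/www.example.test.csr"
rm -rf "$dir"
```

Running check_pair against the key and CSR before sending the CSR to the CA catches a request that was built from a different or smaller key than intended.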
On Tue, Dec 29, 2009 at 1:37 PM, R P Herrold herrold@centos.org wrote:
On Tue, 29 Dec 2009, Dan Carl wrote:
On 12/29/2009 11:36 AM, Lanny Marcus wrote:
I looked on the openssl man page but am too dense with commands to understand what I need to do
... snip
openssl commands I need to use, after I ssh into the web site, to generate a 2048 bit key and csr. TIA and Happy New Year!
My notes indicate that another certificate authority [startssl] also requires a stronger (sha1) signing algorithm on CSR's -- ymmv
Jackpot Russ. This is with StartCom Ltd. (StartSSL) in Israel. Eddy there really hung in there with me on this today. Super Support. :-)
On Tue, 29 Dec 2009, Lanny Marcus wrote:
My notes indicate that another certificate authority [startssl] also requires a stronger (sha1) signing algorithm on CSR's -- ymmv
Jackpot Russ. This is with StartCom Ltd. (StartSSL) in Israel. Eddy there really hung in there with me on this today. Super Support.
concur -- Eddy is a nice person to deal with; professional; willing to solve the follow through issues that CACert could not.
StartSSL is Highly recommended, in my book as well.
-- Russ herrold