I've been looking all over (google, wiki, manuals) for docs, and I can't find any mention of how to set up a CA or certificates *specifically for centos 5 / upstream 5*. There are plenty of generic guides on using openssl for this sort of thing, but I'd like to play nice within the standard structure of this system.
I've found the /etc/pki directory, but can't find much information about it. I reviewed the openssl.cnf file, and it looks like it's not completely set up, as many directories it references do not exist on the system.
What I'm looking to do is set up my own CA, then make some certificates for use with SSL, and sign them with the CA. This will be used for internal purposes.
Any pointers to guides or information would be appreciated. Thanks.
On Monday, August 27, 2007 5:19 PM -0400 Brian Mathis brian.mathis@gmail.com wrote:
I've found the /etc/pki directory, but can't find much information about it. I reviewed the openssl.cnf file, and it looks like it's not completely set up, as many directories it references do not exist on the system.
A good place to start is /etc/pki/tls/certs/Makefile.
I've just started using CentOS5, migrating from Fedora, so I'm not yet up to speed on the relocation of OpenSSL from /usr/share/openssl to /etc/pki/tls, but that Makefile is mostly what I used to create self-signed certs, or I used variations of the commands it suggested.
On Mon, 2007-08-27 at 16:48 -0700, Kenneth Porter wrote:
On Monday, August 27, 2007 5:19 PM -0400 Brian Mathis brian.mathis@gmail.com wrote:
I've found the /etc/pki directory, but can't find much information about it. I reviewed the openssl.cnf file, and it looks like it's not completely set up, as many directories it references do not exist on the system.
A good place to start is /etc/pki/tls/certs/Makefile.
I've just started using CentOS5, migrating from Fedora, so I'm not yet up to speed on the relocation of OpenSSL from /usr/share/openssl to /etc/pki/tls, but that Makefile is mostly what I used to create self-signed certs, or I used variations of the commands it suggested.
I spent a couple of hours today trying to figure out how to make self signed certs such that browsing to https://localhost would show the page without complaining about not knowing the CA that issued the site's certificate. If you bump into the solution I would appreciate it if you could reply to this thread.
Regards, Patrick
On Tue, 2007-08-28 at 02:34 +0200, Patrick wrote:
I spent a couple of hours today trying to figure out how to make self signed certs such that browsing to https://localhost would show the page without complaining about not knowing the CA that issued the site's certificate. If you bump into the solution I would appreciate it if you could reply to this thread.
You need to import your self-signed CA cert into the browser. Other than that (and editing the source, of course) you can't make the browser not complain; the whole point of the complaining is that your browser doesn't know about the CA and so can't trust them.
On Mon, 2007-08-27 at 20:42 -0400, Ignacio Vazquez-Abrams wrote:
On Tue, 2007-08-28 at 02:34 +0200, Patrick wrote:
I spent a couple of hours today trying to figure out how to make self signed certs such that browsing to https://localhost would show the page without complaining about not knowing the CA that issued the site's certificate. If you bump into the solution I would appreciate it if you could reply to this thread.
You need to import your self-signed CA cert into the browser. Other than that (and editing the source, of course) you can't make the browser not complain; the whole point of the complaining is that your browser doesn't know about the CA and so can't trust them.
Hi Ignacio. Of course you are right. I accidentally mixed up the two things I was looking at today: svn with https via self signed cert without complaining (or else websvn fails silently) and accessing a webpage via https. Sorry for the noise.
Regards, Patrick
On Mon, 2007-08-27 at 17:19 -0400, Brian Mathis wrote:
I've been looking all over (google, wiki, manuals) for docs, and I can't find any mention of how to set up a CA or certificates *specifically for centos 5 / upstream 5*. There are plenty of generic guides on using openssl for this sort of thing, but I'd like to play nice within the standard structure of this system.
I've found the /etc/pki directory, but can't find much information about it. I reviewed the openssl.cnf file, and it looks like it's not completely set up, as many directories it references do not exist on the system.
What I'm looking to do is set up my own CA, then make some certificates for use with SSL, and sign them with the CA. This will be used for internal purposes.
Any pointers to guides or information would be appreciated. Thanks.
Hi Brian, I did some more digging and maybe this link has some information that is useful: http://blog.laimbock.com/2007/08/28/svn-and-websvn-over-ssl-with-self-signed... The self-signed certificate stuff is at item 10 to 14 (skip 12).
Regards, Patrick
Brian Mathis wrote:
I've been looking all over (google, wiki, manuals) for docs, and I can't find any mention of how to set up a CA or certificates *specifically for centos 5 / upstream 5*. There are plenty of generic guides on using openssl for this sort of thing, but I'd like to play nice within the standard structure of this system.
Consider getting TinyCA2 from rpmforge.
It more than does the job. In fact you can create your own root cert and any number of server certs. Then just the one root cert installed in browsers will take care of all your TLS needs.
I've found the /etc/pki directory, but can't find much information about it. I reviewed the openssl.cnf file, and it looks like it's not completely set up, as many directories it references do not exist on the system.
What I'm looking to do is set up my own CA, then make some certificates for use with SSL, and sign them with the CA. This will be used for internal purposes.
Any pointers to guides or information would be appreciated. Thanks. _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
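The workflow the replies above describe (one root CA, any number of server certificates signed by it, clients trusting only that root), as an added example that is not part of the original thread. It works in a scratch directory rather than under /etc/pki, and the CA and host names are constructed.

```shell
#!/bin/sh
# Added example: a private CA in a scratch directory (nothing under /etc/pki is touched).
# All names (internal-ca, www.internal.example, ...) are constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the run does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

make_ca() {   # $1 = CA name; writes $1.key and the self-signed root $1.crt
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -subj "/O=Example Internal/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_cert() {   # $1 = CA name, $2 = host name; writes $2.key and $2.crt
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Internal/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null || return 1
    # Leaf extensions: not a CA, and the host name as subjectAltName.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" \
        > "$WORK/$2.ext"
    openssl x509 -req -in "$WORK/$2.csr" -sha256 -days 365 \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

trusts() {   # $1 = CA name acting as the client's trust store, $2 = host
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca internal-ca && issue_cert internal-ca www.internal.example
trusts internal-ca www.internal.example && echo "CA imported: trusted"
```

`-nodes` leaves both private keys unencrypted so the run is unattended; a real CA key should be passphrase-protected and kept off the web server.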
On Tue, 2007-08-28 at 09:03 -0400, Robert Moskowitz wrote:
Brian Mathis wrote:
I've been looking all over (google, wiki, manuals) for docs, and I can't find any mention of how to set up a CA or certificates *specifically for centos 5 / upstream 5*. There are plenty of generic guides on using openssl for this sort of thing, but I'd like to play nice within the standard structure of this system.
Consider getting TinyCA2 from rpmforge.
It more than does the job. In fact you can create your own root cert and any number of server certs. Then just the one root cert installed in browsers will take care of all your TLS needs.
I looked at it but could not figure out what to do after creating the CA. The app definitely would be of great help if there was a little bit of documentation to go with it.
Regards, Patrick
On 8/27/07, Brian Mathis brian.mathis@gmail.com wrote:
I've been looking all over (google, wiki, manuals) for docs, and I can't find any mention of how to set up a CA or certificates *specifically for centos 5 / upstream 5*. There are plenty of generic guides on using openssl for this sort of thing, but I'd like to play nice within the standard structure of this system.
I've found the /etc/pki directory, but can't find much information about it. I reviewed the openssl.cnf file, and it looks like it's not completely set up, as many directories it references do not exist on the system.
What I'm looking to do is set up my own CA, then make some certificates for use with SSL, and sign them with the CA. This will be used for internal purposes.
Any pointers to guides or information would be appreciated. Thanks.
Take a look at:
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-httpd-secure-ser...