[CentOS] which commands do you use to SSL certify your own server?
M. Fioretti
mfioretti at mclink.it
Fri Jun 15 15:15:23 UTC 2007
On Fri, Jun 15, 2007 06:32:42 AM -0700, Paul Heinlein
> You don't need a CA to create a single self-signed certificate.
I see. Actually, this is just one of those things that is not clear at
all from the online docs I found.
> >1) cd /usr/share/ssl
> >2) modify openssl.cnf to have your Common Name and other parameters
> >3) run:
> > ./CA -newca
> > ./CA -newreq-nodes
> >4) move the private key from the .pem file to a separate file
> >5) put the cert and key file in a location where Postfix,
> >6) Dovecot and Apache can all use them
> >7) configure each of those servers to use the certificate
> >
> >What have I missed?
>
> 1) Run
>
> openssl req \
> -x509 -nodes -days 365 \
> -subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \
> -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
This would be the one-command version of running CA -newreq -nodes,
after placing the right values of C, ST, L, CN, etc... in openssl.cnf,
right? Just to be sure that I have understood where all the pieces come
from (as I said, I won't be able to play on the server before
Sunday...)
Still to be 100% sure of what we are saying: the command above
self-signs keys and certificate and puts both of them in the
mycert.pem file, correct?
> Also, if you're doing this on a private server, you can keep the
> cert and the key in the same file.
I assume by "private" here you mean "a server which is only used by
the members of a closed organization (business, charity, whatever...)
but is not used as an ISP to the public", right?
> I'd just give it 0600 perms no matter where you put it.
0600 and ownership root, of course?
Sorry for the repeated questions, but I must say that SSL is one of
the fields where the available docs are less clear to
non-professionals. It seems to take a lot of effort to just figure out
which are the right questions to ask...
Thanks again in advance for any feedback,
Marco
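
The steps discussed in this thread, as an added example that is not part of the original messages: it builds the combined key-plus-certificate file with the quoted `openssl req` command, splits it into separate key and cert files, and checks the permissions and that key and certificate belong together. The `rsa:2048` key size, the `mail.example.test` name and all file names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example. Constructed values: rsa:2048, CN, and all file names.
set -eu

# Combined key+cert PEM, as in the quoted "openssl req" command.
make_selfsigned() {            # $1 = output PEM, $2 = Common Name
    ( umask 077                # key material is never world-readable
      openssl req -x509 -nodes -days 365 \
          -subj "/C=US/ST=Oregon/L=Portland/CN=$2" \
          -newkey rsa:2048 -keyout "$1" -out "$1" 2>/dev/null )
}

# Step 4 of the original list: key and cert in separate files.
split_pem() {                  # $1 = combined PEM, $2 = key, $3 = cert
    ( umask 077; openssl pkey -in "$1" -out "$2" )
    openssl x509 -in "$1" -out "$3"
}

# True when the certificate carries the public half of the private key.
key_matches_cert() {           # $1 = key (or combined PEM), $2 = cert
    k=$(openssl pkey -in "$1" -pubout | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# True when the certificate verifies against itself as trust anchor.
is_self_signed() {             # $1 = cert
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

file_mode() {                  # octal mode, GNU stat then BSD stat
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_selfsigned "$work/mycert.pem" mail.example.test
split_pem "$work/mycert.pem" "$work/server.key" "$work/server.crt"
key_matches_cert "$work/server.key" "$work/server.crt" && echo "key matches cert"
is_self_signed "$work/server.crt" && echo "certificate is self-signed"
echo "combined PEM mode: $(file_mode "$work/mycert.pem")"
echo "key file mode:     $(file_mode "$work/server.key")"
```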