[CentOS] which commands do you use to SSL certify your own server?
M. Fioretti
mfioretti at mclink.it
Sat Jun 16 09:08:45 UTC 2007
On Fri, Jun 15, 2007 17:14:55 PM -0700, Karl R. Balsmeier
(karl at klxsystems.net) wrote:
> # openssl genrsa -out /etc/ssl/private/server.key 1024
>
> # openssl req -new -key /etc/ssl/private/server.key \
>     -out /etc/ssl/private/server.csr
>
> # openssl x509 -req -days 365 -in /etc/ssl/private/server.csr \
>     -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
>
Where should the -nodes option go with this approach? Only in the
first command?

Now, let's compare this with the one-command solution that Paul
provided, please:

> openssl req \
> -x509 -nodes -days 365 \
> -subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \
> -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

If I _am_ starting to figure this out, the only differences are that:

- Paul passed all the options on the command line in -subj, Karl assumes
  they are in openssl.cnf
- Karl places keys and certificate in _separate_ files (as I had
  originally asked), so he needs 3 commands instead of one: the first
  creates the key, the second an unsigned certificate in
  /etc/ssl/private/server.csr, the third signs that certificate with
  the key and puts the signed version in /etc/ssl/server.crt

Is this explanation correct?

Yes, I'm being verbose and I'm nitpicking, but since we all agreed
there is no decent documentation on these basic issues (*), we can say
we're writing it now, aren't we?

Thanks again for your time and patience,
Marco

(*) For the record, I asked the same question on the openssl-users
list before coming here, but am still waiting for any answer on that
front...

--
Help *everybody* love Free Standards and Free Software:
http://digifreedom.net/node/73
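
The two approaches compared in this message, as an added example that is not part of the original post or written by anyone in the thread: a shell script that runs both forms with key and certificate in separate files and checks what each one produced. The subject, file names, temporary directory and the 2048-bit key size (in place of the thread's 1024) are assumptions made for the example.

```sh
#!/bin/sh
# Added example. Subject, file names and the 2048-bit size are constructed for illustration.
SUBJ='/C=US/ST=Oregon/L=Portland/CN=www.example.com'

# Three commands: private key, CSR, then a certificate self-signed with that key.
three_step() {
    # genrsa only encrypts the key when given a cipher option (e.g. -aes256),
    # so no -nodes is needed; -nodes belongs to "openssl req" when it makes the key.
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    chmod 600 "$1/server.key" &&
    openssl req -new -key "$1/server.key" -subj "$SUBJ" -out "$1/server.csr" &&
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# One command, but with -keyout and -out pointing at separate files.
one_step() {
    openssl req -x509 -nodes -days 365 -subj "$SUBJ" \
        -newkey rsa:2048 -keyout "$1/one.key" -out "$1/one.crt" 2>/dev/null &&
    chmod 600 "$1/one.key"
}

# True when the certificate carries the public half of the given private key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when the key file is stored without a passphrase.
key_is_unencrypted() { [ -s "$1" ] && ! grep -q ENCRYPTED "$1"; }

# True when subject and issuer are the same name, i.e. the cert is self-issued.
is_self_issued() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True when the file is a well-formed CSR whose own signature checks out.
csr_is_valid() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

demo() {
    d=$(mktemp -d) || return 1
    three_step "$d" && one_step "$d" || return 1
    for p in server one; do
        key_matches_cert "$d/$p.key" "$d/$p.crt" && is_self_issued "$d/$p.crt" &&
            key_is_unencrypted "$d/$p.key" && echo "$p: key/cert pair OK"
    done
    rm -rf "$d"
}
demo
```

Both forms end with an unencrypted key and a self-issued certificate in separate files; `server.csr` from the three-step form is a certificate signing request and can be deleted once `server.crt` exists.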