On Fri, 15 Jun 2007, M. Fioretti wrote:

>> 1) Run
>>
>> openssl req \
>>   -x509 -nodes -days 365 \
>>   -subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \
>>   -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
>
> this would be the one-command version of running CA -newreq -nodes,
> after placing the right values of C, ST, L, CN, etc... in openssl.cnf,
> right?

Right.

> Still to be 100% sure of what we are saying: the command above
> self-signs keys and certificate and puts both of them in the
> mycert.pem file, correct?

Right.

>> Also, if you're doing this on a private server, you can keep the
>> cert and the key in the same file.
>
> I assume by "private" here you mean "a server which is only used by
> the members of a closed organization (business, charity,
> whatever...) but is not used as an ISP to the public", right?

Right. I use "private" in the sense of "I trust that users with login
privileges to this machine won't abuse it or intentionally try to access
data that's off-limits to them."

>> I'd just give it 0600 perms no matter where you put it.
>
> 0600 and ownership root, of course?

Yes.

> Sorry for the repeated questions, but I must say that ssl is one of
> the fields where the available docs are less clear to
> non-professionals. It seems to take a lot of effort to just figure
> out which are the right questions to ask...

I agree whole-heartedly. Building and maintaining an infrastructure to
support SSL-enabled applications is a daunting task, and quite different
from learning SSL programming or theory. Anyone looking to write for
O'Reilly could probably pitch such a title! :-)

--
Paul Heinlein <> heinlein at madboa.com <> www.madboa.com
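The recipe discussed in this exchange, carried through as an added example that is not code from the original thread or from madboa.com: a POSIX shell script that generates the key and self-signed certificate into one PEM file, applies the 0600 mode, and then checks that the file really holds a private key and a certificate that belong together. The hostname www.example.test and the output path are hypothetical, and the key size is rsa:2048 rather than the rsa:1024 of the 2007 command, since 1024-bit RSA is no longer considered adequate.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds a self-signed
# certificate with key and cert in one PEM file, as in the quoted recipe,
# restricts the file to mode 0600, and verifies the result.
# Assumptions: output path and hostname are hypothetical; rsa:2048 is
# used instead of the 2007-era rsa:1024.

# Generate key + self-signed cert into one file and restrict its mode.
# Usage: make_selfsigned /path/to/mycert.pem www.example.test
make_selfsigned() {
    out=$1
    cn=$2
    # -keyout and -out naming the same file writes the key first and
    # appends the certificate; stderr is silenced because older openssl
    # prints key-generation progress there.
    openssl req -x509 -nodes -days 365 \
        -subj "/C=US/ST=Oregon/L=Portland/CN=$cn" \
        -newkey rsa:2048 -keyout "$out" -out "$out" 2>/dev/null || return 1
    chmod 0600 "$out"
}

# Returns 0 only if the file holds exactly one private key and one
# certificate, the two share the same public key, the certificate
# verifies against itself (i.e. it is self-signed), and the mode is 0600.
check_selfsigned() {
    f=$1
    # BEGIN and END markers: exactly one key block and one cert block.
    [ "$(grep -c 'PRIVATE KEY-----' "$f")" -eq 2 ] || return 1
    [ "$(grep -c 'CERTIFICATE-----' "$f")" -eq 2 ] || return 1
    # Public key derived from the private key must equal the one in the cert.
    keypub=$(openssl pkey -in "$f" -pubout 2>/dev/null) || return 1
    certpub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) || return 1
    [ "$keypub" = "$certpub" ] || return 1
    # A self-signed cert verifies when it is its own trust anchor.
    openssl verify -CAfile "$f" "$f" >/dev/null 2>&1 || return 1
    # Owner read/write only; ls output is portable where stat flags are not.
    [ "$(ls -ld "$f" | cut -c1-10)" = "-rw-------" ] || return 1
}

# Returns 0 if the certificate subject carries the expected CN.
cert_has_cn() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null | grep -q "CN *= *$2"
}

# Command-line use: ./selfsigned.sh /path/to/mycert.pem www.example.test
if [ $# -eq 2 ]; then
    make_selfsigned "$1" "$2" && check_selfsigned "$1" && cert_has_cn "$1" "$2" \
        && echo "$1: matching key and self-signed cert, mode 0600"
fi
```

The check compares the public key extracted from the private key with the one embedded in the certificate, so a combined file in which only the certificate (or only the key) was later replaced is caught; `openssl verify -CAfile f f` confirms the certificate is self-signed, which is exactly what `-x509` without a signing CA produces.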