[CentOS] Certificates Revocation Lists and Apache...

Thu Nov 5 17:39:08 UTC 2009
Paul Heinlein <heinlein at madboa.com>

On Thu, 5 Nov 2009, John Doe wrote:

>> Also, there's an Apache bug that fouls things up if the "CA" and 
>> "CA SSL" root certificates both have the same CN:
>>   https://issues.apache.org/bugzilla/show_bug.cgi?id=45708
>
> Hum.. that might be the case...
> They must all use 'myhost.mydomain' as CN...
> Do you know how to specify different CNs in a common openssl.conf file?

I use a Makefile wrapper around the openssl calls. Here's a condensed 
version:

----- %< -----
#
# usage:
#
#  make my.hostname.com.csr -- generate a CSR for host
#  make my.hostname.com.crt -- build a CA-signed certificate
#

CONF = openssl.cnf
OPENSSL = openssl
SUBJECT = /C=US/ST=OR/L=Portland/O=Our Organization
CSRARGS = req -new -config $(CONF)
CRTARGS = ca -config $(CONF)

.PRECIOUS: %.key

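# Generate a 2048-bit RSA private key for the host.
%.key:
	$(OPENSSL) genrsa -out $@ 2048

# Build the CSR; the target stem ($*) becomes the certificate's CN.
%.csr: %.key
	$(OPENSSL) $(CSRARGS) -key $^ -out $@ -subj "$(SUBJECT)/CN=$*"

# Sign the CSR with the CA, passing the stem to openssl as CN in its
# environment. ENV is not set in this condensed version and expands to
# nothing.
%.crt: %.csr
	$(ENV) CN=$* $(OPENSSL) $(CRTARGS) -in $^ -out $@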

----- %< -----

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
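
Added example, not part of the original message or of the Makefile above: a shell check that reports when two or more CA certificates carry the same subject CN, the condition the Apache bug quoted above depends on. The function names (cert_cn, duplicate_cns, check_distinct_cns) are hypothetical, and it assumes PEM certificate files and the openssl command on PATH.

```shell
#!/bin/sh
# Added example: detect CA certificates that share a subject CN.
# Function names are hypothetical; input files are PEM certificates.

# Print the subject commonName of one PEM certificate.
# "-nameopt multiline" puts each subject field on its own line, so a CN
# containing commas or slashes is still read whole.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p' | head -n 1
}

# Print every CN that appears on more than one of the given certificates.
duplicate_cns() {
    for cert in "$@"; do
        cert_cn "$cert"
    done | sort | uniq -d
}

# Return 0 when all CNs are distinct. Otherwise list each shared CN with
# the files that carry it on stderr and return 1.
check_distinct_cns() {
    dups=$(duplicate_cns "$@")
    [ -z "$dups" ] && return 0
    echo "$dups" | while IFS= read -r cn; do
        echo "shared CN: $cn" >&2
        for cert in "$@"; do
            [ "$(cert_cn "$cert")" = "$cn" ] && echo "  $cert" >&2
        done
    done
    return 1
}

# Stand-alone use: pass the CA certificate files as arguments.
if [ "$#" -gt 0 ]; then
    check_distinct_cns "$@"
fi
```

Run it over the certificates that make up the CA chain before deploying them; a non-zero exit status means at least two of them have the same CN.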