On Thu, 5 Nov 2009, John Doe wrote: >> Also, there's an Apache bug that fouls things up if the "CA" and >> "CA SSL" root certificates both have the same CN: >> https://issues.apache.org/bugzilla/show_bug.cgi?id=45708 > > Hum.. that might be the case... > They must all use 'myhost.mydomain' as CN... > Do you know how to specify different CNs in a common openssl.conf file? I use a Makefile wrapper around the openssl calls. Here's a condensed version: ----- %< ----- # # usage: # # make my.hostname.com.csr -- generate a CSR for host # make my.hostname.com.crt -- build a CA-signed certificate # CONF = openssl.cnf OPENSSL = openssl SUBJECT = /C=US/ST=OR/L=Portland/O=Our Organization CSRARGS = req -new -config $(CONF) CRTARGS = ca -config $(CONF) .PRECIOUS: %.key %.key: $(OPENSSL) genrsa -out $@ 2048 %.csr: %.key $(OPENSSL) $(CSRARGS) -key $^ -out $@ -subj "$(SUBJECT)/CN=$*" %.crt: %.csr $(ENV) CN=$* $(OPENSSL) $(CRTARGS) -in $^ -out $@ ----- %< ----- -- Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/