On 11/5/05, Steven Stromer <<a href="mailto:filter@stevenstromer.com">filter@stevenstromer.com</a>> wrote:<div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> kwhiskers wrote: > > > On 03/11/05, *Steven Stromer* <<a href="mailto:filter@stevenstromer.com">filter@stevenstromer.com</a> > <mailto:<a href="mailto:filter@stevenstromer.com">filter@stevenstromer.com </a>>> wrote: > > >>>I want > >>>to create a self-signed CA cert, which is most easily achieved > using the > >>>ca.pl script. This is no longer anywhere to be found, along with the > >>>demoCA folder that one would normally expect to find. Can anyone > shed > >>>some light on where these files ended up? I can't find them on a > search. > > >>The perl script is in the openssl-perl package. The original > split was > >>needed to keep the openssl package from depending on perl, which > isn't > >>part of the "Base" package component/group. > >> > >>It looks like the generated data files would now be placed in > /etc/CA, > >>but of course that's configurable in openssl.cnf. > >> > >>HTH, > >> > >>Nalin > > > It seems to me that certificates can be created using : > > /etc/pki/tls/certs/Makefile > > ------------------------------------------- > > Aaron Konstam > > Thank you all for your replies. I was aware of the line: > > 'OpenSSL: the /usr/share/ssl contents have moved to /etc/pki/tls and > /etc/pki/CA.' > > in FC4's Release Notes. However, within the new path, there are many > files missing that were available in the old path. > > Nalin helped to explain some of the missing files by documenting that > openssl and openssl-perl are seperate packages. That helps to explain > some of the missing script files. > > Before learning this I manually executed all of the commnands I needed > to create my CA and host certificates and keys using openssl commands, > which are easier to use, in my opinion, than the perl scripts that > exist > to help in these steps. But, that's just a matter of opinion, and I > understand that there are a number of scripts that perform very > convenient file conversion, that I may find myself reaching for sometime > in the future. > > For the moment, I've skipped installing the openssl-perl package, just > to keep life as simple as possible (less to learn, secure, and just deal > with!). > > The Makefile is also very helpful for at least creating a pem styled > csr > (make certreq). > > However, this is where the remaining missing files and directories come > into play. I want to sign my newly minted request with my own CA cert, > but I am getting errors having to do with the configuration of > openssl.cnf. There seem to be a number of 'mistakes' in the CA_default > section of the configuration file. The first attribute 'dir', has a > value of '../../CA', which seems faulty to me. Worse, a few lines > later, > the 'crl_dir', 'serial', 'crl' and a number of other attributes have > values that point to directories and files that simply DO NOT EXIST! > > I have attempted to create some of the missing directories, which gets > me past the first few errors when executing: > > openssl ca -config /etc/pki/tls/openssl.cnf -policy policy_anything -out > www.domainname.com.pem -infiles www.domainname.com.request.pem > > but, eventually I get to errors relating to the missing files (ie. > index.txt) and I grind to a halt. > > Has anyone successfully created CA and signed their own certs using a > 'default' installation of FC4? Did you have to take any extraordinary > steps to achieve this? > > Thanks everyone for the responses. Sorry this is more involved than it > first seemed. > > Steven Stromer > > -- > fedora-list mailing list > <a href="mailto:fedora-list@redhat.com">fedora-list@redhat.com</a> <mailto:<a href="mailto:fedora-list@redhat.com"> fedora-list@redhat.com</a>> > To unsubscribe: <a href="https://www.redhat.com/mailman/listinfo/fedora-list">https://www.redhat.com/mailman/listinfo/fedora-list</a> > > > I am waiting with bated breath for the answer. > > I had created a certificate manually, with openssl pkcs > somethingorother, which generated the certificate and imported > successfully into konqueror, firefox and mozilla. > > This morning, I discovered the makefile in /etc/pki/certs and tried make > certificatename.pem and that worked also. > > I have placed these certificates into every directory I can think of in > the /etc/pki tree, as well as having imported them into the > aforementioned programs. > > I am unable to use these certificates to sign a document in open office, > however. > > As for your problem, I cannotoffer any more information, but I feel that > the solutions are allied. > It would seem that signing a certificate should be a fairly straightforward, and common action; al least common enough for some list readers to be able to say 'yes, I can do this without a problem in FC4', or 'no, I'm experiencing the same problems'. I am becoming more and more convinced that this is an issue of misconfiguration of the present openssl package, which might warrant a bug listing. There is some interesting, and very good, documentation on openssl.cfg at: <a href="http://www.technoids.org/openssl.cnf.html">http://www.technoids.org/openssl.cnf.html</a> It has helped me to understand better what is failing to work, some of which I described in an earlier posting in this thread. There are now a few people needing help here! Any brains in shining armor around? Thanks again! Steven Stromer </blockquote></div> You have the most knowledge regarding this problem. Don't ask others to battle for you. Pick up the gauntlet. File the bug report. Be your own knight!