Creating a self-signed CA cert
Steven Stromer
filter at stevenstromer.com
Sat Nov 5 18:01:06 UTC 2005
kwhiskers wrote:
>
>
> On 03/11/05, *Steven Stromer* <filter at stevenstromer.com> wrote:
>
> >>>I want to create a self-signed CA cert, which is most easily achieved
> >>>using the ca.pl script. This is no longer anywhere to be found, along
> >>>with the demoCA folder that one would normally expect to find. Can
> >>>anyone shed some light on where these files ended up? I can't find
> >>>them on a search.
>
> >>The perl script is in the openssl-perl package. The original split was
> >>needed to keep the openssl package from depending on perl, which isn't
> >>part of the "Base" package component/group.
> >>
> >>It looks like the generated data files would now be placed in /etc/CA,
> >>but of course that's configurable in openssl.cnf.
> >>
> >>HTH,
> >>
> >>Nalin
>
> > It seems to me that certificates can be created using :
> > /etc/pki/tls/certs/Makefile
> > -------------------------------------------
> > Aaron Konstam
>
> Thank you all for your replies. I was aware of the line:
>
> 'OpenSSL: the /usr/share/ssl contents have moved to /etc/pki/tls and
> /etc/pki/CA.'
>
> in FC4's Release Notes. However, within the new path, there are many
> files missing that were available in the old path.
>
> Nalin helped to explain some of the missing files by documenting that
> openssl and openssl-perl are separate packages. That helps to explain
> some of the missing script files.
>
> Before learning this I manually executed all of the commands I needed
> to create my CA and host certificates and keys using openssl commands,
> which are easier to use, in my opinion, than the perl scripts that exist
> to help in these steps. But, that's just a matter of opinion, and I
> understand that there are a number of scripts that perform very
> convenient file conversion, that I may find myself reaching for sometime
> in the future.
>
> For the moment, I've skipped installing the openssl-perl package, just
> to keep life as simple as possible (less to learn, secure, and just deal
> with!).
>
> The Makefile is also very helpful for at least creating a pem styled csr
> (make certreq).
>
> However, this is where the remaining missing files and directories come
> into play. I want to sign my newly minted request with my own CA cert,
> but I am getting errors having to do with the configuration of
> openssl.cnf. There seem to be a number of 'mistakes' in the CA_default
> section of the configuration file. The first attribute 'dir', has a
> value of '../../CA', which seems faulty to me. Worse, a few lines later,
> the 'crl_dir', 'serial', 'crl' and a number of other attributes have
> values that point to directories and files that simply DO NOT EXIST!
>
> I have attempted to create some of the missing directories, which gets
> me past the first few errors when executing:
>
> openssl ca -config /etc/pki/tls/openssl.cnf -policy policy_anything -out
> www.domainname.com.pem -infiles www.domainname.com.request.pem
>
> but, eventually I get to errors relating to the missing files (ie.
> index.txt) and I grind to a halt.
>
> Has anyone successfully created CA and signed their own certs using a
> 'default' installation of FC4? Did you have to take any extraordinary
> steps to achieve this?
>
> Thanks everyone for the responses. Sorry this is more involved than it
> first seemed.
>
> Steven Stromer
>
> I am waiting with bated breath for the answer.
>
> I had created a certificate manually, with openssl pkcs
> somethingorother, which generated the certificate and imported
> successfully into konqueror, firefox and mozilla.
>
> This morning, I discovered the makefile in /etc/pki/certs and tried make
> certificatename.pem and that worked also.
>
> I have placed these certificates into every directory I can think of in
> the /etc/pki tree, as well as having imported them into the
> aforementioned programs.
>
> I am unable to use these certificates to sign a document in open office,
> however.
>
> As for your problem, I cannot offer any more information, but I feel that
> the solutions are allied.
>
It would seem that signing a certificate should be a fairly
straightforward, and common action; at least common enough for some list
readers to be able to say 'yes, I can do this without a problem in FC4',
or 'no, I'm experiencing the same problems'. I am becoming more and more
convinced that this is an issue of misconfiguration of the present
openssl package, which might warrant a bug listing. There is some
interesting, and very good, documentation on openssl.cnf at:
http://www.technoids.org/openssl.cnf.html
It has helped me to understand better what is failing to work, some of
which I described in an earlier posting in this thread. There are now a
few people needing help here! Any brains in shining armor around?
Thanks again!
Steven Stromer
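The failures described in the thread (a 'dir' of '../../CA', and 'serial', 'index.txt' and 'newcerts' that do not exist) all come from the CA_default section of openssl.cnf pointing at a layout that was never created. The script below is an added example, not code from the thread or from the Fedora openssl package: it builds that layout under a directory of your choosing, writes a minimal openssl.cnf whose 'dir' is an absolute path, and then signs a CSR with `openssl ca`. The CA directory, the CA name "Example Test CA" and the host name are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: build the directory layout that the
# CA_default section of openssl.cnf expects, then sign a CSR with `openssl ca`.
# The CA path, CA name and host name are constructed for this example.

# Create the directories and bookkeeping files `openssl ca` refuses to run without.
setup_ca_layout() {
    ca="$1"
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    chmod 700 "$ca/private"                        # keep the CA key directory private
    : > "$ca/index.txt"                            # the 'database': one line per issued cert
    [ -f "$ca/serial" ] || echo 01 > "$ca/serial"  # next serial number, in hex
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $ca
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_anything
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# Mint the CA key and cert, issue a host CSR, sign it, then verify the result chains to the CA.
sign_host_cert() {
    ca="$1"; host="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$ca/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Example Test CA" -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$ca/openssl.cnf" \
        -subj "/CN=$host" -keyout "$ca/private/$host.key" -out "$ca/$host.request.pem" 2>/dev/null
    openssl ca -batch -notext -config "$ca/openssl.cnf" -policy policy_anything \
        -out "$ca/$host.pem" -infiles "$ca/$host.request.pem" 2>/dev/null
    openssl verify -CAfile "$ca/cacert.pem" "$ca/$host.pem" >/dev/null 2>&1 && grep -q "$host" "$ca/index.txt"
}
```

Run it as `setup_ca_layout /path/to/CA && sign_host_cert /path/to/CA www.example.test`; after signing, index.txt records the issued certificate, serial has been incremented and newcerts/01.pem holds a copy.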