Creating a self-signed CA cert
Steven Stromer
filter at stevenstromer.com
Tue Nov 8 23:20:18 UTC 2005
Kam Leo wrote:
> On 11/5/05, *Steven Stromer* <filter at stevenstromer.com> wrote:
>
> kwhiskers wrote:
> >
> >
> > On 03/11/05, *Steven Stromer* <filter at stevenstromer.com> wrote:
> >
> > >>> I want to create a self-signed CA cert, which is most easily achieved
> > >>> using the ca.pl script. This is no longer anywhere to be found, along
> > >>> with the demoCA folder that one would normally expect to find. Can
> > >>> anyone shed some light on where these files ended up? I can't find
> > >>> them on a search.
> >
> > >> The perl script is in the openssl-perl package. The original split was
> > >> needed to keep the openssl package from depending on perl, which isn't
> > >> part of the "Base" package component/group.
> > >>
> > >> It looks like the generated data files would now be placed in /etc/CA,
> > >> but of course that's configurable in openssl.cnf.
> > >>
> > >> HTH,
> > >>
> > >> Nalin
> >
> > > It seems to me that certificates can be created using :
> > > /etc/pki/tls/certs/Makefile
> > > -------------------------------------------
> > > Aaron Konstam
> >
> > Thank you all for your replies. I was aware of the line:
> >
> > 'OpenSSL: the /usr/share/ssl contents have moved to /etc/pki/tls and
> > /etc/pki/CA.'
> >
> > in FC4's Release Notes. However, within the new path, there are many
> > files missing that were available in the old path.
> >
> > Nalin helped to explain some of the missing files by documenting that
> > openssl and openssl-perl are separate packages. That helps to explain
> > some of the missing script files.
> >
> > Before learning this I manually executed all of the commands I needed
> > to create my CA and host certificates and keys using openssl commands,
> > which are easier to use, in my opinion, than the perl scripts that exist
> > to help in these steps. But, that's just a matter of opinion, and I
> > understand that there are a number of scripts that perform very
> > convenient file conversion, that I may find myself reaching for sometime
> > in the future.
> >
> > For the moment, I've skipped installing the openssl-perl package, just
> > to keep life as simple as possible (less to learn, secure, and just deal
> > with!).
> >
> > The Makefile is also very helpful for at least creating a pem styled csr
> > (make certreq).
> >
> > However, this is where the remaining missing files and directories come
> > into play. I want to sign my newly minted request with my own CA cert,
> > but I am getting errors having to do with the configuration of
> > openssl.cnf. There seem to be a number of 'mistakes' in the CA_default
> > section of the configuration file. The first attribute 'dir', has a
> > value of '../../CA', which seems faulty to me. Worse, a few lines later,
> > the 'crl_dir', 'serial', 'crl' and a number of other attributes have
> > values that point to directories and files that simply DO NOT EXIST!
> >
> > I have attempted to create some of the missing directories, which gets
> > me past the first few errors when executing:
> >
> > openssl ca -config /etc/pki/tls/openssl.cnf -policy policy_anything -out
> > www.domainname.com.pem -infiles www.domainname.com.request.pem
> >
> > but, eventually I get to errors relating to the missing files (i.e.
> > index.txt) and I grind to a halt.
> >
> > Has anyone successfully created CA and signed their own certs using a
> > 'default' installation of FC4? Did you have to take any extraordinary
> > steps to achieve this?
> >
> > Thanks everyone for the responses. Sorry this is more involved than it
> > first seemed.
> >
> > Steven Stromer
> >
> > --
> > fedora-list mailing list
> > fedora-list at redhat.com
> > To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
> >
> >
> > I am waiting with bated breath for the answer.
> >
> > I had created a certificate manually, with openssl pkcs
> > somethingorother, which generated the certificate and imported
> > successfully into konqueror, firefox and mozilla.
> >
> > This morning, I discovered the makefile in /etc/pki/certs and tried make
> > certificatename.pem and that worked also.
> >
> > I have placed these certificates into every directory I can think of in
> > the /etc/pki tree, as well as having imported them into the
> > aforementioned programs.
> >
> > I am unable to use these certificates to sign a document in open office,
> > however.
> >
> > As for your problem, I cannot offer any more information, but I feel that
> > the solutions are allied.
> >
> >
>
> It would seem that signing a certificate should be a fairly
> straightforward, and common action; at least common enough for some list
> readers to be able to say 'yes, I can do this without a problem in FC4',
> or 'no, I'm experiencing the same problems'. I am becoming more and more
> convinced that this is an issue of misconfiguration of the present
> openssl package, which might warrant a bug listing. There is some
> interesting, and very good, documentation on openssl.cfg at:
>
> http://www.technoids.org/openssl.cnf.html
>
> It has helped me to understand better what is failing to work, some of
> which I described in an earlier posting in this thread. There are now a
> few people needing help here! Any brains in shining armor around?
>
> Thanks again!
>
> Steven Stromer
>
>
> You have the most knowledge regarding this problem. Don't ask others to
> battle for you. Pick up the gauntlet. File the bug report. Be your own
> knight!
>
I have submitted this problem as a bug to redhat, #172744.
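The errors Steven describes come from `openssl ca` requiring a working directory (the old demoCA layout: index.txt, serial, newcerts/) that the FC4 openssl.cnf points at but the package never creates. The script below is an added example, not from the thread or the package: it builds that directory from scratch with its own minimal openssl.cnf, creates a self-signed CA, and then signs a CSR for www.domainname.com with the same `openssl ca ... -policy policy_anything ... -infiles` invocation the thread uses. All paths and names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: recreate the demoCA-style working
# directory 'openssl ca' expects, then sign a CSR with policy_anything.
set -eu
build_ca_and_sign() {
    cd "$1" && mkdir -p newcerts private
    : > index.txt     # empty cert database: the missing file in the thread
    echo 01 > serial  # next serial number, even-length hex
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256
policy = policy_anything
x509_extensions = usr_cert
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
prompt = no
x509_extensions = v3_ca
[ req_dn ]
commonName = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
    # Self-signed CA cert, a host key + CSR, then the CA signs the CSR.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config openssl.cnf \
        -subj "/CN=Example CA" -keyout private/cakey.pem -out cacert.pem
    openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
        -subj "/CN=www.domainname.com" -keyout host.key -out host.csr
    openssl ca -batch -config openssl.cnf -policy policy_anything \
        -out www.domainname.com.pem -infiles host.csr
}
```

Call it as `build_ca_and_sign "$(mktemp -d)"`; afterwards `openssl verify -CAfile cacert.pem www.domainname.com.pem` in that directory confirms the chain, and index.txt carries the new `V` entry that the thread's run never reached.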