New apache install and SSL test certificate


Post by James Wyat » Thu, 04 Apr 2002 09:37:41



Hello,

I just installed apache 1.3.22 advanced extranet server...I got the virtual
server up and running on port 443 with ssl...The problem is I can't find
where apache stores its keys...I think I can create and self certify the
needed keys, but how do I get apache to use my keys instead of the test
certificate that installs by default...Now that I think about it, I could use a
GOOD primer on creating and certifying ssl keys, but mostly I need to know
how to get them working with apache...BTW I'm using apache with mod_ssl and
it's openssl 0.9.6c-2mdk

Thank you in advance,
Jim

 
 
 


Post by Michael Heimin » Thu, 04 Apr 2002 09:52:28



> Hello,

> I just installed apache 1.3.22 advanced extranet server...I got
> the virtual server up and running on port 443 with ssl...The
> problem is I can't find where apache stores its keys...I think I
> can create and self certify the needed keys, but how do I get
> apache to use my keys instead of the test certificate that
> installs by default...Now that I think about it, I could use a GOOD
> primer on creating and certifying ssl keys, but mostly I need to
> know how to get them working with apache...BTW I'm using apache
> with mod_ssl and it's openssl 0.9.6c-2mdk

You take a look in httpd.conf?

Try:
'ps aux | grep httpd' to find out where it is on your box.

Michael Heiming
--
Remove the +SIGNS case mail bounces.

 
 
 


Post by James Wyat » Thu, 04 Apr 2002 10:16:03


There's nothing in httpd.conf except a pointer to the ssl directory...I go
there and I see the server key and cert...I guess my real question is how
to generate the key with my data and how to self sign it...I have got as
far as creating the keys and signing them, but apache still uses the old
test key and certificate...

> You take a look in httpd.conf?

> Try:
> 'ps aux | grep httpd' to find out where it is on your box.

> Michael Heiming
> --
> Remove the +SIGNS case mail bounces.

 
 
 


Post by AcmeSysAdmi » Thu, 04 Apr 2002 10:52:26


Take this one out for a spin:

Assuming I am correct as to the location of your cert file:

Establish an ssh session to the server and "su" to root

"cd" to /etc/httpsd/conf/certs

Type these commands, in this order:

openssl req -new > new.cert.csr

You will be prompted to enter some information necessary for the
certificate:

Prompt                            Entry
Country Name                      <US>
State or Province Name            <YourState>
City or Locality                  Anchorage
Organization Name                 <Your business name>
Organizational Unit               leave blank -- just hit <enter>
Common Name (SERVER HOST NAME)    <www.yourdomain.dom>

Do not enter extra attributes at the prompt.  LEAVE THE CHALLENGE PASSWORD
BLANK (PRESS <ENTER>)

You will be asked to enter a PEM phrase.  <make up a secret phrase>.

openssl rsa -in privkey.pem -out new.cert.key

You will need to enter the PEM phrase!

openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365

Now you may need to copy the new certificate files over the old ones.  Use
these commands:

cp new.cert.cert cert.cert

cp new.cert.key cert.key

Restart the httsd daemon:  /etc/rc.d/init.d/httspd restart


 
 
 


Post by James Wyat » Thu, 04 Apr 2002 12:19:50


AcmeSysAdmin is the man!!! It turns out I was generating the keys and certs
correctly the whole time, I just needed to edit the conf files to reflect
the change in my hostname from localhost to ****.d2g.com. The problem was I
would get error messages like "your session is being hijacked...the key is
from localhost but you are looking at ****.d2g.com..." or something like
that...thanks for the help acmesysadmin!!! BTW are you affiliated with an
Acme or is it a Wile E. Coyote spoof?

jim
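
An added example, not part of the thread: a non-interactive form of the self-signing steps posted above, plus the two checks that catch the failures discussed here (a key that does not belong to the certificate, and a Common Name that does not match the host name). The function names and the RSA key size are assumptions of this sketch; run the check against whichever files mod_ssl's SSLCertificateFile and SSLCertificateKeyFile directives name in your configuration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# make_selfsigned HOST DIR
# Writes new.cert.key, new.cert.csr and new.cert.cert into DIR.
# -nodes leaves the key unencrypted (the same end state as the
# "openssl rsa" step in the post), so umask 077 keeps it owner-only.
make_selfsigned() (
    umask 077
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$2/new.cert.key" -out "$2/new.cert.csr" 2>/dev/null &&
    openssl x509 -req -in "$2/new.cert.csr" -signkey "$2/new.cert.key" \
        -days 365 -out "$2/new.cert.cert" 2>/dev/null
)

# cert_cn CERT: print the subject Common Name of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# pubkey_match CERT KEY: succeed only if KEY is the private half of
# the public key embedded in CERT.
pubkey_match() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# check_pair CERT KEY HOST
# Returns 0 and prints "ok" when the pair is usable for HOST,
# 1 when the key does not belong to the certificate,
# 2 when the certificate's CN is not HOST (the "localhost" case).
check_pair() {
    pubkey_match "$1" "$2" || {
        echo "key does not match certificate"; return 1; }
    cn=$(cert_cn "$1")
    [ "$cn" = "$3" ] || {
        echo "CN '$cn' does not match host '$3'"; return 2; }
    echo "ok"
}
```

Typical use after copying the files into place: `check_pair cert.cert cert.key www.yourdomain.dom`, then restart the daemon only if it prints `ok`.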

 
 
 


Post by Luke Voge » Thu, 04 Apr 2002 16:50:22



> There's nothing in httpd.conf except a pointer to the ssl directory...I go
> there and I see the server key and cert...I guess my real question is how
> to generate the key with my data and how to self sign it...I have got as
> far as creating the keys and signing them, but apache still uses the old
> test key and certificate...

> > You take a look in httpd.conf?

> > Try:
> > 'ps aux | grep httpd' to find out where it is on your box.

> > Michael Heiming
> > --
> > Remove the +SIGNS case mail bounces.

In the apache source tree,

make certificate

The README documents are full of good info .... READ IT!

--
Regards
Luke
------
Q:  What does FAQ stand for?
A:  We are Frequently Asked this Question, and we have no idea.
------
C.O.L.S FAQ - http://www.linuxsecurity.com/docs/colsfaq.html
Note: Remove NOSPAM from my return address if necessary
------

 
 
 


Post by D. Stuss » Fri, 05 Apr 2002 06:34:43



>I just installed apache 1.3.22 advanced extranet server...I got the virtual
>server up and running on port 443 with ssl...The problem is I can't find
>where apache stores its keys...I think I can create and self certify the
>needed keys, but how do I get apache to use my keys instead of the test
>certificate that installs by default...Now that I think about it, I could use a
>GOOD primer on creating and certifying ssl keys, but mostly I need to know
>how to get them working with apache...BTW I'm using apache with mod_ssl and
>it's openssl 0.9.6c-2mdk

Apache finds the keys in the files that YOU TELL IT TO LOOK IN in the
configuration file.  It doesn't scan your system to find them itself.
 
 
 


Post by James Wyat » Fri, 05 Apr 2002 08:41:59


Thanks for the smart ass answer...I got it working, no help from you...I
think I'm going looking for dumb questions so I can assert how smart I am
without actually volunteering any information

> Apache finds the keys in the files that YOU TELL IT TO LOOK IN in the
> configuration file.  It doesn't scan your system to find them itself.

 
 
 


Post by D. Stuss » Sat, 06 Apr 2002 05:45:04


The answer is LITERALLY correct.  You have to specify the file-pathnames in the
apache configuration file for the certificate and its key.  Some people
actually miss this step or think that this has already been taken care of.

>Thanks for the smart ass answer...I got it working, no help from you...I
>think I'm going looking for dumb questions so I can assert how smart I am
>without actually volunteering any information

>> Apache finds the keys in the files that YOU TELL IT TO LOOK IN in the
>> configuration file.  It doesn't scan your system to find them itself.

 
 
 
