On 11/5/05, <b class="gmail_sendername">Steven Stromer</b> <<a href="mailto:filter@stevenstromer.com">filter@stevenstromer.com</a>> wrote:<div><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
kwhiskers wrote:<br>><br>><br>> On 03/11/05, *Steven Stromer* <<a href="mailto:filter@stevenstromer.com">filter@stevenstromer.com</a><br>> <mailto:<a href="mailto:filter@stevenstromer.com">filter@stevenstromer.com
</a>>> wrote:<br>><br>> >>>I want<br>> >>>to create a self-signed CA cert, which is most easily achieved<br>> using the<br>> >>>ca.pl script. This is no longer anywhere to be found, along with the
<br>> >>>demoCA folder that one would normally expect to find. Can anyone<br>> shed<br>> >>>some light on where these files ended up? I can't find them on a<br>> search.<br>
><br>> >>The perl script is in the openssl-perl package. The original<br>> split was<br>> >>needed to keep the openssl package from depending on perl, which<br>> isn't<br>> >>part of the "Base" package component/group.
<br>> >><br>> >>It looks like the generated data files would now be placed in<br>> /etc/CA,<br>> >>but of course that's configurable in openssl.cnf.<br>> >><br>
> >>HTH,<br>> >><br>> >>Nalin<br>><br>> > It seems to me that certificates can be created using :<br>> > /etc/pki/tls/certs/Makefile<br>> > -------------------------------------------
<br>> > Aaron Konstam<br>><br>> Thank you all for your replies. I was aware of the line:<br>><br>> 'OpenSSL: the /usr/share/ssl contents have moved to /etc/pki/tls and<br>> /etc/pki/CA.'
<br>><br>> in FC4's Release Notes. However, within the new path, there are many<br>> files missing that were available in the old path.<br>><br>> Nalin helped to explain some of the missing files by documenting that
<br>> openssl and openssl-perl are seperate packages. That helps to explain<br>> some of the missing script files.<br>><br>> Before learning this I manually executed all of the commnands I needed<br>
> to create my CA and host certificates and keys using openssl commands,<br>> which are easier to use, in my opinion, than the perl scripts that<br>> exist<br>> to help in these steps. But, that's just a matter of opinion, and I
<br>> understand that there are a number of scripts that perform very<br>> convenient file conversion, that I may find myself reaching for sometime<br>> in the future.<br>><br>> For the moment, I've skipped installing the openssl-perl package, just
<br>> to keep life as simple as possible (less to learn, secure, and just deal<br>> with!).<br>><br>> The Makefile is also very helpful for at least creating a pem styled<br>> csr<br>> (make certreq).
<br>><br>> However, this is where the remaining missing files and directories come<br>> into play. I want to sign my newly minted request with my own CA cert,<br>> but I am getting errors having to do with the configuration of
<br>> openssl.cnf. There seem to be a number of 'mistakes' in the CA_default<br>> section of the configuration file. The first attribute 'dir', has a<br>> value of '../../CA', which seems faulty to me. Worse, a few lines
<br>> later,<br>> the 'crl_dir', 'serial', 'crl' and a number of other attributes have<br>> values that point to directories and files that simply DO NOT EXIST!<br>><br>> I have attempted to create some of the missing directories, which gets
<br>> me past the first few errors when executing:<br>><br>> openssl ca -config /etc/pki/tls/openssl.cnf -policy policy_anything -out<br>> www.domainname.com.pem -infiles www.domainname.com.request.pem
<br>><br>> but, eventually I get to errors relating to the missing files (ie.<br>> index.txt) and I grind to a halt.<br>><br>> Has anyone successfully created CA and signed their own certs using a
<br>> 'default' installation of FC4? Did you have to take any extraordinary<br>> steps to achieve this?<br>><br>> Thanks everyone for the responses. Sorry this is more involved than it<br>> first seemed.
<br>><br>> Steven Stromer<br>><br>> --<br>> fedora-list mailing list<br>> <a href="mailto:fedora-list@redhat.com">fedora-list@redhat.com</a> <mailto:<a href="mailto:fedora-list@redhat.com">
fedora-list@redhat.com</a>><br>> To unsubscribe: <a href="https://www.redhat.com/mailman/listinfo/fedora-list">https://www.redhat.com/mailman/listinfo/fedora-list</a><br>><br>><br>> I am waiting with bated breath for the answer.
<br>><br>> I had created a certificate manually, with openssl pkcs<br>> somethingorother, which generated the certificate and imported<br>> successfully into konqueror, firefox and mozilla.<br>><br>> This morning, I discovered the makefile in /etc/pki/certs and tried make
<br>> certificatename.pem and that worked also.<br>><br>> I have placed these certificates into every directory I can think of in<br>> the /etc/pki tree, as well as having imported them into the<br>> aforementioned programs.
<br>><br>> I am unable to use these certificates to sign a document in open office,<br>> however.<br>><br>> As for your problem, I cannotoffer any more information, but I feel that<br>> the solutions are allied.
<br>><br><br>It would seem that signing a certificate should be a fairly<br>straightforward, and common action; al least common enough for some list<br>readers to be able to say 'yes, I can do this without a problem in FC4',
<br>or 'no, I'm experiencing the same problems'. I am becoming more and more<br>convinced that this is an issue of misconfiguration of the present<br>openssl package, which might warrant a bug listing. There is some<br>interesting, and very good, documentation on
openssl.cfg at:<br><br><a href="http://www.technoids.org/openssl.cnf.html">http://www.technoids.org/openssl.cnf.html</a><br><br>It has helped me to understand better what is failing to work, some of<br>which I described in an earlier posting in this thread. There are now a
<br>few people needing help here! Any brains in shining armor around?<br><br>Thanks again!<br><br>Steven Stromer<br><br></blockquote></div><br>You have the most knowledge regarding this problem. Don't ask others to battle for you. Pick up the gauntlet. File the bug report. Be your own knight!
<br>