Problems with SSL access through a web browser

Alexander Dalloz ad+lists at uni-x.org
Fri Nov 19 01:37:24 UTC 2004


On Fri, 19.11.2004, akonstam at trinity.edu wrote at 2:03:

> Can someone hint how one creates this needed certificate and where the
> file resides and under what name. I saw there was a Makefile that is
> supposed to do this but all I managed to do using that Makefile is
> secure the httpd server so that it could not be restarted without
> entering a passphrase.

> Aaron Konstam

There are different possibilities how you can create (and manage) such
certificates. In any case the base tool used is OpenSSL, which you can use
directly. http://sial.org/howto/openssl/ has some good papers. Some older
documentation by Red Hat is at
http://www.redhat.com/support/resources/faqs/RH-apache-FAQ/c163.html.
The Fedora OpenSSL comes with the script /usr/share/ssl/misc/CA.

One very basic thing is that the Common Name (CN) of the server service
cert has to fit its hostname. In some cases you would only get a
warning if they differ; in other situations / with other clients the
service is deferred.

Speaking about Apache on Fedora, the default location for the SSL server
hostcert is /etc/httpd/conf/ssl.crt/, for the hostkey it is
/etc/httpd/conf/ssl.key/. The location for the dovecot cert is
/usr/share/ssl/certs/. I don't know offhand whether this location is
hard coded during compilation or configurable with dovecot.conf. For the
obsolete uw-imapd it was hard coded.

Hope it helps a bit.

Alexander


-- 
Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.8-1.521smp 
Serendipity 02:35:44 up 1 day, 4:21, load average: 0.02, 0.26, 0.35 
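
Added example (not part of the original message or of the Fedora Makefile): creating a self-signed certificate directly with OpenSSL so that the CN equals the host name and the key carries no passphrase, then checking both properties. The host name www.example.test, the file names server.key and server.crt, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: host name and file names are constructed, not Fedora defaults.

# make_cert HOST DIR: self-signed cert whose CN is HOST, plus an unencrypted key.
# -nodes leaves the key without a passphrase, so httpd can start unattended;
# the key file's permissions are then its only protection (hence umask 077).
make_cert() {
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=$1" \
            -keyout "$2/server.key" -out "$2/server.crt" 2>/dev/null
    )
}

# cert_cn CERT: print the Common Name from the certificate subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n -e 's/^subject= *//' -e 's/.*CN=\([^,]*\).*/\1/p'
}

# cn_matches_host CERT HOST: succeed only if the CN equals HOST
# (case-insensitive, exact match; wildcard CNs are not handled here).
# Current clients compare against subjectAltName rather than the CN.
cn_matches_host() {
    cn=$(cert_cn "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$cn" ] && [ "$cn" = "$host" ]
}

# key_needs_passphrase KEY: succeed if the PEM key is encrypted, which is
# what makes httpd ask for a passphrase at every start.
key_needs_passphrase() {
    grep -q 'ENCRYPTED' "$1"
}

# Demo: run as "sh thisfile demo"; works in a temporary directory only.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_cert www.example.test "$d"
    cn_matches_host "$d/server.crt" www.example.test && echo "CN matches host"
    key_needs_passphrase "$d/server.key" || echo "key has no passphrase"
    rm -rf "$d"
fi
```
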