Creating a self-signed CA cert

kwhiskers kwhiskers at gmail.com
Fri Nov 4 19:35:02 UTC 2005


On 03/11/05, Steven Stromer <filter at stevenstromer.com> wrote:
>
> >>>I want
> >>>to create a self-signed CA cert, which is most easily achieved using the
> >>>ca.pl script. This is no longer anywhere to be found, along with the
> >>>demoCA folder that one would normally expect to find. Can anyone shed
> >>>some light on where these files ended up? I can't find them on a search.
>
> >>The perl script is in the openssl-perl package. The original split was
> >>needed to keep the openssl package from depending on perl, which isn't
> >>part of the "Base" package component/group.
> >>
> >>It looks like the generated data files would now be placed in /etc/CA,
> >>but of course that's configurable in openssl.cnf.
> >>
> >>HTH,
> >>
> >>Nalin
>
> > It seems to me that certificates can be created using :
> > /etc/pki/tls/certs/Makefile
> > -------------------------------------------
> > Aaron Konstam
>
> Thank you all for your replies. I was aware of the line:
>
> 'OpenSSL: the /usr/share/ssl contents have moved to /etc/pki/tls and
> /etc/pki/CA.'
>
> in FC4's Release Notes. However, within the new path, there are many
> files missing that were available in the old path.
>
> Nalin helped to explain some of the missing files by documenting that
> openssl and openssl-perl are separate packages. That helps to explain
> some of the missing script files.
>
> Before learning this I manually executed all of the commands I needed
> to create my CA and host certificates and keys using openssl commands,
> which are easier to use, in my opinion, than the perl scripts that exist
> to help in these steps. But, that's just a matter of opinion, and I
> understand that there are a number of scripts that perform very
> convenient file conversion, that I may find myself reaching for sometime
> in the future.
>
> For the moment, I've skipped installing the openssl-perl package, just
> to keep life as simple as possible (less to learn, secure, and just deal
> with!).
>
> The Makefile is also very helpful for at least creating a pem styled csr
> (make certreq).
>
> However, this is where the remaining missing files and directories come
> into play. I want to sign my newly minted request with my own CA cert,
> but I am getting errors having to do with the configuration of
> openssl.cnf. There seem to be a number of 'mistakes' in the CA_default
> section of the configuration file. The first attribute 'dir', has a
> value of '../../CA', which seems faulty to me. Worse, a few lines later,
> the 'crl_dir', 'serial', 'crl' and a number of other attributes have
> values that point to directories and files that simply DO NOT EXIST!
>
> I have attempted to create some of the missing directories, which gets
> me past the first few errors when executing:
>
> openssl ca -config /etc/pki/tls/openssl.cnf -policy policy_anything -out
> www.domainname.com.pem -infiles www.domainname.com.request.pem
>
> but, eventually I get to errors relating to the missing files (ie.
> index.txt) and I grind to a halt.
>
> Has anyone successfully created CA and signed their own certs using a
> 'default' installation of FC4? Did you have to take any extraordinary
> steps to achieve this?
>
> Thanks everyone for the responses. Sorry this is more involved than it
> first seemed.
>
> Steven Stromer

I am waiting with bated breath for the answer.

I had created a certificate manually, with openssl pkcs somethingorother,
which generated the certificate and imported successfully into konqueror,
firefox and mozilla.

This morning, I discovered the makefile in /etc/pki/certs and tried make
certificatename.pem and that worked also.

I have placed these certificates into every directory I can think of in the
/etc/pki tree, as well as having imported them into the aforementioned
programs.

I am unable to use these certificates to sign a document in open office,
however.

As for your problem, I cannot offer any more information, but I feel that the
solutions are allied.
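
The `openssl ca` errors described in the quoted message arise because that command reads and updates the state files named in the `[ CA_default ]` section (`index.txt`, `serial`, `new_certs_dir` and so on). The following is an added example, not part of the original thread or of Fedora's packaging: it builds that layout in a scratch directory with a trimmed configuration and signs a request with the same `openssl ca` invocation. The function name, the scratch directory and the subject names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example. Every path and name below is constructed for the demo.
build_demo_ca() {
    ca="$1"    # scratch CA directory (assumption; not the system /etc/pki/CA)
    # Directories and state files that [ CA_default ] points at.
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private" || return 1
    chmod 700 "$ca/private"
    : > "$ca/index.txt"        # issued-certificate database, starts empty
    echo 01 > "$ca/serial"     # next serial number, in hex
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $ca
certs         = \$dir/certs
crl_dir       = \$dir/crl
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate   = \$dir/cacert.pem
serial        = \$dir/serial
private_key   = \$dir/private/cakey.pem
default_days  = 365
default_md    = sha256
policy        = policy_anything
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
    # Self-signed CA certificate (-nodes leaves the key unencrypted: demo only).
    openssl req -x509 -config "$ca/openssl.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo CA" \
        -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" 2>/dev/null || return 1
    # Host key and certificate request.
    openssl req -new -config "$ca/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" \
        -keyout "$ca/host.key" -out "$ca/host.request.pem" 2>/dev/null || return 1
    # Sign the request; this step reads and updates index.txt and serial.
    openssl ca -batch -config "$ca/openssl.cnf" -policy policy_anything \
        -out "$ca/host.pem" -infiles "$ca/host.request.pem" 2>/dev/null || return 1
    openssl verify -CAfile "$ca/cacert.pem" "$ca/host.pem" >/dev/null
}
```

Call it as `build_demo_ca "$(mktemp -d)"`; afterwards `serial` holds the next number and `index.txt` has one entry for the issued certificate.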