Re: Creating a self-signed CA cert

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/5/05, Steven Stromer <filter@xxxxxxxxxxxxxxxxx> wrote:
kwhiskers wrote:
>
>
> On 03/11/05, *Steven Stromer* <filter@xxxxxxxxxxxxxxxxx
> <mailto:filter@xxxxxxxxxxxxxxxxx >> wrote:
>
>      >>>I want
>      >>>to create a self-signed CA cert, which is most easily achieved
>     using the
>      >>>ca.pl script. This is no longer anywhere to be found, along with the
>      >>>demoCA folder that one would normally expect to find. Can anyone
>     shed
>      >>>some light on where these files ended up? I can't find them on a
>     search.
>
>      >>The perl script is in the openssl-perl package.  The original
>     split was
>      >>needed to keep the openssl package from depending on perl, which
>     isn't
>      >>part of the "Base" package component/group.
>      >>
>      >>It looks like the generated data files would now be placed in
>     /etc/CA,
>      >>but of course that's configurable in openssl.cnf.
>      >>
>      >>HTH,
>      >>
>      >>Nalin
>
>      > It seems to me that certificates can be created using :
>      > /etc/pki/tls/certs/Makefile
>      > -------------------------------------------
>      > Aaron Konstam
>
>     Thank you all for your replies. I was aware of the line:
>
>     'OpenSSL: the /usr/share/ssl contents have moved to /etc/pki/tls and
>     /etc/pki/CA.'
>
>     in FC4's Release Notes. However, within the new path, there are many
>     files missing that were available in the old path.
>
>     Nalin helped to explain some of the missing files by documenting that
>     openssl and openssl-perl are seperate packages. That helps to explain
>     some of the missing script files.
>
>     Before learning this I manually executed all of the commnands I needed
>     to create my CA and host certificates and keys using openssl commands,
>     which are easier to use, in my opinion, than the perl scripts that
>     exist
>     to help in these steps. But, that's just a matter of opinion, and I
>     understand that there are a number of scripts that perform very
>     convenient file conversion, that I may find myself reaching for sometime
>     in the future.
>
>     For the moment, I've skipped installing the openssl-perl package, just
>     to keep life as simple as possible (less to learn, secure, and just deal
>     with!).
>
>     The Makefile is also very helpful for at least creating a pem styled
>     csr
>     (make certreq).
>
>     However, this is where the remaining missing files and directories come
>     into play. I want to sign my newly minted request with my own CA cert,
>     but I am getting errors having to do with the configuration of
>     openssl.cnf. There seem to be a number of 'mistakes' in the CA_default
>     section of the configuration file. The first attribute 'dir', has a
>     value of '../../CA', which seems faulty to me. Worse, a few lines
>     later,
>     the 'crl_dir', 'serial', 'crl' and a number of other attributes have
>     values that point to directories and files that simply DO NOT EXIST!
>
>     I have attempted to create some of the missing directories, which gets
>     me past the first few errors when executing:
>
>     openssl ca -config /etc/pki/tls/openssl.cnf -policy policy_anything -out
>     www.domainname.com.pem -infiles www.domainname.com.request.pem
>
>     but, eventually I get to errors relating to the missing files (ie.
>     index.txt) and I grind to a halt.
>
>     Has anyone successfully created CA and signed their own certs using a
>     'default' installation of FC4? Did you have to take any extraordinary
>     steps to achieve this?
>
>     Thanks everyone for the responses. Sorry this is more involved than it
>     first seemed.
>
>     Steven Stromer
>
>     --
>     fedora-list mailing list
>     fedora-list@xxxxxxxxxx <mailto: fedora-list@xxxxxxxxxx>
>     To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>
>
> I am waiting with bated breath for the answer.
>
> I had created a certificate manually, with openssl pkcs
> somethingorother, which generated the certificate and imported
> successfully into konqueror, firefox and mozilla.
>
> This morning, I discovered the makefile in /etc/pki/certs and tried make
> certificatename.pem and that worked also.
>
> I have placed these certificates into every directory I can think of in
> the /etc/pki tree, as well as having imported them into the
> aforementioned programs.
>
> I am unable to use these certificates to sign a document in open office,
> however.
>
> As for your problem, I cannotoffer any more information, but I feel that
> the solutions are allied.
>

It would seem that signing a certificate should be a fairly
straightforward, and common action; al least common enough for some list
readers to be able to say 'yes, I can do this without a problem in FC4',
or 'no, I'm experiencing the same problems'. I am becoming more and more
convinced that this is an issue of misconfiguration of the present
openssl package, which might warrant a bug listing. There is some
interesting, and very good, documentation on openssl.cfg at:

http://www.technoids.org/openssl.cnf.html

It has helped me to understand better what is failing to work, some of
which I described in an earlier posting in this thread. There are now a
few people needing help here! Any brains in shining armor around?

Thanks again!

Steven Stromer


You have the most knowledge regarding this problem.  Don't ask others to battle for you. Pick up the gauntlet. File the bug report.  Be your own knight!

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux