Re: Creating a self-signed CA cert

From: Steven Stromer (filter_at_stevenstromer.com)
Date: 11/04/05

    To: fedora-list@redhat.com
    Date: Thu, 03 Nov 2005 19:20:03 -0500

    >>>I want
    >>>to create a self-signed CA cert, which is most easily achieved using the
    >>>ca.pl script. This is no longer anywhere to be found, along with the
    >>>demoCA folder that one would normally expect to find. Can anyone shed
    >>>some light on where these files ended up? I can't find them on a search.

    >>The perl script is in the openssl-perl package. The original split was
    >>needed to keep the openssl package from depending on perl, which isn't
    >>part of the "Base" package component/group.
    >>
    >>It looks like the generated data files would now be placed in /etc/CA,
    >>but of course that's configurable in openssl.cnf.
    >>
    >>HTH,
    >>
    >>Nalin

    > It seems to me that certificates can be created using :
    > /etc/pki/tls/certs/Makefile
    > -------------------------------------------
    > Aaron Konstam

    Thank you all for your replies. I was aware of the line:

    'OpenSSL: the /usr/share/ssl contents have moved to /etc/pki/tls and
    /etc/pki/CA.'

    in FC4's Release Notes. However, within the new path, there are many
    files missing that were available in the old path.

    Nalin helped to explain some of the missing files by documenting that
    openssl and openssl-perl are separate packages. That helps to explain
    some of the missing script files.

    Before learning this I manually executed all of the commands I needed
    to create my CA and host certificates and keys using openssl commands,
    which are easier to use, in my opinion, than the perl scripts that exist
    to help in these steps. But, that's just a matter of opinion, and I
    understand that there are a number of scripts that perform very
    convenient file conversion, that I may find myself reaching for sometime
    in the future.

    For the moment, I've skipped installing the openssl-perl package, just
    to keep life as simple as possible (less to learn, secure, and just deal
    with!).

    The Makefile is also very helpful for at least creating a PEM-styled CSR
    (make certreq).

    However, this is where the remaining missing files and directories come
    into play. I want to sign my newly minted request with my own CA cert,
    but I am getting errors having to do with the configuration of
    openssl.cnf. There seem to be a number of 'mistakes' in the CA_default
    section of the configuration file. The first attribute 'dir', has a
    value of '../../CA', which seems faulty to me. Worse, a few lines later,
    the 'crl_dir', 'serial', 'crl' and a number of other attributes have
    values that point to directories and files that simply DO NOT EXIST!

    I have attempted to create some of the missing directories, which gets
    me past the first few errors when executing:

    openssl ca -config /etc/pki/tls/openssl.cnf -policy policy_anything -out
    www.domainname.com.pem -infiles www.domainname.com.request.pem

    but, eventually I get to errors relating to the missing files (i.e.
    index.txt) and I grind to a halt.

    Has anyone successfully created CA and signed their own certs using a
    'default' installation of FC4? Did you have to take any extraordinary
    steps to achieve this?

    Thanks everyone for the responses. Sorry this is more involved than it
    first seemed.

    Steven Stromer

    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
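The directory layout and signing step the post is stuck on, as an added example that is not part of the original thread. It assumes a scratch directory from mktemp in place of /etc/pki/CA, writes its own minimal openssl.cnf (with an absolute 'dir') instead of patching the FC4 one, and signs a request for a hypothetical host with the same `openssl ca -policy policy_anything` form quoted in the message.

```shell
# Added example, not from the thread: lay out the tree that [ CA_default ] points
# at, then create a CA and sign a request. Paths are assumptions (FC4: /etc/pki/CA).
set -eu
# Create the files and directories 'openssl ca' refuses to start without,
# plus a minimal config whose 'dir' is absolute rather than '../../CA'.
make_ca_layout() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"                          # CA key lives here
    [ -f "$dir/index.txt" ] || : > "$dir/index.txt"    # certificate database
    [ -f "$dir/serial" ] || echo 01 > "$dir/serial"    # next serial number, hex
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca         = CA_default
[ CA_default ]
dir                = $dir
new_certs_dir      = \$dir/newcerts
database           = \$dir/index.txt
serial             = \$dir/serial
certificate        = \$dir/cacert.pem
private_key        = \$dir/private/cakey.pem
default_md         = sha256
default_days       = 365
policy             = policy_anything
[ policy_anything ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName         = Common Name
EOF
}
# Create the CA key/cert, then sign a CSR for a hypothetical host the way the
# post does (openssl ca -policy policy_anything). Prints the signed cert path.
sign_demo() {
    dir=$1 cnf=$1/openssl.cnf
    openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=Example Test CA" \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" -config "$cnf" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=www.example.test" \
        -keyout "$dir/private/host.key" -out "$dir/host.csr" -config "$cnf" 2>/dev/null
    openssl ca -batch -config "$cnf" -policy policy_anything \
        -in "$dir/host.csr" -out "$dir/certs/host.pem" >/dev/null 2>&1
    openssl verify -CAfile "$dir/cacert.pem" "$dir/certs/host.pem" >/dev/null
    echo "$dir/certs/host.pem"
}
CA_DIR=${CA_DIR:-$(mktemp -d)}    # scratch tree; point at your real CA dir instead
make_ca_layout "$CA_DIR"
if command -v openssl >/dev/null 2>&1; then
    sign_demo "$CA_DIR"
fi
```

After a successful run the serial file reads 02 and index.txt holds one line for the issued certificate, which is exactly the state a fresh FC4 /etc/pki/CA lacks.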