Re: Creating a self-signed CA cert

From: Kam Leo (kam.leo_at_gmail.com)
Date: 11/05/05

  • Next message: Michael H. Warfield: "Re: IPv6 in FC4 - How"
    Date: Sat, 5 Nov 2005 13:34:55 -0800
    To: filter@stevenstromer.com, For users of Fedora Core releases <fedora-list@redhat.com>

    On 11/5/05, Steven Stromer <filter@stevenstromer.com> wrote:
    >
    > kwhiskers wrote:
    > >
    > >
    > > On 03/11/05, *Steven Stromer* <filter@stevenstromer.com
    > > <mailto:filter@stevenstromer.com>> wrote:
    > >
    > > >>>I want
    > > >>>to create a self-signed CA cert, which is most easily achieved
    > > using the
    > > >>>ca.pl script. This is no longer anywhere to be found, along with the
    > > >>>demoCA folder that one would normally expect to find. Can anyone
    > > shed
    > > >>>some light on where these files ended up? I can't find them on a
    > > search.
    > >
    > > >>The perl script is in the openssl-perl package. The original
    > > split was
    > > >>needed to keep the openssl package from depending on perl, which
    > > isn't
    > > >>part of the "Base" package component/group.
    > > >>
    > > >>It looks like the generated data files would now be placed in
    > > /etc/CA,
    > > >>but of course that's configurable in openssl.cnf.
    > > >>
    > > >>HTH,
    > > >>
    > > >>Nalin
    > >
    > > > It seems to me that certificates can be created using :
    > > > /etc/pki/tls/certs/Makefile
    > > > -------------------------------------------
    > > > Aaron Konstam
    > >
    > > Thank you all for your replies. I was aware of the line:
    > >
    > > 'OpenSSL: the /usr/share/ssl contents have moved to /etc/pki/tls and
    > > /etc/pki/CA.'
    > >
    > > in FC4's Release Notes. However, within the new path, there are many
    > > files missing that were available in the old path.
    > >
    > > Nalin helped to explain some of the missing files by documenting that
    > > openssl and openssl-perl are separate packages. That helps to explain
    > > some of the missing script files.
    > >
    > > Before learning this I manually executed all of the commands I needed
    > > to create my CA and host certificates and keys using openssl commands,
    > > which are easier to use, in my opinion, than the perl scripts that
    > > exist
    > > to help in these steps. But, that's just a matter of opinion, and I
    > > understand that there are a number of scripts that perform very
    > > convenient file conversion, that I may find myself reaching for sometime
    > > in the future.
    > >
    > > For the moment, I've skipped installing the openssl-perl package, just
    > > to keep life as simple as possible (less to learn, secure, and just deal
    > > with!).
    > >
    > > The Makefile is also very helpful for at least creating a pem styled
    > > csr
    > > (make certreq).
    > >
    > > However, this is where the remaining missing files and directories come
    > > into play. I want to sign my newly minted request with my own CA cert,
    > > but I am getting errors having to do with the configuration of
    > > openssl.cnf. There seem to be a number of 'mistakes' in the CA_default
    > > section of the configuration file. The first attribute 'dir', has a
    > > value of '../../CA', which seems faulty to me. Worse, a few lines
    > > later,
    > > the 'crl_dir', 'serial', 'crl' and a number of other attributes have
    > > values that point to directories and files that simply DO NOT EXIST!
    > >
    > > I have attempted to create some of the missing directories, which gets
    > > me past the first few errors when executing:
    > >
    > > openssl ca -config /etc/pki/tls/openssl.cnf -policy policy_anything -out
    > > www.domainname.com.pem -infiles www.domainname.com.request.pem
    > >
    > > but, eventually I get to errors relating to the missing files (ie.
    > > index.txt) and I grind to a halt.
    > >
    > > Has anyone successfully created CA and signed their own certs using a
    > > 'default' installation of FC4? Did you have to take any extraordinary
    > > steps to achieve this?
    > >
    > > Thanks everyone for the responses. Sorry this is more involved than it
    > > first seemed.
    > >
    > > Steven Stromer
    > >
    > > --
    > > fedora-list mailing list
    > > fedora-list@redhat.com <mailto:fedora-list@redhat.com>
    > > To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
    > >
    > >
    > > I am waiting with bated breath for the answer.
    > >
    > > I had created a certificate manually, with openssl pkcs
    > > somethingorother, which generated the certificate and imported
    > > successfully into konqueror, firefox and mozilla.
    > >
    > > This morning, I discovered the makefile in /etc/pki/certs and tried make
    > > certificatename.pem and that worked also.
    > >
    > > I have placed these certificates into every directory I can think of in
    > > the /etc/pki tree, as well as having imported them into the
    > > aforementioned programs.
    > >
    > > I am unable to use these certificates to sign a document in open office,
    > > however.
    > >
    > > As for your problem, I cannot offer any more information, but I feel that
    > > the solutions are allied.
    > >
    >
    > It would seem that signing a certificate should be a fairly
    > straightforward, and common action; at least common enough for some list
    > readers to be able to say 'yes, I can do this without a problem in FC4',
    > or 'no, I'm experiencing the same problems'. I am becoming more and more
    > convinced that this is an issue of misconfiguration of the present
    > openssl package, which might warrant a bug listing. There is some
    > interesting, and very good, documentation on openssl.cfg at:
    >
    > http://www.technoids.org/openssl.cnf.html
    >
    > It has helped me to understand better what is failing to work, some of
    > which I described in an earlier posting in this thread. There are now a
    > few people needing help here! Any brains in shining armor around?
    >
    > Thanks again!
    >
    > Steven Stromer
    >
    >
    You have the most knowledge regarding this problem. Don't ask others to
    battle for you. Pick up the gauntlet. File the bug report. Be your own
    knight!


    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
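The missing-files problem described in the quoted posts (the relative 'dir', and "openssl ca" halting on an absent index.txt and serial) can be resolved with the layout below; this is an added example, not code from the thread or from Fedora's openssl package. CA_DIR, the config contents, the CA name and the host name are assumptions to adapt to your own openssl.cnf.

```shell
# Added example, not from the thread. Creates the files the CA_default section
# of openssl.cnf expects, writes a config whose 'dir' is absolute (a relative
# '../../CA' only resolves from one working directory), then self-signs a CA
# and signs a CSR with "openssl ca". CA_DIR and subject names are assumptions.
set -e
CA_DIR="${CA_DIR:-$(mktemp -d)}"

# The pieces whose absence makes "openssl ca" stop: database, serial, dirs.
prepare_ca_dir() {
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    chmod 700 "$1/private"                        # CA key stays private
    [ -f "$1/index.txt" ] || : > "$1/index.txt"   # empty certificate database
    [ -f "$1/serial" ] || echo 01 > "$1/serial"   # next serial number to issue
}

# Minimal config: every CA_default path derives from an absolute 'dir'.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_anything
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# Self-sign the CA, make a host CSR, sign it with "openssl ca", verify chain.
issue_host_cert() {
    c="$1/openssl.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$c" \
        -subj "/CN=Example Test CA" -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -config "$c" -subj "/CN=www.example.test" \
        -keyout "$1/host.key" -out "$1/host.csr" 2>/dev/null
    openssl ca -batch -config "$c" -policy policy_anything \
        -out "$1/host.pem" -infiles "$1/host.csr" 2>/dev/null
    openssl verify -CAfile "$1/cacert.pem" "$1/host.pem"
}

prepare_ca_dir "$CA_DIR"; write_ca_config "$CA_DIR"
if command -v openssl >/dev/null 2>&1; then issue_host_cert "$CA_DIR"; fi
```

After a successful run, index.txt gains a "V" line for the issued certificate, serial is bumped to 02, and a copy of the signed certificate lands in newcerts/01.pem.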
    
