On Sun, 2009-11-15 at 23:05 -0800, sieger007@xxxxxxxxx wrote:
> Hello Friends
>
>
> I'm trying to figure out why I cannot install an SSL certificate that
> I'd been given. Using openssl, I looked at the key file that was
> generated by openssl, and the corresponding certificate file that was
> returned by the CA.

I assume you did the following:

1) Generate a key:
$ openssl genrsa -out www.example.com-key 2048
Generating RSA private key, 2048 bit long modulus
..............................................+++
....+++
e is 65537 (0x10001)
2) Generate a Certificate Signing Request (CSR):
$ openssl req -new -key www.example.com-key -out www.example.com-csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:Greater London
Locality Name (eg, city) [Newbury]:London
Organization Name (eg, company) [My Company Ltd]:Acme Websites Ltd.
Organizational Unit Name (eg, section) []: <Leave blank>
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []: <Leave blank>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <Leave blank>
An optional company name []: <Leave blank>
3) Buy a certificate:
Go to www.verisign.com (or wherever) and buy a certificate.
Upload the CSR file you generated when they ask for it.
Download the Certificate when they let you.
4) Set up an SSL Vhost:
<VirtualHost 0.0.0.0:443>
    ServerName "www.example.com"
    SSLEngine on
    SSLCertificateFile "/etc/httpd/conf/ssl/www.example.com-cert"
    SSLCertificateKeyFile "/etc/httpd/conf/ssl/www.example.com-key"
    ...
</VirtualHost>
If you are running SELinux, ensure the context is correct.
Ensure both files are mode 400 and owned by root.
This should be all you need to do, aside from any other mod_ssl
configuration you need.
Mark.
--
Mark Watts BSc RHCE MBCS
Senior Systems Engineer, Managed Services Manpower
www.QinetiQ.com
QinetiQ - Delivering customer-focused solutions
GPG Key: http://www.linux-corner.info/mwatts.gpg
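
A check for the result of the steps above, added here as an example and not part of the original message: it confirms that the certificate returned by the CA carries the same public key as the key file from step 1, and that a file is mode 400 and owned by root as the post recommends. The function names and the script's two arguments (key file, certificate file) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): verify a key/certificate pair
# before pointing SSLCertificateFile / SSLCertificateKeyFile at it.
# Usage: sh check-pair.sh KEYFILE CERTFILE   (script name is hypothetical)

# Public key (PEM) derived from a private key. "-passin pass:" makes an
# encrypted key fail instead of prompting for a passphrase.
key_pub()  { openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null; }

# Public key (PEM) embedded in a certificate.
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# pair_matches KEY CERT
# Returns 0 if both files parse and hold the same public key,
# 1 if they differ, 2 if either file is missing or unparsable.
pair_matches() {
    k=$(key_pub "$1") || return 2
    c=$(cert_pub "$2") || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# perm_ok FILE [UID]
# Returns 0 if FILE is mode 0400 and owned by UID (default 0, i.e. root).
perm_ok() {
    want_uid=${2:-0}
    line=$(ls -ln -- "$1" 2>/dev/null) || return 2
    # First 10 characters only: SELinux/ACL markers ("." or "+") may follow.
    mode=$(printf '%s\n' "$line" | awk '{print substr($1, 1, 10)}')
    uid=$(printf '%s\n' "$line" | awk '{print $3}')
    [ "$mode" = "-r--------" ] && [ "$uid" = "$want_uid" ]
}

# Run the checks only when called with a key file and a certificate file.
if [ "$#" -eq 2 ]; then
    if ! pair_matches "$1" "$2"; then
        echo "FAIL: $2 was not issued for the key in $1 (or a file is unreadable)" >&2
        exit 1
    fi
    for f in "$1" "$2"; do
        perm_ok "$f" || echo "WARN: $f is not mode 400 owned by root" >&2
    done
    echo "OK: certificate and key match"
fi
```

A mismatch here usually means the CSR was generated from a different key file than the one being installed.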