On Fri, 15 Jun 2007, M. Fioretti wrote:

>> 1) Run
>>
>>    openssl req \
>>      -x509 -nodes -days 365 \
>>      -subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \
>>      -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
>
> this would be the one-command version of running CA -newreq -nodes,
> after placing the right values of C, ST, L, CN, etc... in openssl.cnf,
> right?

Right.

> Still to be 100% sure of what we are saying: the command above
> self-signs keys and certificate and puts both of them in the
> mycert.pem file, correct?

Right.

>> Also, if you're doing this on a private server, you can keep the
>> cert and the key in the same file.
>
> I assume by "private" here you mean "a server which is only used by
> the members of a closed organization (business, charity,
> whatever...) but is not used as an ISP to the public", right?

Right. I use "private" in the sense of "I trust that users with login
privileges to this machine won't abuse it or intentionally try to
access data that's off-limits to them."

>> I'd just give it 0600 perms no matter where you put it.
>
> 0600 and ownership root, of course?

Yes.

> Sorry for the repeated questions, but I must say that ssl is one of
> the fields where the available docs are less clear to
> non-professionals. It seems to take a lot of effort to just figure
> out which are the right questions to ask...

I agree whole-heartedly. Building and maintaining an infrastructure to
support SSL-enabled applications is a daunting task, and quite
different from learning SSL programming or theory. Anyone looking to
write for O'Reilly could probably pitch such a title! :-)

--
Paul Heinlein <> heinlein@xxxxxxxxxx <> www.madboa.com
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
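
The two points settled in the thread above (key and certificate together in one PEM file, kept at mode 0600 and owned by root) can be checked with a short shell audit. This is an added example, not part of the original message: audit_pem and write_sample are hypothetical names, the sample file is constructed, and GNU stat (as on CentOS) is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. audit_pem and write_sample are
# hypothetical helpers; GNU stat is assumed.

# audit_pem FILE [UID]: check that FILE holds one private key and at least
# one certificate, is mode 0600, and is owned by UID (default 0, i.e. root).
# Prints one line per finding; returns 0 only when there are none.
audit_pem() {
    file=$1; want_uid=${2:-0}; rc=0
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "FAIL: $file is not a regular file"; return 2
    fi
    mode=$(stat -c '%a' "$file")
    uid=$(stat -c '%u' "$file")
    # grep -c exits 1 on a zero count; neutralise that for 'set -e' callers.
    keys=$(grep -c -E '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----$' "$file" || true)
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$file" || true)
    [ "$mode" = 600 ] || { echo "FAIL: mode $mode, expected 600"; rc=1; }
    [ "$uid" = "$want_uid" ] || { echo "FAIL: owner uid $uid, expected $want_uid"; rc=1; }
    [ "$keys" -eq 1 ] || { echo "FAIL: $keys private key blocks, expected 1"; rc=1; }
    [ "$certs" -ge 1 ] || { echo "FAIL: no certificate block found"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $file"
    return "$rc"
}

# Constructed sample: PEM markers around a placeholder body, no real key.
write_sample() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$1"
}

# Demo: the current uid stands in for root so this runs unprivileged.
demo=$(mktemp)
write_sample "$demo"
chmod 644 "$demo"
audit_pem "$demo" "$(id -u)" || true   # reports the 644 mode
chmod 600 "$demo"
audit_pem "$demo" "$(id -u)" || true   # passes
rm -f "$demo"
```

On a real server, run it as `audit_pem /path/to/mycert.pem` so the owner check defaults to root.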