LinuxQuestions.org
Old 10-31-2007, 02:48 PM   #1
xxsubz78x
Member
 
Registered: Sep 2005
Posts: 44

Rep: Reputation: 15
create a new certificate request SSL Debian Linux


I have a Debian Linux server and I need to create a certificate signing request (CSR) to use for SSL. I intend to submit the CSR to a trusted certificate authority on the Internet (e.g. Verisign, Entrust, etc.). I found the following website that walks you through it.

http://wiki.ev-15.com/debian:mail_system

Start with making a new CA.

# cd /usr/lib/ssl/misc
# ./CA.pl -newca
Answer the questions as they come with reasonable information.
The value for CN (Common Name) should be the hostname of the server that the
certificates will be used on.

Now make the server certificate request.

# ./CA.pl -newreq-nodes

Now sign it

# ./CA.pl -sign

Copy the files to /etc/ssl/certs

# cp newcert.pem /etc/ssl/certs/
# cp newreq.pem /etc/ssl/certs/
# cp demoCA/cacert.pem /etc/ssl/certs/

-----------------------------------------
I created a new CA with the ./CA.pl -newca command. When I was prompted I typed UCAN. Not really sure what that did because it gave me an error message, something about a TRUSTED CERTIFICATE.

I then deleted the CA.pl because I thought that was the new certificate it created. I don't think that was right.

--------------------------------------
Then I was reading through my Linux bible and I used the following procedure:
#apt-get install openssl
cd /etc/apache2/ssl
openssl genrsa -out server.key 1024
chmod 600 server.key

openssl req -new -key server.key -out server.csr
vi server.csr

-----------------------------------------------

I'm not sure what procedure is correct and if I really screwed something up.

Can somebody help me out with this?

Last edited by xxsubz78x; 10-31-2007 at 02:50 PM.
 
Old 11-01-2007, 10:04 AM   #2
bjagee
Member
 
Registered: Jan 2007
Location: Portland, OR
Distribution: Ubuntu Jaunty / Fedora
Posts: 39

Rep: Reputation: 15
1) The first step is to generate your private key:

Code:
 openssl genrsa -out yourkey.key 1024
2) Then generate the request:

Code:
openssl req -new -key domainname.key -out domainname.csr
There is a more detailed how-to here.
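The two commands above are the whole procedure for a CA-issued certificate, but the thread never shows how to check the result before mailing the CSR off. As an added example (not code from either poster or from the linked how-to), the script below runs the same genrsa/req steps non-interactively and then confirms that the CSR really belongs to the key, that its self-signature is intact (an edited CSR, cf. the "vi server.csr" step, fails this), and that the key file is not world-readable. Directory names and the subject fields are constructed placeholders; it assumes the openssl command-line tool is installed. It uses a 2048-bit key rather than the 1024 bits used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: key + CSR generation with checks.
# Assumes the `openssl` CLI; paths/hostnames are constructed placeholders.

# make_key_and_csr DIR HOSTNAME
# Creates DIR/server.key (RSA 2048, mode 0600) and DIR/server.csr with
# CN=HOSTNAME. -subj answers the prompts `openssl req` would otherwise ask.
make_key_and_csr() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # umask in a subshell so the key is never created readable by others
    ( umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null )
    chmod 600 "$dir/server.key"
    # constructed subject; CN must be the name the clients will connect to
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=Example/L=Example/O=Example Org/CN=$host"
}

# csr_subject DIR: print the subject so it can be checked before submission
csr_subject() {
    openssl req -noout -subject -in "$1/server.csr"
}

# csr_matches_key DIR: exit 0 when the CSR's public key came from server.key
# (compare fingerprints of the RSA modulus), 1 otherwise.
csr_matches_key() {
    k=$(openssl rsa -noout -modulus -in "$1/server.key" | openssl sha256)
    c=$(openssl req -noout -modulus -in "$1/server.csr" | openssl sha256)
    [ "$k" = "$c" ]
}

# csr_signature_ok DIR: a CSR is self-signed with the private key; a CSR that
# was hand-edited after creation fails this check and the CA will reject it.
csr_signature_ok() {
    openssl req -noout -verify -in "$1/server.csr" >/dev/null 2>&1
}

# key_mode_ok DIR: the private key must stay 0600 (GNU stat, BSD fallback)
key_mode_ok() {
    m=$(stat -c %a "$1/server.key" 2>/dev/null || stat -f %Lp "$1/server.key")
    [ "$m" = "600" ]
}

# demo DIR HOSTNAME: run everything and report
demo() {
    make_key_and_csr "$1" "$2"
    csr_subject "$1"
    csr_matches_key "$1"  && echo "CSR matches private key"
    csr_signature_ok "$1" && echo "CSR self-signature OK"
    key_mode_ok "$1"      && echo "server.key is mode 0600"
    echo "submit $1/server.csr to the CA; keep $1/server.key"
}

# usage: sh csr.sh --demo /etc/apache2/ssl www.example.com
if [ "${1:-}" = "--demo" ]; then demo "$2" "$3"; fi
```

The CA returns a certificate for the public key inside the CSR, so the key file is the only thing that makes that certificate usable; the modulus comparison is the same check to run later on the returned certificate with `openssl x509 -noout -modulus`.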
 
Old 11-01-2007, 11:28 AM   #3
xxsubz78x
Member
 
Registered: Sep 2005
Posts: 44

Original Poster
Rep: Reputation: 15
I know, I did that already if you look at the bottom of my post. However, I'm confused on the 1st part of my message.

# cd /usr/lib/ssl/misc
# ./CA.pl -newca


1. Are there 2 different ways of doing this?
2. Did I screw something up by deleting the CA.pl?
 
Old 11-05-2007, 04:40 PM   #4
bjagee
Member
 
Registered: Jan 2007
Location: Portland, OR
Distribution: Ubuntu Jaunty / Fedora
Posts: 39

Rep: Reputation: 15
Sorry... I see. You derailed by signing it. If you are getting a real cert from Verisign or Digicert or something, then you want to send the request. All of the stuff with the CA.pl is a perl script to create a signing authority, which you don't need. All you want are the two lines I posted, and you send the signing request, which they return to you with a certification.

You only generate a CA if you want to sign your own.
 
Old 11-05-2007, 04:43 PM   #5
xxsubz78x
Member
 
Registered: Sep 2005
Posts: 44

Original Poster
Rep: Reputation: 15
I got the certificate from Entrust. How do I import it?
 
Old 11-06-2007, 12:58 PM   #6
bjagee
Member
 
Registered: Jan 2007
Location: Portland, OR
Distribution: Ubuntu Jaunty / Fedora
Posts: 39

Rep: Reputation: 15
That depends on where you want to use it. You have to tell each service where the certificate, private key, and certificate authority files are, and then enable SSL. The process is different for each server daemon. If you Google SSL + program, there is a howto for just about everything with ssl.

Just make sure you don't lose/overwrite your private key... without it your cert is useless. If you lose it your Entrust money is down the drain.



Cheers
 
Old 11-06-2007, 01:50 PM   #7
xxsubz78x
Member
 
Registered: Sep 2005
Posts: 44

Original Poster
Rep: Reputation: 15
This is for a web server. I believe that's what you're talking about when you say "service". SSL is already enabled I believe because when you go to the website now, it throws a Certificate trust message.

I found this website to help me with the config:
http://www.debianadmin.com/install-a...bian-etch.html

here's my config in the "default" file:

NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *>

Output:

webcaf:/etc/apache2/sites-available# /etc/init.d/apache2 restart
Forcing reload of web server: Apache2[Tue Nov 06 14:49:32 2007] [warn] NameVirtualHost *:443 has no VirtualHosts
[Tue Nov 06 14:49:32 2007] [warn] NameVirtualHost *:80 has no VirtualHosts
httpd (pid 13884?) not running
[Tue Nov 06 14:49:32 2007] [warn] NameVirtualHost *:443 has no VirtualHosts
[Tue Nov 06 14:49:32 2007] [warn] NameVirtualHost *:80 has no VirtualHosts

webcaf:/etc/apache2/sites-available# apache2ctl configtest
[Tue Nov 06 14:50:23 2007] [warn] NameVirtualHost *:443 has no VirtualHosts
[Tue Nov 06 14:50:23 2007] [warn] NameVirtualHost *:80 has no VirtualHosts
Syntax OK
--------------------------------------------------------
Config 2

NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>

Output:

webcaf:/etc/apache2/sites-available# /etc/init.d/apache2 restart
Forcing reload of web server: Apache2[Tue Nov 06 14:51:30 2007] [error] VirtualHost *:80 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
[Tue Nov 06 14:51:30 2007] [warn] NameVirtualHost *:443 has no VirtualHosts
[Tue Nov 06 14:51:30 2007] [warn] NameVirtualHost *:80 has no VirtualHosts
httpd (pid 13884?) not running
[Tue Nov 06 14:51:30 2007] [error] VirtualHost *:80 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
[Tue Nov 06 14:51:30 2007] [warn] NameVirtualHost *:443 has no VirtualHosts
[Tue Nov 06 14:51:30 2007] [warn] NameVirtualHost *:80 has no VirtualHosts

webcaf:/etc/apache2/sites-available# apache2ctl configtest
[Tue Nov 06 14:52:10 2007] [error] VirtualHost *:80 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
[Tue Nov 06 14:52:10 2007] [warn] NameVirtualHost *:443 has no VirtualHosts
[Tue Nov 06 14:52:10 2007] [warn] NameVirtualHost *:80 has no VirtualHosts
Syntax OK

-------------------------------------------------------------
Config 3

NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:443>

Output:
webcaf:/etc/apache2/sites-available# /etc/init.d/apache2 restart
Forcing reload of web server: Apache2[Tue Nov 06 14:55:23 2007] [error] VirtualHost *:443 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
[Tue Nov 06 14:55:23 2007] [warn] NameVirtualHost *:443 has no VirtualHosts
[Tue Nov 06 14:55:23 2007] [warn] NameVirtualHost *:80 has no VirtualHosts
httpd (pid 13884?) not running
[Tue Nov 06 14:55:23 2007] [error] VirtualHost *:443 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
[Tue Nov 06 14:55:23 2007] [warn] NameVirtualHost *:443 has no VirtualHosts
[Tue Nov 06 14:55:23 2007] [warn] NameVirtualHost *:80 has no VirtualHosts

Last edited by xxsubz78x; 11-06-2007 at 04:56 PM. Reason: added more information
 
Old 11-07-2007, 09:50 AM   #8
bjagee
Member
 
Registered: Jan 2007
Location: Portland, OR
Distribution: Ubuntu Jaunty / Fedora
Posts: 39

Rep: Reputation: 15
It looks like you could stand to take a look at the apache config howtos. The NameVirtualHost directive says that you are going to have virtual hosts, but you actually have to put them in the file. I wrote a blog post about running NameVirtualHosts with SSL--it's not a great idea. You can run name based on 80, since the packet doesn't have to handshake before the name, but you will want to run ip based for your SSL (443). You really need to put the entire Virt configurations in before anything can happen though. Take a look at the link from IP-based hosting in that post... it should get you started.
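To make the two points above concrete (each NameVirtualHost needs a full VirtualHost block that uses exactly the same address argument, and the SSL host should be IP-based with the certificate, key and chain files named inside it), here is an added example that is not code from either poster. It writes a complete sites-available file of the shape the thread is working towards, and includes a small lint that reproduces the "has no VirtualHosts" warning from the output above and also flags a :443 host that is missing SSLEngine on or the certificate/key directives. The IP address, hostname and /etc/apache2/ssl paths are constructed placeholders; it assumes Apache 2.2 with mod_ssl enabled (a2enmod ssl) and "Listen 443" in ports.conf.

```shell
#!/bin/sh
# Added example, not from the thread. Apache 2.2 vhost skeleton plus a lint.
# Hostnames, IPs and certificate paths are constructed placeholders.

# write_ssl_site OUTFILE HOSTNAME IPADDR
# Name-based host on *:80, IP-based host on IPADDR:443 carrying the cert.
write_ssl_site() {
    cat > "$1" <<EOF
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName $2
    DocumentRoot /var/www/$2
</VirtualHost>

# IP-based SSL host: the certificate is chosen before any Host header is
# seen, so no NameVirtualHost line is declared for this address
<VirtualHost $3:443>
    ServerName $2
    DocumentRoot /var/www/$2
    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/server.key
    SSLCertificateChainFile /etc/apache2/ssl/chain.crt
</VirtualHost>
EOF
}

# nvh_lint CONFIGFILE
# Prints one line per problem; exit 0 when clean, 1 otherwise. Checks:
#  - every "NameVirtualHost ADDR" has a "<VirtualHost ADDR>" with the
#    identical argument (the 2.2 rule behind "has no VirtualHosts")
#  - every host on port 443 has SSLEngine on, a certificate and a key
nvh_lint() {
    awk '
        /^[ \t]*NameVirtualHost[ \t]/ {
            if (!($2 in nvh)) order[++n] = $2
            nvh[$2] = 1; next
        }
        /^[ \t]*<VirtualHost[ \t]/ {
            a = $0
            sub(/^[ \t]*<VirtualHost[ \t]+/, "", a)   # strip the opening tag
            sub(/[ \t]*>.*$/, "", a)                  # keep only ADDR
            cur = a; vh[a] = 1; eng = 0; crt = 0; key = 0; next
        }
        /^[ \t]*SSLEngine[ \t]+[Oo][Nn]/  { eng = 1 }
        /^[ \t]*SSLCertificateFile[ \t]/  { crt = 1 }
        /^[ \t]*SSLCertificateKeyFile[ \t]/ { key = 1 }
        /^[ \t]*<\/VirtualHost>/ {
            if (cur ~ /:443$/ && !(eng && crt && key)) {
                print "VirtualHost " cur " lacks SSLEngine on / cert / key"
                bad = 1
            }
            cur = ""
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(order[i] in vh)) {
                    print "NameVirtualHost " order[i] " has no VirtualHosts"
                    bad = 1
                }
            exit bad
        }' "$1"
}

# usage: sh vhost.sh --write /etc/apache2/sites-available/default www.example.com 192.0.2.10
#        sh vhost.sh --lint  /etc/apache2/sites-available/default
case "${1:-}" in
    --write) write_ssl_site "$2" "$3" "$4" && nvh_lint "$2" ;;
    --lint)  nvh_lint "$2" ;;
esac
```

Run the lint on the existing file before touching Apache: the first of the three configs in the thread reports both :80 and :443 as having no VirtualHosts, which is exactly what apache2ctl configtest printed, and a :443 block without SSLEngine on is what produces a plain-HTTP response (or no response at all) on the SSL port rather than an error in configtest.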
 
Old 12-09-2007, 05:22 PM   #9
xxsubz78x
Member
 
Registered: Sep 2005
Posts: 44

Original Poster
Rep: Reputation: 15
I looked through your blog post but I'm still confused as to what I'm missing in the configuration. I don't really care how I set this up, I just want it to work.

Last edited by xxsubz78x; 12-09-2007 at 05:24 PM.
 