LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Debian
User Name
Password
Debian This forum is for the discussion of Debian Linux.

Notices

Reply
 
Search this Thread
Old 10-31-2007, 02:48 PM   #1
xxsubz78x
Member
 
Registered: Sep 2005
Posts: 44

Rep: Reputation: 15
create a new certificate request SSL Debian Linux


I have a Debian Linux server and I need to create a certificate signing request (CSR) to use for SSL. I intend to submit the CSR to a trusted certificate authority on the Internet (i.e. Verisign, Entrust, etc.) I found the following website that walks you thru it.

http://wiki.ev-15.com/debian:mail_system

Start with making a new CA.

# cd /usr/lib/ssl/misc
# ./CA.pl -newca
Answer the questions as they come with reasonable information.
The value for CN (Common Name) should be the hostname of the server that the
certificates will be used on.

Now make the server certificate request.

# ./CA.pl -newreq-nodes

Now sign it

# ./CA.pl -sign

Copy the files to /etc/ssl/certs

# cp newcert.pem /etc/ssl/certs/
# cp newreq.pem /etc/ssl/certs/
# cp demoCA/cacert.pem /etc/ssl/certs/

-----------------------------------------
I created a new ca with the ./CA.pl -newca command. When I was prompted I typed UCAN. Not really sure what that did because it gave me an error message, something about a TRUSTED CERTIFICATE.

I then deleted the CA.pl because i thought that was the new certificate it created. I don't think that was right.

--------------------------------------
Then I was reading thru my Linux bible and I used the following procedure:
#apt-get install openssl
cd /etc/apache2/ssl
openssl genrsa -out server.key 1024
chmod 600 server.key

openssl req -new -key server.key -out server.csr
vi server.csr

-----------------------------------------------

I'm not sure what procedure is correct and if I really screwed something up.

Can somebody help me out with this?

Last edited by xxsubz78x; 10-31-2007 at 02:50 PM.
 
Old 11-01-2007, 10:04 AM   #2
bjagee
Member
 
Registered: Jan 2007
Location: Portland, OR
Distribution: Ubuntu Jaunty / Fedora
Posts: 39

Rep: Reputation: 15
1) The first step is to generate your private key:

Code:
 openssl genrsa -out yourkey.key 1024
2) Then generate the request:

Code:
openssl req -new -key domainname.key -out domainname.csr
There is a more detailed how-to here.
 
Old 11-01-2007, 11:28 AM   #3
xxsubz78x
Member
 
Registered: Sep 2005
Posts: 44

Original Poster
Rep: Reputation: 15
I know, I did that already if you look at the bottom of my post. However, I'm confused on the 1st part of my message.

# cd /usr/lib/ssl/misc
# ./CA.pl -newca


1. Are there 2 different ways of doing this?
2. Did I screw something up by deleting the CA.pl ??
 
Old 11-05-2007, 04:40 PM   #4
bjagee
Member
 
Registered: Jan 2007
Location: Portland, OR
Distribution: Ubuntu Jaunty / Fedora
Posts: 39

Rep: Reputation: 15
Sorry... I see. you derailed by signing it. If you are getting a real cert from Verisign or Digicert or something, then you want to send the request. All of the stuff with the CA.pl is a perl script to create a signing authority, which you don't need. All you want are the two lines I posted, and you send the signing request, which they return to you with a certification.

You only generate a CA if you want to sign your own.
 
Old 11-05-2007, 04:43 PM   #5
xxsubz78x
Member
 
Registered: Sep 2005
Posts: 44

Original Poster
Rep: Reputation: 15
I got the certificate from Entrust. How do I import it?
 
Old 11-06-2007, 12:58 PM   #6
bjagee
Member
 
Registered: Jan 2007
Location: Portland, OR
Distribution: Ubuntu Jaunty / Fedora
Posts: 39

Rep: Reputation: 15
That depends on where you want to use it. You have to tell each service where the certificate, private key, and certificate authority files are, and then enable SSL. The process is different for each server daemon. If you Google SSL + program, there is a howto for just about everything with ssl.

Just make sure you don't lose/overwrite your private key... without it your cert is useless. If you lose it your Entrust money is down the drain.



Cheers
 
Old 11-06-2007, 01:50 PM   #7
xxsubz78x
Member
 
Registered: Sep 2005
Posts: 44

Original Poster
Rep: Reputation: 15
this is for a web server. I believe that's what you're talking about when you say "service". SSL is already enabled I believe because when you go to the website now, it throws a Certificate trust message.

I found this website to help me with the config:
http://www.debianadmin.com/install-a...bian-etch.html

here's my config in the "default" file:

NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *>

Output:

webcaf:/etc/apache2/sites-available# /etc/init.d/apache2 restart
Forcing reload of web server: Apache2[Tue Nov 06 14:49:32 2007] [warn] NameVirtualHost *:443 has no VirtualHosts
[Tue Nov 06 14:49:32 2007] [warn] NameVirtualHost *:80 has no VirtualHosts
httpd (pid 13884?) not running
[Tue Nov 06 14:49:32 2007] [warn] NameVirtualHost *:443 has no VirtualHosts
[Tue Nov 06 14:49:32 2007] [warn] NameVirtualHost *:80 has no VirtualHosts

webcaf:/etc/apache2/sites-available# apache2ctl configtest
[Tue Nov 06 14:50:23 2007] [warn] NameVirtualHost *:443 has no VirtualHosts
[Tue Nov 06 14:50:23 2007] [warn] NameVirtualHost *:80 has no VirtualHosts
Syntax OK
--------------------------------------------------------
Config 2

NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>

Output:

webcaf:/etc/apache2/sites-available# /etc/init.d/apache2 restart
Forcing reload of web server: Apache2[Tue Nov 06 14:51:30 2007] [error] VirtualHost *:80 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
[Tue Nov 06 14:51:30 2007] [warn] NameVirtualHost *:443 has no VirtualHosts
[Tue Nov 06 14:51:30 2007] [warn] NameVirtualHost *:80 has no VirtualHosts
httpd (pid 13884?) not running
[Tue Nov 06 14:51:30 2007] [error] VirtualHost *:80 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
[Tue Nov 06 14:51:30 2007] [warn] NameVirtualHost *:443 has no VirtualHosts
[Tue Nov 06 14:51:30 2007] [warn] NameVirtualHost *:80 has no VirtualHosts

webcaf:/etc/apache2/sites-available# apache2ctl configtest
[Tue Nov 06 14:52:10 2007] [error] VirtualHost *:80 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
[Tue Nov 06 14:52:10 2007] [warn] NameVirtualHost *:443 has no VirtualHosts
[Tue Nov 06 14:52:10 2007] [warn] NameVirtualHost *:80 has no VirtualHosts
Syntax OK

-------------------------------------------------------------
Config 3

NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:443>

Output:
webcaf:/etc/apache2/sites-available# /etc/init.d/apache2 restart
Forcing reload of web server: Apache2[Tue Nov 06 14:55:23 2007] [error] VirtualHost *:443 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
[Tue Nov 06 14:55:23 2007] [warn] NameVirtualHost *:443 has no VirtualHosts
[Tue Nov 06 14:55:23 2007] [warn] NameVirtualHost *:80 has no VirtualHosts
httpd (pid 13884?) not running
[Tue Nov 06 14:55:23 2007] [error] VirtualHost *:443 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
[Tue Nov 06 14:55:23 2007] [warn] NameVirtualHost *:443 has no VirtualHosts
[Tue Nov 06 14:55:23 2007] [warn] NameVirtualHost *:80 has no VirtualHosts

Last edited by xxsubz78x; 11-06-2007 at 04:56 PM. Reason: added more information
 
Old 11-07-2007, 09:50 AM   #8
bjagee
Member
 
Registered: Jan 2007
Location: Portland, OR
Distribution: Ubuntu Jaunty / Fedora
Posts: 39

Rep: Reputation: 15
It looks like you could stand to take a look at the apache config howtos. The NameVirtualHost directive says that you are going to have virtual hosts, but you actually have to put them in the file. I wrote a blog post about running NameVirtualHosts with SSL--it's not a great idea. You can run name based on 80, since the packet doesn't have to handshake before the name, but you will want to run ip based for your SSL (443). You really need to put the entire Virt configurations in before anything can happen though. Take a look at the link from IP-based hosting in that post... it should get you started.
 
Old 12-09-2007, 05:22 PM   #9
xxsubz78x
Member
 
Registered: Sep 2005
Posts: 44

Original Poster
Rep: Reputation: 15
I looked thru your blog post but I'm still confused as to what I'm missing in the configuration. I don't really care how I set this up, I just want it to work.

Last edited by xxsubz78x; 12-09-2007 at 05:24 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenSSL x509: Expecting: CERTIFICATE REQUEST chakkerz Linux - Networking 5 06-10-2010 11:28 AM
LXer: Linux Postfix mail server SSL certificate installations and configuration LXer Syndicated Linux News 0 07-13-2007 10:01 AM
SSL Certificate Manager in Redhat Linux and vsftpd kitlarson Linux - Newbie 0 03-26-2007 10:07 AM
How to create new SSL certificate for apache ?? chuck77 Linux - General 7 05-15-2003 01:16 PM
How do I create a self signed SSL certificate? mongoose Linux - Software 2 04-15-2003 06:46 PM


All times are GMT -5. The time now is 03:07 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration