How to properly install and configure mod_ssl on RHEL 4?
2005-05-04 - By Mike Kercher
-----Original Message-----
From: taroon-list-bounces@(protected) [mailto:taroon-list-bounces@(protected)] On Behalf Of John Haxby
Sent: Wednesday, May 04, 2005 9:14 AM
To: Discussion of Red Hat Enterprise Linux 3 (Taroon)
Subject: Re: How to properly install and configure mod_ssl on RHEL 4?
Olaf Greve wrote:
> ...indicated that something was amiss with the CA certificate.
>
> Yesterday evening it already dawned on me that I think it's necessary
> to purchase a certificate (from companies such as Verisign). If so,
> then I guess that's the missing link.
It's not necessary to buy a certificate (although it may be desirable). In fact, it's not actually necessary to do anything at all. If you've installed mod_ssl (and it installs by default anyway) then connecting to https://localhost with, say, firefox will work just fine.
Having said that, you'll get dialog boxes popping up telling you that the certificate isn't signed by a trusted authority and that it doesn't match the host you're connecting to. That's because the certificate is self-signed and is for "localhost.localdomain". A proper certificate comes from Verisign or similar and will cost you money -- the last one I bought was £350, but that was a few years ago. For most purposes you can get by with a self-signed certificate. As it happens, I've just had to do this for an FC3 machine, but RHEL4 is the same.
This is an out-of-the-box installation, I didn't have to edit any configuration files. I didn't explicitly select mod_ssl for installation either.
With firefox, the first dialog box that pops up starts "Unable to verify the identity of localhost.localdomain as a trusted site." It goes on to offer some reasonable causes and lets me accept the certificate temporarily. Having done that I get another dialogue box saying that the machine I'm connecting to doesn't match the name on the certificate (that is, localhost.localdomain) and lets me see the certificate and also lets me continue. The certificate is the one that installs by default and it's issued to localhost.localdomain, in SomeOrganisation and signed by the issuer. It was issued on 1-May-2005 which is when I installed the server.
To get the self-signed certificate:
make -C/usr/share/ssl/certs testcert or make -C/etc/httpd/conf testcert
(The Makefile in /etc/httpd/conf is a symbolic link to the other one.) If you're not root you'll get an error; if you are, it'll tell you there's nothing to do. You need to remove the certificate, but not the key (if I'm not mistaken, the make rule for generating the key will want a passphrase, which will mean that you'll need to type the passphrase in every time you restart apache). So, delete /etc/httpd/conf/ssl.crt/server.crt (or at least move it out of the way), re-run the make command and then restart httpd. If you reload the page in firefox now you'll only get the first dialog box and you should accept the certificate permanently (having first checked that it matches what you've just generated). I don't need to tell you that you should make sure that the hostname in the certificate matches the hostname you connect to and that it should be the FQDN.
If, in a year's time you need to renew the certificate you'll need to change the serial number (unless you change some of the other details). You'll need to edit the Makefile to do this (or run the openssl req command directly) to add a "-set_serial 1" parameter. You won't remember that, but you might remember to do a "man req" and look it up yourself.
As another poster said, "make -C/etc/httpd/conf certreq" will generate the certificate request you'll need for a real certificate. When I went through this with Verisign they were quite picky about what you actually put in the certificate fields so you'll need to read their web site (or the web site of their local representative, in my case, it's BT). And it takes a couple of weeks from start to finish, so a self-signed certificate is a good thing to get you going anyway.
Most software can be persuaded to accept a self-signed certificate. The various browsers, including curl, can be so persuaded. Java can as well. It depends on how much you want to make life easy compared to how much you're prepared to spend money :-) It would be nice to be able to get cheap (or even free) certificates for home servers and the like.
jch
-- Taroon-list mailing list Taroon-list@(protected) http://www.redhat.com/mailman/listinfo/taroon-list
==================================================================================
An SSL cert from http://www.rapidssl.com/index_ssl.htm is much cheaper than 350
Mike
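The self-signed certificate procedure John Haxby describes above (a key without a passphrase so httpd restarts unattended, a certificate whose CN is the FQDN you connect to, and a new serial number when the certificate is reissued) carried out with the openssl command directly rather than the RHEL Makefile rule. This is an added example, not code from either list post or from the Red Hat Makefile; it assumes openssl is on the PATH, and the directory, the hostname www.example.com and the serial numbers are constructed for the example.

```shell
#!/bin/sh
# Added example: what "make testcert" does, written out with openssl and with
# the two details the post mentions: an explicit serial and the FQDN as CN.
set -eu

# gen_selfsigned DIR FQDN SERIAL -> writes DIR/server.key (once) and DIR/server.crt
gen_selfsigned() {
    dir=$1; fqdn=$2; serial=$3
    mkdir -p "$dir"
    # Generate the key only if it does not exist yet: on renewal the post's
    # advice is to replace the certificate but keep the key. No passphrase, so
    # httpd can start without a prompt; keep the file readable by root only.
    if [ ! -f "$dir/server.key" ]; then
        openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
        chmod 600 "$dir/server.key"
    fi
    # Self-signed certificate, one year, with the serial set explicitly
    # (-set_serial is the option the post says to add for a renewal).
    openssl req -new -x509 -days 365 -set_serial "$serial" \
        -key "$dir/server.key" -out "$dir/server.crt" \
        -subj "/O=SomeOrganization/CN=$fqdn" 2>/dev/null
}

# cert_cn FILE -> prints the subject CN (works with old "/CN=" and new "CN = " output)
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_serial FILE -> prints the serial number as openssl shows it (hex string)
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# check_cert FILE FQDN -> 0 if the CN is the FQDN and the self-signature verifies,
# 1 otherwise. This is the "check it matches what you generated" step before
# telling a browser to accept the certificate permanently.
check_cert() {
    cn=$(cert_cn "$1")
    [ "$cn" = "$2" ] || { echo "CN '$cn' does not match '$2'" >&2; return 1; }
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 \
        || { echo "self-signature check failed" >&2; return 1; }
}

# serial_changed OLD NEW -> 0 if the reissued certificate has a different serial.
# Browsers that cached the old certificate will object if the same issuer reuses
# a serial for a new certificate, which is why the post says to change it.
serial_changed() {
    [ "$(cert_serial "$1")" != "$(cert_serial "$2")" ]
}

# Usage: sh selfsigned.sh demo  (constructed hostname and serials)
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    gen_selfsigned "$d" www.example.com 1
    check_cert "$d/server.crt" www.example.com && echo "certificate OK for www.example.com"
    rm -rf "$d"
fi
```

Renewal with this script is a second gen_selfsigned call with a larger serial: the existing server.key is kept, only server.crt is rewritten, and serial_changed confirms the serial differs from the copy you set aside.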