OpenSSL notes

Default mod_ssl install, as follows:

First we installed openssl-0.9.6
Then we configured mod_ssl-2.6.6 with
  ./configure --with-apache=../apache-1.3.12 --with-ssl=../openssl-0.9.6
Next we go into the apache source tree and do
  SSL_BASE="/usr/src/openssl-0.9.6" ./config.status --enable-module=ssl
Check that --prefix and the PHP options were carried over...

Made /opt/apache/certificates and wrote ssl.conf from the SSL config directives, 
wrapped in 

Need to add -DSSL to apache startup line in /sys/supervise and, if 
upgrading from non-SSL, copy SSL config directives from example 
config.

Virtualhosts with a.b.c.d:80 definitions need to add "SSLEngine off" 
to prevent error about trying to reinitialise it.

Add "SSLVerifyClient none" to allow all clients to connect.  We 
probably want this :-)

================================================================================

Making a self-signed certificate
--------------------------------
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
cp server.key conf/ssl.key
cp server.crt conf/ssl.crt

When making the certificate we are asked for a passphrase.  It is requested 
again at startup.  To avoid having to enter the passphrase we have a script that 
provides it.  This script is /sys/provide_ssl_passphrase and is readable only 
by root.  All it needs to do is print the passphrase to stdout.
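The procedure above, as an added example (not part of the original notes): the self-signed certificate steps made non-interactive, the passphrase helper the notes describe, and two checks worth running before the files are copied into place (that server.crt really belongs to server.key, and that the passphrase script is readable by nobody but its owner). WORKDIR, SUBJECT and PASS are placeholders; the key size and cipher (2048-bit, AES-256) are this example's choice rather than the 1024/-des3 used in the notes.

```shell
#!/bin/sh
# Added example, not from the original notes: the self-signed certificate
# procedure made non-interactive, the passphrase helper, and two checks.
# Assumptions: WORKDIR, SUBJECT and PASS are placeholders; 2048-bit/AES-256
# are this example's choice, not the notes' 1024/-des3.
set -eu

# Generate an encrypted key, a CSR and a one-year self-signed certificate in $1
make_self_signed() {
    dir="$1"; subj="$2"; pass="$3"
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -passin "pass:$pass" -subj "$subj" -out "$dir/server.csr"
    openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -passin "pass:$pass" -out "$dir/server.crt" 2>/dev/null
}

# Write the helper that mod_ssl runs at startup to obtain the key passphrase.
# It prints the passphrase on stdout and is created readable by its owner only.
write_passphrase_script() {
    path="$1"; pass="$2"
    ( umask 077; cat > "$path" <<EOF
#!/bin/sh
# Prints the server key passphrase; called by mod_ssl at startup
printf '%s\n' '$pass'
EOF
    )
    chmod 0500 "$path"
}

# Check 1: does the certificate belong to the key?  Compare the RSA moduli.
cert_matches_key() {
    m_crt=$(openssl x509 -noout -modulus -in "$1")
    m_key=$(openssl rsa -noout -modulus -in "$2" -passin "pass:$3")
    [ -n "$m_crt" ] && [ "$m_crt" = "$m_key" ]
}

# Check 2: is the file readable by its owner only (no group/other permission bits)?
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

main() {
    dir="${WORKDIR:-$(mktemp -d)}"
    pass="${PASS:-changeme-placeholder}"
    make_self_signed "$dir" "${SUBJECT:-/O=Example/CN=www.example.invalid}" "$pass"
    write_passphrase_script "$dir/provide_ssl_passphrase" "$pass"
    cert_matches_key "$dir/server.crt" "$dir/server.key" "$pass" \
        || { echo "server.crt does not match server.key" >&2; return 1; }
    owner_only "$dir/provide_ssl_passphrase" \
        || { echo "passphrase script is readable by others" >&2; return 1; }
    openssl x509 -noout -subject -dates -in "$dir/server.crt"
    echo "OK: files in $dir"
}

# Run the demonstration; skipped (with a message) if the openssl CLI is absent.
if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not found; nothing done" >&2; fi
```

Run it as root on the web server and point mod_ssl at the helper with the SSLPassPhraseDialog exec: directive (path /sys/provide_ssl_passphrase as in the notes). The modulus comparison catches the common mistake of copying a server.crt issued for an older server.key, which Apache only reports at startup.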

Making a certificate signed by admin
------------------------------------
On admin, copy the self-signed .crt and .key files to /etc/ssl/certs, renamed to 
ca.crt and ca.key.
Copy sign.sh from mod_ssl tarball to /etc/ssl/certs.

openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
./sign.sh server.csr

Now copy server.crt and server.key to /opt/apache/certificates on web server.

Importing a root certificate into browsers
-----------------------------------------
On the CA machine:

openssl x509 -in /etc/ssl/certs/ca.crt -outform der > /etc/ssl/certs/ca.der

Serve the ca.der file with MIME type application/x-x509-ca-cert.
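The two sections above (signing by the admin CA, and exporting ca.der for browsers), as one added example that is not the notes' sign.sh nor any mod_ssl code: it builds a CA certificate marked as a CA, issues a server certificate from a CSR with openssl x509 -CA in place of sign.sh, verifies that the result chains to ca.crt before it is copied to the web server, and exports the DER copy together with a fingerprint that users can compare in the browser import dialog. The CA file names follow the notes (ca.crt, ca.key); WORKDIR, HOST and the passphrases are placeholders.

```shell
#!/bin/sh
# Added example, not the notes' sign.sh: issue a server certificate under the
# site CA, verify it chains, and export the CA certificate as DER with its
# fingerprint for the browser import step.
# Assumptions: CA files are ca.crt/ca.key as in the notes; WORKDIR, HOST and
# the passphrases are placeholders; openssl x509 -CA stands in for sign.sh.
set -eu

# Encrypted RSA key plus CSR for a subject, without interactive prompts
make_key_and_csr() {
    base="$1"; subj="$2"; pass="$3"
    openssl genrsa -aes256 -passout "pass:$pass" -out "$base.key" 2048 2>/dev/null
    openssl req -new -key "$base.key" -passin "pass:$pass" -subj "$subj" -out "$base.csr"
}

# The CA's own self-signed certificate, marked as a CA so that verifiers accept it
make_ca() {
    dir="$1"; pass="$2"
    make_key_and_csr "$dir/ca" "/O=Example/CN=Example Site CA" "$pass"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" -passin "pass:$pass" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
}

# Stand-in for sign.sh: sign a CSR with the CA, adding a SAN for the host name
ca_sign() {
    ca_dir="$1"; csr="$2"; out="$3"; host="$4"; pass="$5"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" > "$out.ext"
    openssl x509 -req -days 365 -in "$csr" -CA "$ca_dir/ca.crt" -CAkey "$ca_dir/ca.key" \
        -passin "pass:$pass" -CAcreateserial -extfile "$out.ext" -out "$out" 2>/dev/null
}

# Does the certificate chain to the CA?  openssl verify exits non-zero otherwise.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# DER copy of the CA certificate, for serving as application/x-x509-ca-cert
export_der() {
    openssl x509 -in "$1" -outform der -out "$2"
}

# SHA-256 fingerprint of a certificate in either encoding (pem or der)
fingerprint() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//'
}

main() {
    dir="${WORKDIR:-$(mktemp -d)}"
    ca_pass="${CA_PASS:-ca-placeholder}"; srv_pass="${SERVER_PASS:-server-placeholder}"
    host="${HOST:-www.example.invalid}"
    make_ca "$dir" "$ca_pass"
    make_key_and_csr "$dir/server" "/O=Example/CN=$host" "$srv_pass"
    ca_sign "$dir" "$dir/server.csr" "$dir/server.crt" "$host" "$ca_pass"
    chains_to_ca "$dir/ca.crt" "$dir/server.crt" \
        || { echo "server.crt does not chain to ca.crt" >&2; return 1; }
    export_der "$dir/ca.crt" "$dir/ca.der"
    [ "$(fingerprint "$dir/ca.crt" pem)" = "$(fingerprint "$dir/ca.der" der)" ] \
        || { echo "DER export does not match ca.crt" >&2; return 1; }
    echo "ca.der fingerprint (SHA-256): $(fingerprint "$dir/ca.der" der)"
    echo "OK: files in $dir"
}

# Run the demonstration; skipped (with a message) if the openssl CLI is absent.
if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not found; nothing done" >&2; fi
```

The verify step is the one to keep: a server.crt that does not chain to the ca.crt users have imported produces exactly the browser warning the import was meant to remove. Publishing the fingerprint next to the ca.der link gives users something to compare against what the import dialog shows.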

Importing a root certificate into konqueror
-------------------------------------------
On the CA machine:

openssl x509 -in /etc/ssl/certs/ca.crt -text

Append the resultant output to /opt/kde/share/apps/kssl/caroot/ca-bundle.crt 
or ~/.kde/share/apps/kssl/caroot/ca-bundle.crt, followed by a blank line.