[Snort-users] certificate verify error

Erick Mechler emechler at ...7719...
Wed Apr 9 12:10:07 EDT 2003


:: I think I am just going to start again with these certificates and
:: create some more...
:: 
:: So, If I can just verify what I need to do:
:: 
:: /usr/bin/openssl genrsa -out ssl.key 1024
:: 
:: to generate a private key, and then:
:: 
:: /usr/bin/openssl req -new -x509 -days 365 -key ssl.key -out ssl.cert
:: 
:: to generate a certificate using the key.

You can do this all on one line (i.e., generate a self-signed certificate) by 
just doing this:

  openssl req -x509 -new -days 365 -outform PEM -nodes -out cert.pem

If you want to have your certificate encrypted (such that you need a
password to start up Apache with -DSSL) then remove the -nodes option.  
This will put your certificate into cert.pem, and your private key into
privkey.pem.

:: and then where is the best place to put ssl.key and ssl.cert?
:: (my apache httpd.conf is in /etc/httpd/conf/)

Your certificate file should go into /etc/httpd/conf/ssl.crt/server.pem,
and the key should go into /etc/httpd/conf/ssl.key/server.key.  The ssl.crt
directory should be perms 755, and the ssl.key directory should be 700.  
When in doubt, just follow the examples in the sample httpd.conf.

:: Do I also need to generate another file from these two for the
:: SSLCACertificateFile ? 

This is entirely optional.  You really only need this if you want to do 
client-side certificate authorization, which it doesn't sound like you're doing.

Cheers - Erick
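
An added example, not part of the original message: a shell audit of the layout
described above (ssl.crt at 755 holding server.pem, ssl.key at 700 holding
server.key), plus a check that the certificate and key belong together. The
function names are hypothetical; cert_matches_key assumes openssl is on the PATH
and the key is unencrypted (generated with -nodes).

```shell
#!/bin/sh
# Added example: audit the Apache SSL layout described in the message above.
# Function names are hypothetical; paths and modes come from the thread.

# Print the octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssl_layout [CONFDIR]
# Returns 0 when ssl.crt is 755 and holds server.pem, and ssl.key is 700 and
# holds server.key. Prints one line per finding; CONFDIR defaults to /etc/httpd/conf.
check_ssl_layout() {
    conf=${1:-/etc/httpd/conf}
    rc=0
    for spec in "ssl.crt:755:server.pem" "ssl.key:700:server.key"; do
        dir=$conf/${spec%%:*}          # directory name before the first colon
        rest=${spec#*:}
        want=${rest%%:*}               # expected mode
        file=$dir/${rest#*:}           # expected file inside the directory
        if [ ! -d "$dir" ]; then
            echo "MISSING dir  $dir"; rc=1; continue
        fi
        have=$(mode_of "$dir")
        if [ "$have" != "$want" ]; then
            echo "BAD mode     $dir is $have, expected $want"; rc=1
        fi
        if [ ! -f "$file" ]; then
            echo "MISSING file $file"; rc=1
        fi
    done
    return $rc
}

# cert_matches_key CERT KEY
# Returns 0 when the public key in the certificate equals the one derived from
# the private key, 1 when they differ, 2 when openssl cannot read an input.
# Assumption: the key is unencrypted; an encrypted key makes openssl prompt.
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    b=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$a" = "$b" ]
}
```

Run check_ssl_layout as root, since a 700 ssl.key directory is unreadable to other users.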



