Date:      Sun, 07 May 2000 15:47:34 -0700
From:      Doug Barton <DougB@gorean.org>
To:        Steve Price <sprice@hiwaay.net>
Cc:        Kris Kennaway <kris@FreeBSD.org>, Forrest Aldrich <forrie@navipath.com>, current@FreeBSD.org
Subject:   Re: RSA decrypt problems
Message-ID:  <3915F286.6DD0067@gorean.org>
References:  <Pine.OSF.4.21.0005071654270.24280-100000@fly.HiWAAY.net>

Steve Price wrote:
> 
> On Sun, 7 May 2000, Doug Barton wrote:
> 
> #       Ok, here are some silly questions. Did you create a private key for
> # this server, did you encrypt your cert with it, and is that .key file
> # pointed to in your httpd.conf config file? SSLCertificateKeyFile is what
> # you're looking for. http://www.modssl.org/related/ has some really good
> # resources for this, and their FAQ has step by step instructions for
> # creating and testing keys and certs that may help you track down where
> # in the process it's getting lost.
> 
> I did create a key for my server with the following command
> 
>         ssh-keygen -f /etc/ssh/ssh_host_key

	Errr... that's for ssh only.

> I didn't encrypt a cert with it.  This is on a test box and
> up until a few days ago the only steps I ever had to take
> were to install one of the apache13-*ssl ports, crank up apache,
> and it just worked.  Of course this could be where I've gone
> astray, as it appears this no longer works. :) 

	I'm not familiar with those ports, so I can't speak intelligently about
them, however I've looked over the mod_ssl stuff, and they have
pre-configured a whole certificate authority chain with the snake oil
stuff so that you can test your installation of the binary(ies).
However, that does you a disservice down the road when you have to do it
for real. 

> #       Also, did you install the openssl port, or are you using the openssl
> # that is part of the base in 4.0+? I vaguely remember you saying that you
> # were using the port. If so, cd to /usr/local/openssl and cp
> # openssl.cnf.sample to openssl.cnf.
> 
> I'm not using the port.  I'm using the bits that come with
> -current (and 4.0 on another box).  At Kris' suggestion I
> did copy over an /etc/ssl/openssl.cnf file but that didn't
> seem to help with the problem I'm having. :(

	Well, it'll help, but you have to get down the road a bit before you
notice how it helps you. :) Take a look at
http://www.modssl.org/docs/2.6/ssl_faq.html#ToC28 which describes the
process of creating real certificates. If this is to be a "real" secure
server that will be visible on the internet, you'll want to follow those
instructions pretty much to the letter (assuming you're using mod_ssl,
or one of its ports). 

	The way X.509 works for secure servers is that you first create a "key"
that is your server's unique signature. This is similar to the identity
files created with ssh-keygen. Then you create a certificate that
contains what is essentially your public key (actually a combination of
your certificate's public key and your identity key's public part). You
sign this certificate with your server's identity key, then send it to a
certificate authority (read, "Verisign") which signs the certificate
with its public key. Then you install the doubly signed certificate. The
client browser is able to use the information in your certificate to A)
confirm with the CA that your certificate really came from you, B)
encrypt an offer of a session key/cipher for that session, and C)
decrypt your acceptance of that offer. I'm oversimplifying this a bit,
hopefully you get the idea. There is more info on the web pages I sent
in my previous e-mail. 

HTH,

Doug
-- 
        "Live free or die"
		- State motto of my ancestral homeland, New Hampshire

	Do YOU Yahoo!?
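The key / certificate-request / CA-signature sequence described in the message above, carried out with the openssl command line. This is an added example, not code from the thread or from the mod_ssl FAQ it links to: the hostname, subject fields and scratch directory are made up, and a throwaway CA created on the spot stands in for Verisign (or for the snake-oil CA that mod_ssl ships). One caveat worth keeping in mind while reading the description above: the CA signs the certificate with its own private key, and clients check that signature with the CA's public key.

```shell
#!/bin/sh
# Added example (not from the original thread): build a server key, a
# certificate signing request, a throwaway CA, and a CA-signed server
# certificate with the openssl CLI, then check the result. Hostnames,
# subject fields and the scratch directory are assumptions for illustration.

set -eu

# Produce server.key, server.csr, ca.key, ca.crt and server.crt in $2 for
# hostname $1. Returns 0 only when server.crt verifies against ca.crt and
# server.key is the key that server.crt certifies.
make_server_cert() {
    host="$1"            # hostname to place in the certificate's CN
    dir="$2"             # scratch directory (assumed to exist and be writable)

    # 1. The server's private key (RSA 2048). Left unencrypted so httpd can
    #    start unattended; an encrypted key prompts for a passphrase at start.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null

    # 2. The certificate signing request: carries the public key and the
    #    identity, and is signed with the server's private key.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=NH/O=Example/CN=$host" 2>/dev/null

    # 3. A throwaway CA (self-signed) standing in for a commercial CA.
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=US/O=Example Test CA/CN=Example Test CA" 2>/dev/null

    # 4. The CA signs the request with the CA's private key. The output is
    #    the certificate that goes into SSLCertificateFile; server.key goes
    #    into SSLCertificateKeyFile.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
        -out "$dir/server.crt" 2>/dev/null

    # 5. Checks a practitioner should run before touching httpd.conf:
    #    the certificate chains to the CA, and the key matches the cert.
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$dir/server.key" 2>/dev/null)
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/server.crt" 2>/dev/null)
    [ "$key_mod" = "$crt_mod" ] || return 1
}

# Print the subject CN of a certificate, so the identity it asserts can be
# confirmed (handles both "CN = host" and "/CN=host" subject formats).
cert_cn() {
    openssl x509 -noout -subject -in "$1" 2>/dev/null | sed 's/.*CN *= *//'
}

# Stand-alone usage: build everything in a temp dir and report the CN.
if [ "${1:-}" = "run" ]; then
    scratch=$(mktemp -d)
    make_server_cert www.example.test "$scratch"
    echo "server cert issued for CN=$(cert_cn "$scratch/server.crt")"
    rm -rf "$scratch"
fi
```

Once the verify step passes, point SSLCertificateFile at server.crt and SSLCertificateKeyFile at server.key (the directive the message already names); a mismatch between those two files is the usual cause of RSA decrypt errors at startup, which the modulus comparison above catches before httpd does.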


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3915F286.6DD0067>