Creating a self-signed CA cert

Steven Stromer filter at stevenstromer.com
Sat Nov 5 18:01:06 UTC 2005


kwhiskers wrote:
> 
> 
> On 03/11/05, *Steven Stromer* <filter at stevenstromer.com 
> <mailto:filter at stevenstromer.com>> wrote:
> 
>      >>>I want
>      >>>to create a self-signed CA cert, which is most easily achieved
>     using the
>      >>>ca.pl script. This is no longer anywhere to be found, along with the
>      >>>demoCA folder that one would normally expect to find. Can anyone
>     shed
>      >>>some light on where these files ended up? I can't find them on a
>     search.
> 
>      >>The perl script is in the openssl-perl package.  The original
>     split was
>      >>needed to keep the openssl package from depending on perl, which
>     isn't
>      >>part of the "Base" package component/group.
>      >>
>      >>It looks like the generated data files would now be placed in
>     /etc/CA,
>      >>but of course that's configurable in openssl.cnf.
>      >>
>      >>HTH,
>      >>
>      >>Nalin
> 
>      > It seems to me that certificates can be created using :
>      > /etc/pki/tls/certs/Makefile
>      > -------------------------------------------
>      > Aaron Konstam
> 
>     Thank you all for your replies. I was aware of the line:
> 
>     'OpenSSL: the /usr/share/ssl contents have moved to /etc/pki/tls and
>     /etc/pki/CA.'
> 
>     in FC4's Release Notes. However, within the new path, there are many
>     files missing that were available in the old path.
> 
>     Nalin helped to explain some of the missing files by documenting that
>     openssl and openssl-perl are separate packages. That helps to explain
>     some of the missing script files.
> 
>     Before learning this I manually executed all of the commands I needed
>     to create my CA and host certificates and keys using openssl commands,
>     which are easier to use, in my opinion, than the perl scripts that
>     exist
>     to help in these steps. But, that's just a matter of opinion, and I
>     understand that there are a number of scripts that perform very
>     convenient file conversion, that I may find myself reaching for sometime
>     in the future.
> 
>     For the moment, I've skipped installing the openssl-perl package, just
>     to keep life as simple as possible (less to learn, secure, and just deal
>     with!).
> 
>     The Makefile is also very helpful for at least creating a pem styled
>     csr
>     (make certreq).
> 
>     However, this is where the remaining missing files and directories come
>     into play. I want to sign my newly minted request with my own CA cert,
>     but I am getting errors having to do with the configuration of
>     openssl.cnf. There seem to be a number of 'mistakes' in the CA_default
>     section of the configuration file. The first attribute 'dir', has a
>     value of '../../CA', which seems faulty to me. Worse, a few lines
>     later,
>     the 'crl_dir', 'serial', 'crl' and a number of other attributes have
>     values that point to directories and files that simply DO NOT EXIST!
> 
>     I have attempted to create some of the missing directories, which gets
>     me past the first few errors when executing:
> 
>     openssl ca -config /etc/pki/tls/openssl.cnf -policy policy_anything -out
>     www.domainname.com.pem -infiles www.domainname.com.request.pem
> 
>     but, eventually I get to errors relating to the missing files (i.e.
>     index.txt) and I grind to a halt.
> 
>     Has anyone successfully created CA and signed their own certs using a
>     'default' installation of FC4? Did you have to take any extraordinary
>     steps to achieve this?
> 
>     Thanks everyone for the responses. Sorry this is more involved than it
>     first seemed.
> 
>     Steven Stromer
> 
>     --
>     fedora-list mailing list
>     fedora-list at redhat.com <mailto:fedora-list at redhat.com>
>     To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
> 
> 
> I am waiting with bated breath for the answer.
> 
> I had created a certificate manually, with openssl pkcs 
> somethingorother, which generated the certificate and imported 
> successfully into konqueror, firefox and mozilla.
> 
> This morning, I discovered the makefile in /etc/pki/certs and tried make 
> certificatename.pem and that worked also.
> 
> I have placed these certificates into every directory I can think of in 
> the /etc/pki tree, as well as having imported them into the 
> aforementioned programs.
> 
> I am unable to use these certificates to sign a document in open office, 
> however.
> 
> As for your problem, I cannot offer any more information, but I feel that 
> the solutions are allied.
> 

It would seem that signing a certificate should be a fairly 
straightforward, and common action; at least common enough for some list 
readers to be able to say 'yes, I can do this without a problem in FC4', 
or 'no, I'm experiencing the same problems'. I am becoming more and more 
convinced that this is an issue of misconfiguration of the present 
openssl package, which might warrant a bug listing. There is some 
interesting, and very good, documentation on openssl.cfg at:

http://www.technoids.org/openssl.cnf.html

It has helped me to understand better what is failing to work, some of 
which I described in an earlier posting in this thread. There are now a 
few people needing help here! Any brains in shining armor around?

Thanks again!

Steven Stromer
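The thread's sticking point is that the CA_default section of openssl.cnf refers to a database (index.txt), a serial file and a newcerts directory that `openssl ca` will not create on its own, and that a relative `dir` such as `../../CA` resolves against whatever the current working directory happens to be. The script below is an added example, not part of this thread or of Fedora's shipped configuration: it builds that layout under a directory you name, writes a minimal self-contained openssl.cnf with an absolute `dir`, mints a CA key and self-signed CA certificate, then signs a host CSR with `openssl ca -policy policy_anything` much as the earlier post attempted. Every path, section name, subject and the config contents are assumptions made for the demo; the only tool it needs is the `openssl` command.

```shell
#!/bin/sh
# Added example (not from the thread): create the CA_default layout that
# `openssl ca` expects, mint a CA cert, and sign one host CSR against it.
# All paths, names and config contents are assumptions for this demo.
set -eu

setup_demo_ca() {
    dir="$1"
    # State files and directories the CA_default section points at; these
    # are what the thread found missing under /etc/pki.
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"
    : > "$dir/index.txt"          # certificate database; `openssl ca` aborts if absent
    echo 1000 > "$dir/serial"     # next serial number (hex)
    echo 1000 > "$dir/crlnumber"  # next CRL number, used by `openssl ca -gencrl`

    # Minimal config. $dir is expanded by the shell here (absolute path);
    # \$dir stays literal so OpenSSL substitutes it from the `dir` key.
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir            = $dir
certs          = \$dir/certs
crl_dir        = \$dir/crl
new_certs_dir  = \$dir/newcerts
database       = \$dir/index.txt
serial         = \$dir/serial
crlnumber      = \$dir/crlnumber
certificate    = \$dir/cacert.pem
private_key    = \$dir/private/cakey.pem
default_days   = 365
default_md     = sha256
policy         = policy_anything
unique_subject = no

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_host ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

    # 1. CA key and self-signed CA certificate (the "CA cert" of the thread).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/private/cakey.pem" 2>/dev/null
    openssl req -config "$dir/openssl.cnf" -new -x509 -days 3650 \
        -key "$dir/private/cakey.pem" -subj "/CN=Demo Test CA" \
        -extensions v3_ca -out "$dir/cacert.pem"

    # 2. Host key and CSR (the role `make certreq` plays in the Makefile).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/private/host.key.pem" 2>/dev/null
    openssl req -config "$dir/openssl.cnf" -new \
        -key "$dir/private/host.key.pem" -subj "/CN=www.example.test" \
        -out "$dir/host.csr.pem"

    # 3. Sign the CSR. -batch skips the interactive confirmations; the CA
    #    state is updated (serial bumped, index.txt gets one line per cert).
    openssl ca -batch -config "$dir/openssl.cnf" -policy policy_anything \
        -extensions v3_host -notext \
        -in "$dir/host.csr.pem" -out "$dir/certs/host.cert.pem"
}

# Chain check: exit 0 only if the host cert validates against the CA cert.
verify_signed_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$1/certs/host.cert.pem" >/dev/null
}

# Number of certificates recorded in the CA database (one line each).
count_issued() {
    wc -l < "$1/index.txt" | tr -d ' '
}

# Stand-alone use: sh demo_ca.sh /tmp/demoCA
if [ $# -gt 0 ]; then
    setup_demo_ca "$1"
    verify_signed_cert "$1" && echo "issued $(count_issued "$1") certificate(s), chain OK"
fi
```

The host certificate is deliberately constrained (CA:FALSE, serverAuth only) and the CA certificate carries keyCertSign and cRLSign, so a host key that leaks cannot be used to issue further certificates. Keep `$dir/private` unreadable to other users, and treat index.txt and serial as part of the CA state to back up: if they are lost, the CA can no longer tell which serials it has already issued.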
