This is a fairly large and complicated topic. You are STRONGLY
ENCOURAGED to read about it in detail in the Mod_ssl manual,
Chapter 2 Introduction and Chapter 6 FAQ List either at
http://www.modssl.org/docs/2.4/ or the copy that comes with your
HP WebWise MPE/iX Secure Web Server
(/APACHE/SECURE/htdocs/manual/mod/mod_ssl/ssl_intro.html and
ssl_faq.html) and is accessible from the default home page.
Secure web servers require a unique private key and a unique
server certificate in order to establish secure encrypted communication
sessions. This software includes a default private key and server
certificate so that you can immediately start the server and begin testing.
But because the supplied private key and server certificate are
not unique, they are NOT SECURE AND MUST NOT BE USED FOR
PRODUCTION PURPOSES!
You must generate your own private key and either obtain or
create your own server certificate in order to be secure. Keys and
certificates contain extremely sensitive data and must be tightly
controlled to prevent unauthorized access.
Before starting any key or certificate management you should first log on as
MGR.APACHE and make sure that all configuration files and directories
are owned by MGR.APACHE:
:HELLO MGR.APACHE,SECURE
:XEQ SH.HPBIN.SYS -L
$ export PATH=/APACHE/SECURE/bin:$PATH
$ chown -R MGR.APACHE conf
If you wish to start testing with the default non-secure key
and certificate, perform the following steps, and then skip
ahead to "Starting the Web Server":
$ cp conf/ssl.crt/server.crt.sample conf/ssl.crt/server.crt
$ cp conf/ssl.key/server.key.sample conf/ssl.key/server.key
Your private key is an EXTREMELY sensitive
and confidential piece of information. Anybody who obtains
your private key will be able to impersonate you. If you should
ever lose your private key or have it stolen, your only recourse
is to create a new private key and do a better job of protecting it.
Appropriate filesystem security is essential for the file which contains your
private key. MGR.APACHE should be the owner of the key file, and the
owner is the only user that should have any kind of access. MGR.APACHE
should also be the owner of the directory in which the key file resides, and
nobody besides the owner should have access to the directory.
For added security, it is recommended that you encrypt
your server key with a pass phrase that is stored separately from
the key. If you use a pass phrase, this will need to be supplied
to the web server at start up time, either by inserting it directly
into the /APACHE/SECURE/JHTTPDS job stream after the command
that invokes HTTPDS (caution — the pass phrase will be in plain text
in the JHTTPDS job stream, so you'll need to protect the job stream too),
or by writing a special script or program that HTTPDS will invoke to obtain the
pass phrase. See the mod_ssl SSLPassPhraseDialog configuration
directive documentation for details.
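A pass phrase program of the kind described above, as an added example rather than code shipped with the server. It assumes the exec: form of SSLPassPhraseDialog documented by mod_ssl; the function names are hypothetical and the PASSFILE path is a placeholder.

```shell
#!/bin/sh
# Pass phrase program for "SSLPassPhraseDialog exec:/path/to/this/script".
# mod_ssl calls it with two arguments, "servername:portnumber" and "RSA" or
# "DSA", and reads the pass phrase from standard output.
# Assumption: the pass phrase is the first line of the file named by
# PASSFILE, kept in a directory separate from the key (placeholder path).
PASSFILE=${PASSFILE:-/path/to/passphrase.file}

# True only if $1 exists and grants no access to group or other.
owner_only() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Print the pass phrase stored in file $1, refusing if the file or its
# directory is missing or accessible to anyone but the owner.
read_passphrase() {
    file=$1
    dir=$(dirname "$file")
    if ! owner_only "$dir"; then
        echo "refusing: $dir is missing or open to group/other" >&2
        return 1
    fi
    if ! owner_only "$file"; then
        echo "refusing: $file is missing or open to group/other" >&2
        return 1
    fi
    # First line only; the phrase never appears on a command line.
    head -n 1 "$file"
}

if [ $# -eq 2 ]; then
    # $1 = servername:portnumber, $2 = RSA or DSA (one stored phrase here)
    read_passphrase "$PASSFILE" || exit 1
fi
```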
Key generation uses a random number generator which, in order to be portable,
uses a rather simple random seed consisting of the current time, process ID,
and some memory buffer contents. To increase the randomness of the initial
random number, you should use the openssl -rand
parameter to specify a file whose contents may or may not be random but are
definitely unique to your machine. For example, because machines have
different patches applied at different times, /SYS/PUB/HPSWINFO might
be suitable as a -rand file containing unique data that will
only exist on this one machine.
To create your private server key:
$ cd conf/ssl.key
$ openssl genrsa -rand /SYS/PUB/HPSWINFO -des3 -out server.key 1024
unable to load 'random state'
28199 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
................+++++
.................+++++
e is 65537 (0x10001)
Enter PEM pass phrase:********
Verifying password - Enter PEM pass phrase:********
$ openssl rsa -noout -text -in server.key
(displays the details of your newly created server key)
read RSA private key
Enter PEM pass phrase:********
Private-Key: (1024 bit)
$ chmod 400 server.key
Next you need to use your private server key to create a CSR which
identifies your company and your web server. This is the same identity
that will be presented to your web browser users, so choose carefully.
When openssl prompts you to enter a value for "Common Name (e.g., YOUR
name)", you need to enter the fully qualified domain name (FQDN) of your
web server. For example, if you want people to access your web server via a URL
prefix of https://www.yourcompanyhere.com, you would enter
www.yourcompanyhere.com in response to this prompt. When
openssl prompts you for the 'extra' attributes to be sent with your
certificate request, leave them blank.
To create your CSR:
$ cd ../ssl.csr
$ openssl req -new -key ../ssl.key/server.key -out server.csr
Using configuration from /APACHE/SECURE/ssl/openssl.cnf
Enter PEM pass phrase:********
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:My State
Locality Name (eg, city) []:My City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:My Org
Common Name (eg, YOUR name) []:www.mycompany.com
Email Address []:webmaster@www.mycompany.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$ openssl req -noout -text -in server.csr
(displays the details of your newly created server CSR)
Using configuration from /APACHE/SECURE/ssl/openssl.cnf
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=My State, L=My City, O=My Company,
OU=My Org, CN=www.mycompany.com/
Email=webmaster@www.mycompany.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: md5WithRSAEncryption
$ chmod 400 server.csr
You're now ready to have your CSR signed by a Certificate
Authority (CA). This results in the creation of a server
certificate. You have two options — you can either have an external
trusted CA sign your CSR, or you can create your own CA and use it to sign your
CSR. Choose one of these options; both are explained in detail below.
All web browsers come preconfigured with a list of trusted
CAs. Certificates signed by these trusted CAs will in turn be trusted
by the browsers. If your certificate is signed by a CA unrecognized
by the browser, each browser user will get a warning dialog window
each time they visit your web site. So if you're doing
an Internet e-commerce application where you have no control over
the customer's browser configuration, you will want to
obtain your certificate from one of the default trusted CAs recognized
by all browsers.
There are many trusted CAs; VeriSign (www.verisign.com) and
Equifax (www.equifaxsecure.com) are just two examples. By using
your browser's security-related features, you can list all of the CAs trusted
by that particular browser.
You can either purchase a real certificate at this point,
or alternatively you can usually obtain a free test certificate
good for a limited time. In either case, the process is the same. You
typically visit the CA's web site and submit a web registration
form that includes a cut/paste of your CSR, and then the CA e-mails
the resulting certificate to you.
You need to cut/paste your CSR in its raw PEM format, which looks like
this if you display the contents of the conf/ssl.csr/server.csr file:
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Your signed certificate will arrive in raw PEM format,
which looks like this:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Save this data as /APACHE/SECURE/conf/ssl.crt/server.crt and then
proceed to the "Installing Your Certificate" section. You can display the
details of your new server certificate by doing:
$ openssl x509 -noout -text -in /APACHE/SECURE/conf/ssl.crt/server.crt
First, create a private key and certificate for your CA. The
CA requires a unique Distinguished Name different from the server
certificate(s) you will be signing. One way to do this is to use
a unique Organizational Unit Name when you create the CA certificate. For
example, if your organization is XYZ Corporation, you might want to make the
Organizational Unit Name be XYZ Corporation Certificate Authority.
$ cd ../ssl.key
$ openssl genrsa -des3 -out ca.key 1024
1128 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.......................................+++++
....................................................+++++
e is 65537 (0x10001)
Enter PEM pass phrase:********
Verifying password - Enter PEM pass phrase:********
$ openssl rsa -noout -text -in ca.key
(displays the details of your newly created CA key; output omitted)
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Using configuration from /APACHE/SECURE/ssl/openssl.cnf
Enter PEM pass phrase:********
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:My State
Locality Name (eg, city) []:My City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:My Company CA
Common Name (eg, YOUR name) []:Certificate Authority
Email Address []:ca@mycompany.com
$ openssl x509 -noout -text -in ca.crt
(displays the details of your newly created CA certificate)
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=My State, L=My City, O=My Company,
OU=My Company CA, CN=Certificate Authority/
Email=ca@mycompany.com
Validity
Not Before: Apr 13 18:29:50 2000 GMT
Not After : Apr 13 18:29:50 2001 GMT
Subject: C=US, ST=My State, L=My City, O=My Company,
OU=My Company CA, CN=Certificate Authority/
Email=ca@mycompany.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
89:B4:C8:ED:17:82:61:39:C5:1D:9F:E9:12:73:75:C8:31:EA:DF:33
X509v3 Authority Key Identifier:
keyid:89:B4:C8:ED:17:82:61:39:C5:1D:9F:E9:12:73:75:C8:31:EA:DF:33
DirName:/C=US/ST=My State/L=My City/O=My Company/
OU=My Company CA/CN=Certificate Authority/
Email=ca@mycompany.com
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
$ chmod 400 ca.key ca.crt
Then sign your CSR with your CA certificate and move all files to their correct
secure locations:
$ sign.sh ../ssl.csr/server.csr
CA signing: ../ssl.csr/server.csr -> ../ssl.csr/server.crt:
Using configuration from ca.config
Enter PEM pass phrase:********
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'My State'
localityName :PRINTABLE:'My City'
organizationName :PRINTABLE:'My Company'
organizationalUnitName:PRINTABLE:'My Org'
commonName :PRINTABLE:'www.mycompany.com'
emailAddress :IA5STRING:'webmaster@www.mycompany.com'
Certificate is to be certified until Apr 13 18:36:41 2001 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: ../ssl.csr/server.crt <- CA cert
../ssl.csr/server.crt: OK
$ rm -fR ca.db.*
$ cd ..
$ mv ssl.csr/server.crt ssl.crt/server.crt
$ openssl x509 -noout -text -in ssl.crt/server.crt
(displays the details of your newly created self-signed server certificate)
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=My State, L=My City, O=My Company,
OU=My Company CA, CN=Certificate Authority/
Email=ca@mycompany.com
Validity
Not Before: Apr 13 18:36:41 2000 GMT
Not After : Apr 13 18:36:41 2001 GMT
Subject: C=US, ST=My State, L=My City, O=My Company,
OU=My Org, CN=www.mycompany.com/
Email=webmaster@www.mycompany.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
$ mv ssl.key/ca.crt ssl.crt/ca.crt
Certificates (and keys) are sensitive information and must
be protected from unauthorized usage:
$ cd /APACHE/SECURE/conf/ssl.crt
$ make
(to rebuild the certificate hash symbolic links)
ca-bundle.crt ... Skipped
ca.crt ... dc91dd8e.0
server.crt ... 2f66b362.0
snakeoil-ca-dsa.crt ... 0cf14d7d.0
snakeoil-ca-rsa.crt ... e52d41d0.0
snakeoil-dsa.crt ... 5d8360e1.0
snakeoil-rsa.crt ... 82ab5372.0
zzyzx-ca-rsa.crt ... f28a2a0f.0
$ chmod 400 /APACHE/SECURE/conf/ssl.*/*
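Before starting the server it is worth confirming that the installed certificate was issued for your private key and carries the FQDN you entered as the Common Name. The script below is an added example, not part of the product; its function names are hypothetical and it uses only the openssl x509 and rsa subcommands shown above, with their -modulus and -subject options.

```shell
#!/bin/sh
# Pre-install check for a server certificate (added example).
# Usage: script server.crt server.key www.yourcompanyhere.com
# If the key is encrypted, openssl prompts for its pass phrase.

# Succeeds only if certificate $1 holds the public half of RSA key $2.
cert_matches_key() {
    cm=$(openssl x509 -noout -modulus -in "$1") || return 2
    km=$(openssl rsa -noout -modulus -in "$2") || return 2
    [ -n "$cm" ] && [ "$cm" = "$km" ]
}

# Print the Common Name from the subject of certificate $1.
# Handles both "/CN=name" and "CN = name" subject layouts; if "CN=" occurs
# more than once in the subject line, the last occurrence is used.
cert_common_name() {
    openssl x509 -noout -subject -in "$1" |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Run both checks: $1 certificate, $2 key, $3 expected FQDN.
check_before_install() {
    if ! cert_matches_key "$1" "$2"; then
        echo "FAIL: $1 was not issued for $2" >&2
        return 1
    fi
    cn=$(cert_common_name "$1")
    if [ "$cn" != "$3" ]; then
        echo "FAIL: Common Name '$cn' is not '$3'" >&2
        return 1
    fi
    echo "OK: $1 matches $2 and names $3"
}

if [ $# -eq 3 ]; then
    check_before_install "$1" "$2" "$3" || exit 1
fi
```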