This is a fairly large and complicated topic. You are STRONGLY ENCOURAGED to
read about it in detail in the Mod_ssl Manual, Chapter 2 Introduction
and Chapter 6 FAQ List, either at http://www.modssl.org/docs/2.8/ or the
copy that comes with your HP WebWise MPE/iX Secure Web Server
(/APACHE/CURRENT/htmanual/mod/mod_ssl/ssl_intro.html and
ssl_faq.html) and is accessible from
http://yourserver.yourdomain.com/manual/.
Secure web servers require a unique private key and a unique server certificate
in order to establish secure encrypted communication sessions. This software
includes a default private key and server certificate so that you can
immediately start the server and begin testing. But because the supplied
private key and server certificate are not unique, they are NOT SECURE AND MUST
NOT BE USED FOR PRODUCTION PURPOSES!
You must generate your own private key and either obtain or create your own
server certificate in order to be secure. Keys and certificates contain
extremely sensitive data and must be tightly controlled to prevent
unauthorized access.
Log on as MGR.APACHE
Before starting any key or certificate management you should first log on as
MGR.APACHE and make sure that all configuration files and directories
are owned by MGR.APACHE:
1. :HELLO MGR.APACHE,PUB
2. :XEQ SH.HPBIN.SYS -L
3. $ export PATH=/APACHE/PUB/bin:$PATH
Create Your Private Server Key
Your private key is an EXTREMELY sensitive and confidential piece of
information. Anybody who obtains your private key will be able to impersonate
you. If you should ever lose your private key or have it stolen, your only
recourse is to create a new private key and do a better job of protecting it.
Appropriate file system security is essential for the file which contains your
private key. MGR.APACHE should be the owner of the key file, and the
owner is the only user that should have any kind of access. MGR.APACHE
should also be the owner of the directory in which the key file resides, and
nobody besides the owner should have access to the directory.
For added security, it is recommended that you encrypt your server key
with a pass phrase that is stored separately from the key. If you use a pass
phrase, it must be supplied to the web server at startup time,
either by inserting it directly into the /APACHE/PUB/JHTTPD job stream
after the command that invokes HTTPD (caution: the pass phrase will be
in plain text in the JHTTPD job stream, so you'll need to protect the job
stream too), or by writing a special script or program that HTTPD will invoke
to obtain the pass phrase. See the mod_ssl SSLPassPhraseDialog
configuration directive documentation for details.
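One way to write the pass phrase program mentioned above, as an added example rather than code from the HP or mod_ssl distribution: in its exec: mode, SSLPassPhraseDialog runs the program with the arguments servername:port and the key algorithm, and reads the pass phrase from its standard output. The PASSFILE_DIR location and the <servername>_<port>.pass file naming are assumptions of this example.

```sh
#!/bin/sh
# Added example: pass phrase helper for "SSLPassPhraseDialog exec:<this script>".
# mod_ssl calls it as:  <script> servername:port RSA|DSA
# and reads the pass phrase from standard output.
# PASSFILE_DIR and the "<servername>_<port>.pass" naming are hypothetical.

PASSFILE_DIR=${PASSFILE_DIR:-/APACHE/PUB/conf/ssl.pass}

# Succeed only if $1 is a regular file (not a symlink), owned by the
# calling user, with mode r-------- (what "chmod 400" produces).
owner_read_only() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    info=$(ls -ldn -- "$1") || return 1
    mode=$(printf '%s\n' "$info" | cut -c1-10)
    uid=$(printf '%s\n' "$info" | awk '{print $3}')
    [ "$mode" = "-r--------" ] && [ "$uid" = "$(id -u)" ]
}

# Print the pass phrase for the virtual host named in $1 ("servername:port").
# Prints nothing and returns non-zero if the name or the file is not acceptable.
emit_passphrase() {
    case $1 in
        ""|*[!A-Za-z0-9.:-]*)      # host-name characters only, so no "/" can appear
            echo "bad server id" >&2; return 1 ;;
    esac
    file=$PASSFILE_DIR/$(printf '%s' "$1" | tr ':' '_').pass
    if ! owner_read_only "$file"; then
        echo "refusing $file: must be owner-only, mode 400" >&2
        return 1
    fi
    cat -- "$file"
}

# Run only when invoked with arguments (as mod_ssl does).
[ "$#" -eq 0 ] || emit_passphrase "$1"
```

The script itself needs the same owner-only protection as the key, since anyone who can modify it can capture the pass phrase.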
Key generation uses a random number generator which, in order to be portable,
uses a rather simple random seed consisting of the current time, process ID,
and some memory buffer contents. To increase the randomness of the initial
random number, you should use the openssl -rand parameter to specify a file
whose contents may or may not be random but are definitely unique to your
machine. For example, because machines have different patches applied at
different times, /SYS/PUB/HPSWINFO might be suitable as a -rand file
containing unique data that will only exist on this one machine.
To create your private server key:
$ cd conf/ssl.key
$ openssl genrsa -rand /SYS/PUB/HPSWINFO -des3 -out server.key 1024
unable to load 'random state'
28199 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
................+++++
.................+++++
e is 65537 (0x10001)
Enter PEM pass phrase:********
Verifying password - Enter PEM pass phrase:********
$ openssl rsa -noout -text -in server.key
(displays the details of your newly created server key)
read RSA private key
Enter PEM pass phrase:********
$ chmod 400 server.key
Create Your Certificate Signing Request (CSR)
Next you need to use your private server key to create a CSR which
identifies your company and your web server. This is the same identity
that will be presented to your web browser users, so choose carefully.
When openssl prompts you to enter a value for "Common Name (e.g.,
YOUR name)", you need to enter the fully qualified domain name (FQDN)
of your web server. For example, if you want people to access your web server
via a URL prefix of https://www.yourcompanyhere.com, you would enter
www.yourcompanyhere.com in response to this prompt. When
openssl prompts you for the 'extra' attributes to be sent with
your certificate request, leave them blank.
To create your CSR:
$ cd ../ssl.csr
$ openssl req -new -key ../ssl.key/server.key -out server.csr
Using configuration from /APACHE/A0300/openssl.cnf
Enter PEM pass phrase:********
You are about to be asked to enter information that will be
incorporated into your certificate request. What you are about to
enter is what is called a Distinguished Name or a DN. There are quite
a few fields but you can leave some blank. For some fields there will
be a default value, If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:My State
Locality Name (eg, city) []:My City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:My Org
Common Name (eg, YOUR name) []:www.mycompany.com
Email Address []:webmaster@www.mycompany.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$ openssl req -noout -text -in server.csr
(displays the details of your newly created server CSR)
Using configuration from /APACHE/A0300/openssl.cnf
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=My State, L=My City, O=My Company, OU=My Org,
CN=www.mycompany.com/Email=webmaster@www.mycompany.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: md5WithRSAEncryption
$ chmod 400 server.csr
You're now ready to have your CSR signed by a Certificate
Authority (CA). This results in the creation of a server
certificate. You have two options: you can either have an external
trusted CA sign your CSR, or you can create your own CA and use it to sign your
CSR. Choose one of these options; both are explained in detail below.
Submit Your CSR to an External Trusted CA For Signing...
All web browsers come preconfigured with a list of trusted
CAs. Certificates signed by these trusted CAs will in turn be trusted
by the browsers. If your certificate is signed by a CA unrecognized
by the browser, each browser user will get a warning dialog window
each time they visit your web site. So if you're doing
an Internet e-commerce application where you have no control over
the customer's browser configuration, you will want to
obtain your certificate from one of the default trusted CAs recognized
by all browsers.
There are many trusted CAs; VeriSign (www.verisign.com) and
Equifax (www.equifaxsecure.com) are just two examples. By
using your browser's security-related features, you can list all of the CAs
trusted by that particular browser.
You can either purchase a real certificate at this point,
or alternatively you can usually obtain a free test certificate
good for a limited time. In either case, the process is the same.
You typically visit the CA's web site and submit a web
registration form that includes a cut/paste of your CSR, and then
the CA e-mails the resulting certificate to you.
You need to cut/paste your CSR in its raw PEM format, which looks like
this if you display the contents of the conf/ssl.csr/server.csr file:
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Your signed certificate will arrive in raw PEM format,
which looks like this:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Save this data as /APACHE/PUB/conf/ssl.crt/server.crt and then proceed
to the "Installing Your Certificate" section. You
can display the details of your new server certificate by doing:
$ openssl x509 -noout -text -in /APACHE/PUB/conf/ssl.crt/server.crt
...Or Sign Your CSR With Your Own CA
First, create a private key and certificate for your CA. The CA requires
a unique Distinguished Name different from the server certificate(s) you will
be signing. One way to do this is to use a unique Organizational Unit Name when
you create the CA certificate. For example, if your organization is XYZ
Corporation, you might want to make the Organizational Unit Name be XYZ
Corporation Certificate Authority.
$ cd ../ssl.key
$ openssl genrsa -des3 -out ca.key 1024
1128 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.......................................+++++
....................................................+++++
e is 65537 (0x10001)
Enter PEM pass phrase:********
Verifying password - Enter PEM pass phrase:********
$ openssl rsa -noout -text -in ca.key
(displays the details of your newly created CA key; output omitted)
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Using configuration from /APACHE/A0300/ssl/openssl.cnf
Enter PEM pass phrase:********
You are about to be asked to enter information that will be
incorporated into your certificate request. What you are about to
enter is what is called a Distinguished Name or a DN. There are quite
a few fields but you can leave some blank. For some fields there will
be a default value, If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:My State
Locality Name (eg, city) []:My City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:My Company CA
Common Name (eg, YOUR name) []:Certificate Authority
Email Address []:ca@mycompany.com
$ openssl x509 -noout -text -in ca.crt
(displays the details of your newly created CA certificate)
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=My State, L=My City, O=My Company,
OU=My Company CA,
CN=Certificate Authority/Email=ca@mycompany.com
Validity
Not Before: Apr 13 18:29:50 2000 GMT
Not After : Apr 13 18:29:50 2001 GMT
Subject: C=US, ST=My State, L=My City, O=My Company,
OU=My Company CA,
CN=Certificate Authority/Email=ca@mycompany.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
89:B4:C8:ED:17:82:61:39:C5:1D:9F:E9:12:73:75:C8:31:EA:DF:33
X509v3 Authority Key Identifier:
keyid:89:B4:C8:ED:17:82:61:39:C5:1D:9F:E9:12:73:75:C8:31:EA:DF:33
DirName:/C=US/ST=My State/L=My City/O=My Company/OU=My Company CA/CN=Certificate Authority/Email=ca@mycompany.com
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
$ chmod 400 ca.key ca.crt
Then sign your CSR with your CA certificate and move all files to their correct
secure locations:
$ sign.sh ../ssl.csr/server.csr
CA signing: ../ssl.csr/server.csr -> ../ssl.csr/server.crt:
Using configuration from ca.config
Enter PEM pass phrase:********
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'My State'
localityName :PRINTABLE:'My City'
organizationName :PRINTABLE:'My Company'
organizationalUnitName:PRINTABLE:'My Org'
commonName :PRINTABLE:'www.mycompany.com'
emailAddress :IA5STRING:'webmaster@www.mycompany.com'
Certificate is to be certified until Apr 13 18:36:41 2001 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: ../ssl.csr/server.crt <- CA cert
../ssl.csr/server.crt: OK
$ rm -fR ca.db.*
$ cd ..
$ mv ssl.csr/server.crt ssl.crt/server.crt
$ openssl x509 -noout -text -in ssl.crt/server.crt
(displays the details of your newly created self-signed server
certificate)
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=My State, L=My City, O=My Company,
OU=My Company CA,
CN=Certificate Authority/Email=ca@mycompany.com
Validity
Not Before: Apr 13 18:36:41 2000 GMT
Not After : Apr 13 18:36:41 2001 GMT
Subject: C=US, ST=My State, L=My City, O=My Company, OU=My Org,
CN=www.mycompany.com/Email=webmaster@www.mycompany.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
$ mv ssl.key/ca.crt ssl.crt/ca.crt
Installing Your Certificate
Certificates (and keys) are sensitive information and must
be protected from unauthorized usage:
$ cd /APACHE/PUB/conf/ssl.crt
$ make
(to rebuild the certificate hash symbolic links)
ca-bundle.crt ... Skipped
ca.crt ... dc91dd8e.0
server.crt ... 2f66b362.0
snakeoil-ca-dsa.crt ... 0cf14d7d.0
snakeoil-ca-rsa.crt ... e52d41d0.0
snakeoil-dsa.crt ... 5d8360e1.0
snakeoil-rsa.crt ... 82ab5372.0
zzyzx-ca-rsa.crt ... f28a2a0f.0
$ chmod 400 /APACHE/PUB/conf/ssl.*/*
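A consistency check for the files this procedure produces, as an added example that is not part of the original manual: it compares the RSA modulus of the private key, the CSR and the installed certificate using the -modulus option of openssl rsa, req and x509, and reports keys shorter than MIN_BITS. The MIN_BITS default of 2048 is an assumption of this example; the 1024-bit key generated in the transcript above is reported with status 3.

```sh
#!/bin/sh
# Added example: confirm that a key, CSR and certificate carry the same RSA
# modulus, and report keys shorter than MIN_BITS.
# MIN_BITS (default 2048) is this example's assumption, not a value from the page.

MIN_BITS=${MIN_BITS:-2048}

# Print the RSA modulus (hex digits) held in a PEM file.
#   $1 = openssl subcommand: rsa (private key), req (CSR) or x509 (certificate)
#   $2 = file name
# Fails when openssl cannot parse the file, so two unreadable files
# can never be reported as "matching".
modulus_of() {
    m=$(openssl "$1" -noout -modulus -in "$2") || return 1
    case $m in
        Modulus=?*) printf '%s\n' "${m#Modulus=}" ;;
        *) return 1 ;;
    esac
}

# Modulus length in bits: each hex digit encodes 4 bits.
modulus_bits() {
    echo $(( ${#1} * 4 ))
}

# check_triplet KEY CSR CRT
#   0 = all three share one modulus and the key has at least MIN_BITS bits
#   1 = the files do not belong together
#   2 = a file could not be read or parsed
#   3 = they match, but the key is shorter than MIN_BITS
check_triplet() {
    k=$(modulus_of rsa "$1")  || return 2
    r=$(modulus_of req "$2")  || return 2
    c=$(modulus_of x509 "$3") || return 2
    [ "$k" = "$r" ] && [ "$k" = "$c" ] || return 1
    [ "$(modulus_bits "$k")" -ge "$MIN_BITS" ] || return 3
    return 0
}

# Run the check when called as: script KEY CSR CRT
if [ "$#" -eq 3 ]; then
    check_triplet "$1" "$2" "$3"
    rc=$?
    echo "check_triplet: status $rc"
    exit "$rc"
fi
```

From /APACHE/PUB/conf the three arguments are ssl.key/server.key, ssl.csr/server.csr and ssl.crt/server.crt; openssl asks for the pass phrase when the key is encrypted.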