Re: OT, self-signed ssl certificate generation
- Reply: Marcin Cieslak : "Re: OT, self-signed ssl certificate generation"
- In reply to: Ronald Klop : "Re: OT, self-signed ssl certificate generation"
Date: Fri, 30 Aug 2024 00:06:01 UTC
On Thu, Aug 29, 2024 at 11:00:23AM +0200, Ronald Klop wrote:
> >
> > In trying to get ssl working for apache24 I tried to follow the
> > instructions for self-signed certificate generation at
> > https://docs.freebsd.org/en/books/handbook/security/index.html
> > in section 16.8.1, Generating Certificates.
> >
> > The first example for generating a key and signing request
> > behaved as expected, generating a cert.key and req.pem file.
> >
> > The second example, for a self-signed certificate, adjusted to:
> > openssl req -new -x509 -days 365 -sha3-512 -keyout host.key -out host.crt
>
>
> Hi,
>
> This command works for me. So I think you should look further what fails.
> That it does not prompt for user input sounds like openssl does not execute properly. What is the exit code of running the command?
> Does it give any output?
>

The first thing it prompted for was a pass phrase. There being no reason to have one, I simply hit Enter. Eventually I accidentally discovered that providing a passphrase allows certificate and key generation to proceed.

But, I don't see any reason for a passphrase on a self-signed certificate key. If I were sending the certificate elsewhere for signing it might make sense. Am I missing something?

In the meantime I learned of security/xca and started reading the docs at
https://hohnstaedt.de/xca/index.php/documentation/manual
which has proved a large bite to swallow. In particular, the relationship between a host certificate and a CA certificate eludes me.

Perhaps putting a plaintext password in the apache config file isn't so bad in comparison if it works!
> Mine gives:
> $ openssl req -new -x509 -days 365 -sha3-512 -keyout host.key -out host.crt
[big snip]
> ..........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+...+...+.+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+.........+...+.+............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Enter PEM pass phrase:
> Verifying - Enter PEM pass phrase:
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:NL
> State or Province Name (full name) [Some-State]:NH
> Locality Name (eg, city) []:Amsterdam
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:Henk
> Organizational Unit Name (eg, section) []:
> Common Name (e.g. server FQDN or YOUR name) []:henk.example.org
> Email Address []:henk@example.org
>

If I enter a non-null passphrase I see functionally what you see. Probably I should just accept the necessity of a passphrase and resume trying to get apache working with https; getting chromium to accept a self-signed certificate is proving difficult. Then the original goal of getting sendmail to use tls will be a little bit closer. That's what started the whole fire drill.

Thanks for writing!

bob prohaska
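As an added example (not from this thread or from the FreeBSD handbook): a small sh script that produces the key and self-signed certificate discussed above without a pass phrase prompt and then checks what was produced. It assumes OpenSSL 1.1.1 or later (for -addext) and uses the constructed placeholder host name host.example.org; -sha256 is used in place of -sha3-512 only for portability.

```shell
#!/bin/sh
# Generate an unencrypted private key plus a self-signed certificate
# non-interactively, then verify the result. Assumes OpenSSL >= 1.1.1.

gen_selfsigned() {
    host="$1"; dir="$2"
    mkdir -p "$dir"
    # -nodes: write the private key unencrypted, so no PEM pass phrase is
    # asked for (OpenSSL 3 also spells this -noenc). Without it, openssl
    # insists on a pass phrase of at least 4 characters, which is why
    # just pressing Enter does not work.
    # -subj: supply the DN so nothing is prompted for.
    # -addext: add a subjectAltName; Chromium matches the host name against
    # the SAN only and ignores the CN, so a CN-only cert is rejected.
    openssl req -new -x509 -days 365 -sha256 -nodes \
        -keyout "$dir/host.key" -out "$dir/host.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null || return 1
    # An unencrypted key is protected by file permissions instead.
    chmod 600 "$dir/host.key"
}

# Returns 0 if the key parses without a pass phrase (-passin pass: gives
# an empty one, so an encrypted key fails instead of prompting).
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1" &&
        openssl pkey -in "$1" -passin pass: -noout 2>/dev/null
}

# Returns 0 if the certificate's public key equals the private key's.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Returns 0 if the certificate carries the host as a DNS SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}
```

Running `gen_selfsigned host.example.org ./tls` followed by the three check functions on ./tls/host.crt and ./tls/host.key gives a key file that apache24 can load without a password in its config.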