[TriLUG] it's late.. ssl question

Joseph Tate dragonstrider at gmail.com
Mon Oct 11 08:44:06 EDT 2004


What I've done in the past is generate a CA key.  This I post on my
web site, i.e. http://www.dragonstrider.com/security/cacert.pem, so
that any client can import it.

After the client has imported it into the trusted root CA certs, any
key signed by that CA key will be accepted.  Makes it easy to visit
https://www.dragonstrider.com.

We'll talk about doing this in Saturday's class.

Joseph


On Mon, 11 Oct 2004 00:12:17 -0400, David A. Cafaro <dac at trilug.org> wrote:
> Oh well, sorry it didn't help.  Good luck!
> 
> -David
> 
> 
> 
> On Mon, 2004-10-11 at 00:06, Greg Brown wrote:
> > Nope, still having the same issue with firefox even after building the
> > new cert with the -set_serial 01 option.  I'll try again in the morning,
> > it's just too late now.
> >
> > But thanks very much for the pointer!
> >
> > Greg
> >
> > On Oct 10, 2004, at 10:55 PM, David A. Cafaro wrote:
> >
> > > Ok found it, try the "-set_serial 01" option, that should do it.
> > >
> > > -David
> > >
> > > On Sun, 2004-10-10 at 22:51, David A. Cafaro wrote:
> > >> Your problem is that you previously had a certificate that you probably
> > >> generated that had serial number "00" for the first certificate.  When
> > >> you generated your new certificate, you generated it with the same
> > >> serial number of "00".  Now if any web browser has the old certificate
> > >> saved, it will fail because it's seeing a different certificate for the
> > >> same site with the same serial number.  You have two options to fix
> > >> this.  Delete the saved certificate on any browser that might have it
> > >> saved, or generate a new certificate with the serial incremented by
> > >> one.  I actually did this once before, but would have to go back through
> > >> my docs to remember how.  I don't think it was too difficult; I think you
> > >> can set it via command line or in the openssl.cnf file.
> > >>
> > >>
> > >> On Sun, 2004-10-10 at 22:43, Greg Brown wrote:
> > >>> I must be looking over something very obvious.  I reinstalled my server
> > >>> OS, CentOS in this case, and installed http via yum.  I also installed
> > >>> openssl and created a key using the following command:
> > >>>
> > >>> openssl req -new -x509 -extensions v3_ca -keyout \
> > >>> private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf
> > >>>
> > >>> I then installed mod_ssl from yum which previously, after the first two
> > >>> steps, would allow me to use https encryption.  For some reason I now
> > >>> get an error when I try to access my web server via https.  The error
> > >>> is:
> > >>>
> > >>> "You have received an invalid certificate. Please contact the server
> > >>> administrator or email correspondent and give them the following
> > >>> information:
> > >>>
> > >>> Your certificate contains the same serial number as another certificate
> > >>> issued by the certificate authority. Please get a new certificate containing
> > >>> a unique serial number."
> > >>>
> > >>> I'm fairly tired so I think I'm missing something really basic.  All
> > >>> I'm doing is using a self-signed key.  The browser (safari, firefox)
> > >>> should use this certificate but warn the user that it's self-signed.
> > >>>
> > >>> Where am I going wrong?
> > >>>
> > >>> Greg
> > >> --
> > >> David A. Cafaro
> > >> dac(at)trilug.org
> > >> Admin to User: "You did what!?!?!"
> > >
> > > --
> > > TriLUG mailing list        :
> > > http://www.trilug.org/mailman/listinfo/trilug
> > > TriLUG Organizational FAQ  : http://trilug.org/faq/
> > > TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> > > TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
> > >


-- 
Joseph Tate
Personal e-mail: jtate AT dragonstrider DOT com
Web: http://www.dragonstrider.com
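The collision Greg hit and the -set_serial fix David suggested, as an added example that is not part of the original thread: Go's standard library stands in for `openssl req -x509` so it runs without the openssl binary. It shows that a regenerated self-signed certificate with the same subject and serial 00 is indistinguishable by the (issuer, serial) key a browser's certificate store uses, while serial 01 is not. The host name `www.example.test` and the use of a P-256 key are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned mimics "openssl req -new -x509 -set_serial N": a fresh key and a
// self-signed CA certificate whose serial number is chosen by the caller.
func selfSigned(cn string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn}, // constructed host name
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// collides reports whether a browser keying its store on (issuer, serial) would
// treat b as a duplicate of a: same issuer name and same serial number, even
// though the keys and signatures differ, which is exactly the Firefox error.
func collides(a, b *x509.Certificate) bool {
	return bytes.Equal(a.RawIssuer, b.RawIssuer) && a.SerialNumber.Cmp(b.SerialNumber) == 0
}

func main() {
	old, _ := selfSigned("www.example.test", 0)   // first cert, serial 00
	redo, _ := selfSigned("www.example.test", 0)  // regenerated after reinstall, still 00
	fixed, _ := selfSigned("www.example.test", 1) // regenerated with -set_serial 01
	fmt.Println("regenerated with serial 00 collides:", collides(old, redo))  // true
	fmt.Println("regenerated with serial 01 collides:", collides(old, fixed)) // false
}
```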


