Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > Linux Forums > HOWTO-Related Questions

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #11  
Old 5th May 2009, 15:13
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,722 Times in 2,563 Posts
Default

What's in ./openssl.cnf?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
Sponsored Links
  #12  
Old 6th May 2009, 09:43
pixel.hu pixel.hu is offline
Junior Member
 
Join Date: Feb 2009
Posts: 5
Thanks: 0
Thanked 0 Times in 0 Posts
Default openssl.cnf

Hi!

Nothing. I don't even have a file like that. I mean the howto didn't specify from which folder I should run the command, so i ran it from /etc/racoon and from other places too. (the howto mentioned openssl.conf i tried that too)

But #locate openssl.conf only gives this one answer

/var/lib/dpkg/info/openssl.conffiles

After a bit of browsing i found openssl.cnf in /etc/ssl, and it indeed has a
few parts i think should work. Pasting them now:

.......

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

.....

[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

.........


So i think i am missing something, but i don't know where i make that mistake.

Thx

Laszlo Balogh
Reply With Quote
  #13  
Old 6th May 2009, 09:53
topdog topdog is offline
Senior Member
 
Join Date: Jan 2008
Location: South Africa
Posts: 1,352
Thanks: 0
Thanked 153 Times in 150 Posts
Default

This is how to call the command.

Code:
openssl req -new -x509 -extensions v3_ca -keyout privateKey/cakey.pem -out cacert.pem -days 3650 -config /etc/ssl/openssl.cnf
and the privateKey directory needs to exist in your pwd.
__________________
----
http://www.topdog.za.net - Got Linux problems ? - I can help.
http://www.baruwa.org - Try it.
Reply With Quote
  #14  
Old 6th May 2009, 11:04
pixel.hu pixel.hu is offline
Junior Member
 
Join Date: Feb 2009
Posts: 5
Thanks: 0
Thanked 0 Times in 0 Posts
 
Default finished at last

Hi there!

Thx for all the help!

I finally finished.

I had to create a few directories and move around a few files, but it is done.

Last it asked for a serial file. I just created one empty serial file,
and wrote random numbers in one line into it. It swallowed it.

Now if I can only get shorewall tunelling done it ll work.

Thx a lot

Laszlo Balogh
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT +2. The time now is 18:57.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.