self signed cert on CentOS 6.5

Matt Graham mhgraham at crow202.org
Sun Oct 19 11:21:10 MST 2014


On 2014-10-16 20:54, techlists at phpcoderusa.com wrote:
> I have a local LAMP box I use for development running CentOS 6.5.
> openssl genrsa -out ca.key 2048
> openssl req -new -key ca.key -out ca.csr
> openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
> I then verified the ssl.conf file and restarted httpd.

This looks correct.  In an openssl context, though, CA usually means 
"Certificate Authority", which might cause confusion if you've got 
something else somewhere that uses an actual CA.  I usually name the 
certs "$SITENAME.crt" for maximum ease of understanding.

> I am using this cert for multiple local dev sites with no problem in
> Firefox (I add the exception).  When I use Internet Explorer it says
> "Mismatched Address" even if I add it to the trusted sites list.

DNS problems?  I was trying something similar with IE at work, and it 
wasn't finding the "127.0.0.1 server example.com" entry in lmhosts.sam.  
(Then again, "Run away screaming from IE" is my general policy...)

> Do I need to create a cert for each website?  Or can I create a
> wildcard cert that I can use on all of them?

You should be able to make a wildcard cert and have it be accepted.  
Just make the CN be "*.whatever.org" when you're generating the CSR, and 
then test on server1.whatever.org , server2.whatever.org , etc.

> I followed a website that said I needed to add a section as seen
> below to openssl.cnf [and some other changes]
[snip]

I have never modified openssl.cnf for any of the self-signed certs I've 
generated, and they've all Just Worked.  What were the other changes you 
made?

> The new cert works just like the old cert requiring I add the
> exception in FF and IE does not like the cert at all.

I can't make IE barf in that way with the self-signed cert on 
https://crow202.org/questions.html , but crow202.org has a valid DNS 
entry and the cert was generated with the default openssl.cnf .

-- 
Crow202 Blog: http://crow202.org/wordpress
There is no Darkness in Eternity
But only Light too dim for us to see.
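
Added example, not part of the original message: the three openssl commands from the thread with the CN set to the wildcard suggested above, followed by a check of which hostnames that certificate actually covers. The function names and temp directory are assumptions, whatever.org is the thread's placeholder domain, and the -checkhost option needs OpenSSL 1.0.2 or later (CentOS 6.5 ships 1.0.1e, so run the check from a newer machine).

```shell
#!/bin/sh
# Added example (not from the thread). whatever.org is the thread's
# placeholder domain; function names and the temp dir are assumptions.

# make_wildcard_cert DOMAIN DIR: the thread's three steps, CN = *.DOMAIN
make_wildcard_cert() {
    domain=$1; dir=$2
    openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null || return 1
    # -subj sets the CN non-interactively; the quotes stop the shell
    # from expanding the "*".
    openssl req -new -key "$dir/$domain.key" -subj "/CN=*.$domain" \
        -out "$dir/$domain.csr" || return 1
    openssl x509 -req -days 365 -in "$dir/$domain.csr" \
        -signkey "$dir/$domain.key" -out "$dir/$domain.crt" 2>/dev/null
}

# cert_matches CERT HOST: exit 0 if the certificate's name covers HOST
cert_matches() {
    out=$(openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null) || return 2
    case $out in
        *"does match certificate"*) return 0 ;;
        *) return 1 ;;
    esac
}

# report_names CERT HOST...: one "HOST: ok" or "HOST: MISMATCH" line each
report_names() {
    cert=$1; shift
    for h in "$@"; do
        if cert_matches "$cert" "$h"; then
            echo "$h: ok"
        else
            echo "$h: MISMATCH"
        fi
    done
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_wildcard_cert whatever.org "$tmp" &&
        report_names "$tmp/whatever.org.crt" \
            server1.whatever.org server2.whatever.org \
            whatever.org a.b.whatever.org server1.example.com
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo
```

The wildcard covers exactly one label, so whatever.org itself and a.b.whatever.org report MISMATCH, which is the same condition a browser flags as an address mismatch.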


More information about the PLUG-discuss mailing list