Thank you Matt for your reply!

On 2014-10-19 13:21, Matt Graham wrote:
> On 2014-10-16 20:54, techlists@phpcoderusa.com wrote:
>> I have a local LAMP box I use for development running CentOS 6.5.
>> openssl genrsa -out ca.key 2048
>> openssl req -new -key ca.key -out ca.csr
>> openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
>> I then verified the ssl.conf file and restarted httpd.
>
> This looks correct. In an openssl context, though, CA usually means
> "Certificate Authority", which might cause confusion if you've got
> something else somewhere that uses an actual CA. I usually name the
> certs "$SITENAME.crt" for maximum ease of understanding.
>
>> I am using this cert for multiple local dev sites with no problem in
>> FireFox (I add the exception). When I use Internet Explorer it says
>> "Mismatched Address" even if I add it to the trusted sites list.
>
> DNS problems? I was trying something similar with IE at work, and it
> wasn't finding the "127.0.0.1 server example.com" entry in
> lmhosts.sam. (Then again, "Run away screaming from IE" is my general
> policy...)
>

I'd like to run away screaming. I need IE for testing only.

>> Do I need to create a cert for each website? Or can I create a wild
>> card cert that I can use on all of them?
>
> You should be able to make a wildcard cert and have it be accepted.
> Just make the CN be "*.whatever.org" when you're generating the CSR,
> and then test on server1.whatever.org , server2.whatever.org , etc.
>

Easy enough. All sites are subdomains.

>> I followed a website that said I needed to add a section as seen
>> below to openssl.cnf [and some other changes]
> [snip]
>
> I have never modified openssl.cnf for any of the self-signed certs
> I've generated, and they've all Just Worked. What were the other
> changes you made?
>
>> The new cert works just like the old cert requiring I add the
>> exception in FF and IE does not like the cert at all.
>
> I can't make IE barf in that way with the self-signed cert on
> https://crow202.org/questions.html , but crow202.org has a valid DNS
> entry and the cert was generated with the default openssl.cnf .

It is probably something in my config.

Thank you for your help!!

Keith

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss
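
The wildcard approach discussed in the thread, as an added example that is not part of the original messages: it creates one self-signed certificate for "*.whatever.org" and then checks which hostnames that certificate actually covers, which is the comparison behind an address-mismatch warning. It assumes OpenSSL 1.1.1 or newer (for `-addext`), and the function names are made up for this example. The name is put in subjectAltName as well as the CN because current browsers match on subjectAltName.

```shell
#!/bin/sh
# Added example: one self-signed wildcard certificate for local dev subdomains.
# Assumptions: OpenSSL 1.1.1+ is installed; whatever.org is the placeholder
# domain used in the thread; function names are hypothetical.

# make_wildcard_cert DIR DOMAIN
# Writes DIR/DOMAIN.key and DIR/DOMAIN.crt, named after the site rather
# than "ca.*" so they are not mistaken for a Certificate Authority.
make_wildcard_cert() {
    dir=$1
    domain=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/$domain.key" -out "$dir/$domain.crt" \
        -subj "/CN=*.$domain" \
        -addext "subjectAltName=DNS:*.$domain" 2>/dev/null
    # The private key is unencrypted (-nodes), so keep it owner-only.
    chmod 600 "$dir/$domain.key"
}

# cert_matches CERT HOST
# Exit status 0 if HOST is covered by the names in CERT, non-zero otherwise.
# "openssl x509 -checkhost" prints "does match" or "does NOT match".
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Demonstration in a throwaway directory.
tmp=$(mktemp -d)
make_wildcard_cert "$tmp" whatever.org
for host in server1.whatever.org server2.whatever.org \
            whatever.org a.b.whatever.org; do
    if cert_matches "$tmp/whatever.org.crt" "$host"; then
        echo "$host: covered by the wildcard"
    else
        echo "$host: NOT covered (client reports a name mismatch)"
    fi
done
rm -rf "$tmp"
```

The wildcard covers exactly one label, so the bare domain and deeper names such as a.b.whatever.org still fail the name check even when the certificate itself is trusted.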