Re: self signed cert on CentOS 6.5

Author: Matt Graham
Date:  
To: Main PLUG discussion list
Subject: Re: self signed cert on CentOS 6.5
On 2014-10-16 20:54, wrote:
> I have a local LAMP box I use for development running CentOS 6.5.
> openssl genrsa -out ca.key 2048
> openssl req -new -key ca.key -out ca.csr
> openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
> I Then verified the ssl.conf file and restarted httpd.
This looks correct. In an openssl context, though, CA usually means
"Certificate Authority", which might cause confusion if you've got
something else somewhere that uses an actual CA. I usually name the
certs "$SITENAME.crt" for maximum ease of understanding.

> I am using this cert for multiple local dev sites with no problem in
> FireFox (I add the exception). When I use Internet explorer it says
> "Mismatched Address" even if I add it to the trusted sites list.
DNS problems? I was trying something similar with IE at work, and it
wasn't finding the "127.0.0.1 server example.com" entry in lmhosts.sam.
(Then again, "Run away screaming from IE" is my general policy...)

> Do I need to create a cert for each website? Or can I create a wild
> card cert that I can use on all of them?
You should be able to make a wildcard cert and have it be accepted.
Just make the CN be "*.whatever.org" when you're generating the CSR, and
then test on server1.whatever.org, server2.whatever.org, etc.

> I followed a website that said I needed to add a section as seen
> below to openssl.cnf [and some other changes]

[snip]

I have never modified openssl.cnf for any of the self-signed certs I've
generated, and they've all Just Worked. What were the other changes you
made?

> The new cert works just like the old cert requiring I add the
> exception in FF and IE does not like the cert at all.
I can't make IE barf in that way with the self-signed cert on
https://crow202.org/questions.html, but crow202.org has a valid DNS
entry and the cert was generated with the default openssl.cnf.

--
Crow202 Blog: http://crow202.org/wordpress
There is no Darkness in Eternity
But only Light too dim for us to see.
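An added example, not code from Matt's reply or the original poster: a shell script that builds the self-signed wildcard certificate discussed above for *.whatever.org, putting the names into subjectAltName as well as the CN and passing a private config with -config instead of editing the system openssl.cnf, then checks which hostnames the certificate actually covers. The hostnames are assumed, and the -checkhost option assumes OpenSSL 1.0.2 or newer.

```shell
#!/bin/sh
# Added example, not code from the thread. Hostnames are assumed.
set -eu

# Build a self-signed wildcard cert. The names go into subjectAltName as
# well as the CN: modern browsers match on SAN only, and a cert whose
# names do not cover the site is what produces IE's "Mismatched Address".
# A private config file is passed with -config, so the system-wide
# openssl.cnf is left untouched.
make_wildcard_cert() {
    dir="$1"      # output directory
    domain="$2"   # e.g. whatever.org
    mkdir -p "$dir"
    cat > "$dir/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req
[dn]
CN = *.$domain
[v3_req]
basicConstraints = CA:FALSE
subjectAltName = DNS:*.$domain, DNS:$domain
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/$domain.key" -out "$dir/$domain.crt" \
        -config "$dir/san.cnf" >/dev/null 2>&1
}

# Exit 0 if the cert covers the hostname, 1 if not. -checkhost applies
# the same wildcard rule a browser uses (one label only) and needs
# OpenSSL 1.0.2 or newer; the 1.0.1 shipped with CentOS 6 lacks it.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Demo: one cert for the dev sites, then see which names it really covers.
work=$(mktemp -d)
make_wildcard_cert "$work" whatever.org
for host in server1.whatever.org server2.whatever.org whatever.org \
            deep.server1.whatever.org server1.other.org; do
    if cert_covers_host "$work/whatever.org.crt" "$host"; then
        echo "$host: covered"
    else
        echo "$host: NOT covered"
    fi
done
```

Note that deep.server1.whatever.org is not covered: a wildcard matches exactly one label, so a second-level dev hostname needs its own entry in subjectAltName.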
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss