Re: self signed cert on CentOS 6.5

Author: Keith Smith
Date:  
To: Main PLUG discussion list
Subject: Re: self signed cert on CentOS 6.5

Thank you Matt for your reply!


On 2014-10-19 13:21, Matt Graham wrote:
> On 2014-10-16 20:54, wrote:
>> I have a local LAMP box I use for development running CentOS 6.5.
>> openssl genrsa -out ca.key 2048
>> openssl req -new -key ca.key -out ca.csr
>> openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
>> I then verified the ssl.conf file and restarted httpd.
>
> This looks correct. In an openssl context, though, CA usually means
> "Certificate Authority", which might cause confusion if you've got
> something else somewhere that uses an actual CA. I usually name the
> certs "$SITENAME.crt" for maximum ease of understanding.
>
>> I am using this cert for multiple local dev sites with no problem in
>> Firefox (I add the exception). When I use Internet Explorer it says
>> "Mismatched Address" even if I add it to the trusted sites list.
>
> DNS problems? I was trying something similar with IE at work, and it
> wasn't finding the "127.0.0.1 server example.com" entry in
> lmhosts.sam. (Then again, "Run away screaming from IE" is my general
> policy...)
>



I'd like to run away screaming. I need IE for testing only.


>> Do I need to create a cert for each website? Or can I create a
>> wildcard cert that I can use on all of them?
>
> You should be able to make a wildcard cert and have it be accepted.
> Just make the CN be "*.whatever.org" when you're generating the CSR,
> and then test on server1.whatever.org , server2.whatever.org , etc.
>


Easy enough. All sites are subdomains.

>> I followed a website that said I needed to add a section as seen
>> below to openssl.cnf [and some other changes]
> [snip]
>
> I have never modified openssl.cnf for any of the self-signed certs
> I've generated, and they've all Just Worked. What were the other
> changes you made?
>
>> The new cert works just like the old cert requiring I add the
>> exception in FF and IE does not like the cert at all.
>
> I can't make IE barf in that way with the self-signed cert on
> https://crow202.org/questions.html , but crow202.org has a valid DNS
> entry and the cert was generated with the default openssl.cnf .


It is probably something in my config.

Thank you for your help!!
Keith
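
The wildcard approach discussed in this thread, as an added example that is not part of the original messages: it generates a self-signed cert for "*.whatever.org" from a small per-cert config (the system openssl.cnf is left alone) and then checks which hostnames the cert is valid for, which is the check behind a "Mismatched Address" warning. The function names, file layout and the subjectAltName entry are assumptions of this example, and `-checkhost` needs OpenSSL 1.0.2 or later.

```shell
#!/bin/sh
# Added example: self-signed wildcard cert for local dev vhosts.
# Assumed names: make_wildcard_cert, cert_matches_host, output paths.

# make_wildcard_cert DOMAIN OUTDIR
# Writes OUTDIR/DOMAIN.key and OUTDIR/DOMAIN.crt for "*.DOMAIN".
make_wildcard_cert() {
    domain=$1; outdir=$2
    cnf="$outdir/$domain.cnf"
    # Minimal per-cert config, so the system openssl.cnf stays untouched.
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = *.$domain
[v3]
subjectAltName = DNS:*.$domain
EOF
    # umask keeps the private key unreadable by other local users.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
          -config "$cnf" -keyout "$outdir/$domain.key" \
          -out "$outdir/$domain.crt" )
}

# cert_matches_host CERT HOSTNAME -> exit 0 if CERT is valid for HOSTNAME.
# -checkhost itself always exits 0, so the verdict is read from its output.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Demo in a scratch directory (constructed hostnames).
demo() {
    dir=$(mktemp -d) || return 1
    make_wildcard_cert whatever.org "$dir" || return 1
    for h in server1.whatever.org server2.whatever.org \
             whatever.org a.b.whatever.org; do
        if cert_matches_host "$dir/whatever.org.crt" "$h"
        then echo "match     $h"
        else echo "MISMATCH  $h"
        fi
    done
    rm -rf "$dir"
}
demo
```

The wildcard covers exactly one label, so the bare domain and deeper names such as a.b.whatever.org are reported as mismatches.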
