Upgrading apache form 2.0.x to 2.2.x
Charles Swiger
cswiger at mac.com
Tue Jan 31 09:23:08 PST 2006
On Jan 31, 2006, at 10:06 AM, Kövesdán Gábor wrote:
> I've upgradde today, but SSL doesn't work with the old settings. I
> suspect something's wrong with my self-signed certificates. If I
> set SSLEngine On globally, I get this:
>
> [Tue Jan 31 14:11:09 2006] [warn] RSA server certificate is a CA
> certificate (BasicConstraints: CA certificate (BasicConstraints: CA
> == TRUE !?)
Yeah, the RSA cert you use for your CA to sign other certs should not
be used as a host cert for SSL. Generate a new RSA cert, generate a
CSR, and use the CA cert to sign your new RSA cert for the webserver:
openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -
days 365
openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out
tmp.pem
openssl ca -policy policy_anything -out newcert.pem -infiles tmp.pem
# (newcert.pem contains signed certificate, newreq.pem still
contains
# unsigned certificate and private key)
--
-Chuck
More information about the freebsd-questions
mailing list