Koozali.org: home of the SME Server

SSL Cert

grattman
SSL Cert
« on: August 04, 2006, 01:49:10 PM »
Okay...I work for a school and they are too cheap to spring for a paid cert.

I am trying to figure out the final bit that I need to submit my cert to CA Cert (http://www.cacert.org/) so that I can eliminate the warning. I followed the directions here, including the applicable Redhat steps.

CA Cert requires you to copy and paste the CSR into a form text field. I apologize in advance for the noob-dom, but how do I view the contents of the CSR? I tried a normal pico, but it was encrypted and that did not satisfy the form field.

On a side note, when I set up my server xxx.somwwhere.k12.us, it seems to have appended the server name I gave it xxx and created the certificate as coming from xxx.xxx.somwwhere.k12.us. So when you visit the site xxx.somwwhere.k12.us and try accessing email, it says it was issued for a different website's address.

UPDATE: Following the above directions, the file (below) does not exist on the server. Any ideas?

/etc/httpd/conf/ssl.crt/server.crt


Any help is appreciated,
Brian

william_syd
Re: SSL Cert
« Reply #1 on: August 06, 2006, 07:41:46 AM »
Quote from: "grattman"


UPDATE: Following the above directions, the file (below) does not exist on the server. Any ideas?

/etc/httpd/conf/ssl.crt/server.crt


Any help is appreciated,
Brian


The first part of the Red Hat instructions asks you to delete the fake server.crt and server.key files.
Quote
First, use the cd command to change to the /etc/httpd/conf/ directory. Remove the fake key and
certificate that were generated during the installation with the following commands:
rm ssl.key/server.key
rm ssl.crt/server.crt


If you have not yet sent your csr to CAcert then you won't have a server.crt file.
Regards,
William

IF I give advice.. It's only if it was me....

william_syd
Re: SSL Cert
« Reply #2 on: August 06, 2006, 07:56:06 AM »
Quote from: "grattman"


CA Cert requires you to copy and paste the CSR into a form text field. I apologize in advance for the noob-dom, but how do I view the contents of the CSR? I tried a normal pico, but it was encrypted and that did not satisfy the form field.



You're doing something wrong. The server.csr should look something like...
Code:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----


That was viewed with
Code:
less /etc/httpd/conf/ssl.csr/server.csr
via Putty.

Code:
  UW PICO(tm) 4.10   File: /etc/httpd/conf/ssl.csr/server.csr

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----







                               [ Read 12 lines ]
^G Get Help  ^O WriteOut  ^R Read File ^Y Prev Pg   ^K Cut Text  ^C Cur Pos
^X Exit      ^J Justify   ^W Where is  ^V Next Pg   ^U UnCut Text^T To Spell


The result with pico.
Regards,
William

IF I give advice.. It's only if it was me....

william_syd
Re: SSL Cert
« Reply #3 on: August 06, 2006, 08:03:12 AM »
Quote from: "grattman"


I am trying to figure out the final bit that I need to submit my cert to CA Cert (http://www.cacert.org/) so that I can eliminate the warning.


You're probably still going to get a warning of sorts. The CA root certificate is not installed by default in any of the main browsers as yet. I think CentOS do supply it with their distribution already installed.
Regards,
William

IF I give advice.. It's only if it was me....

grattman
SSL Cert
« Reply #4 on: August 06, 2006, 02:19:29 PM »
William,

Thanks for your advice. I did finally figure out how to view it. When I submitted it to CACert, it kept telling me my CommonName was blank, which it wasn't. I guess that's what I get for trying to go free.

Thanks again,
Brian

william_syd
SSL Cert
« Reply #5 on: August 07, 2006, 03:12:14 AM »
Quote from: "grattman"
William,

Thanks for your advice. I did finally figure out how to view it. When I submitted it to CACert, it kept telling me my CommonName was blank, which it wasn't. I guess that's what I get for trying to go free.

Thanks again,
Brian


Something like this...

Quote
Unable to continue as no valid commonNames or subjectAltNames were present on your certificate request.
Regards,
William

IF I give advice.. It's only if it was me....

grattman
SSL Cert
« Reply #6 on: August 07, 2006, 03:57:21 AM »
Exactly that....mind-reader? Or just someone who has been down this road before?

william_syd
SSL Cert
« Reply #7 on: August 07, 2006, 04:28:57 AM »
Quote from: "grattman"
Exactly that....mind-reader? Or just someone who has been down this road before?


Commonname invalid and commonname blank are different issues.

I gather you 'registered' a domain with CAcert and validated it with an email response.

Using your example from the first post, you would have a verified domain of
Code:
k12.us

Your commonname for your CSR would have to contain this, e.g.
Code:
xxx.somwwhere.k12.us

The software at CAcert reads right to left. That way you do not have to 'register/verify' each sub-domain.

You could use a wildcard commonname
Code:
*.k12.us

which would match every sub-domain.
Regards,
William

IF I give advice.. It's only if it was me....
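
The checks discussed in this thread, as an added example that is not part of any post: a POSIX shell pre-flight to run on a CSR before pasting it into the CA's form. It reads the commonName with `openssl req`, tests it right to left against the verified domain, and compares it with the name users actually visit (the doubled-hostname problem from the first post). The function names and the script name `check_csr.sh` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check of a CSR's commonName.

# Print the commonName of a PEM CSR; prints nothing if the subject has no CN.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Lower-case a hostname and drop one trailing dot.
norm() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Right-to-left, label-wise match: the name must equal the verified domain or
# end in ".<domain>", so "notk12.us" is not covered by "k12.us".
cn_covered() {
    c=$(norm "$1"); d=$(norm "$2")
    [ -n "$c" ] && [ -n "$d" ] || return 1
    case "$c" in
        "$d" | *."$d") return 0 ;;
        *) return 1 ;;
    esac
}

# check_csr FILE HOST DOMAIN: HOST is the name users type, DOMAIN the verified one.
check_csr() {
    name=$(csr_cn "$1")
    if [ -z "$name" ]; then
        echo "FAIL: no commonName found in $1"; return 1
    fi
    echo "commonName: $name"
    rc=0
    if ! cn_covered "$name" "$3"; then
        echo "FAIL: not under verified domain $3"; rc=1
    fi
    case "$name" in
        '*.'*) ;;  # wildcard names are not compared with HOST here
        *) if [ "$(norm "$name")" != "$(norm "$2")" ]; then
               echo "FAIL: CSR names $name, but clients visit $2"; rc=1
           fi ;;
    esac
    return "$rc"
}

# Usage (script name is an assumption): sh check_csr.sh FILE HOST DOMAIN
if [ "$#" -eq 3 ]; then
    check_csr "$@"
fi
```

For the server in this thread the call would be `sh check_csr.sh /etc/httpd/conf/ssl.csr/server.csr xxx.somwwhere.k12.us k12.us`.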