[lug] self-signed apache certs on fedora core?

D. Stimits stimits at comcast.net
Tue Sep 6 14:16:43 MDT 2005

Jeffrey Brown wrote:
> I never did like the wrapper scripts provided by Linux distributions. If
> all you want is a self-signed cert do the following:
> Taken from here (wrapped):
> http://www.openbsd.org/cgi-bin/man.cgi?query=ssl&sektion=8&apropos=0&manpath=OpenBSD+Current&arch=i386
> # openssl genrsa -out /etc/ssl/private/server.key 1024
> # openssl req -new -key /etc/ssl/private/server.key -out
> /etc/ssl/private/server.csr
> # openssl x509 -req -days 365 -in /etc/ssl/private/server.csr -signkey
> /etc/ssl/private/server.key -out /etc/ssl/server.crt
> I think other details about this can be found in the openssl man pages
> such as ca, x509, req and genrsa etc., if those man pages are installed
> ;)  If you want full blown PKI consider the above commands the
> generation of your root certificate (change the days of course), iterate
> through it again replacing file names to the new certfile and the
> -signkey directive to the original root cert key.

Looks like this plus edits of openssl.cnf given by Calvin Dodge did the 
trick. I used the above commands after editing the cnf file, adjusted 
for new directory structure in FC4, and it works :)

Now I have a new question about self-signed certs used on machines that 
do not have reverse DNS lookup...e.g., if I access my apache server via 
https://localhost or https://some_name_in_etc_hosts, where locahost and 
some_name_in_etc_hosts is not visible to the outside world. Is it 
possible to remove this error via a system configuration setting in 
combination with a CommonName such as localhost or So far I 
don't seem to be able to get my service httpd restart to avoid that 
warning...not exactly important, but it seems like one of those details 
I'd rather not quit early on if there is a solution (on the other hand, 
could be that having real DNS lookup for the name is the only way to do it).

D. Stimits, stimits AT comcast DOT net

More information about the LUG mailing list