SLUG Mailing List Archives
Re: [SLUG] https - where to start ?
- To: Steven Kerr <linux.com@xxxxxxxxxxxx>
- Subject: Re: [SLUG] https - where to start ?
- From: Graeme Merrall <graeme@xxxxxxxxxxxxx>
- Date: Sat Oct 14 20:45:49 2000
- Cc: slug@xxxxxxxxxxx
- User-agent: Mutt/1.2.5i
On Sat, Oct 14, 2000 at 05:32:00PM +1000, Steven Kerr wrote:
> Good Afternoon.
> In some spare time I have coming up, I wish to explore the possibility
> of setting up a https server.
> Where would one actually start ? I don't wish to purchase commercial
> certificates etc, but just want to *play* with https
> I have started to use the RPM for apache-ssl-1.3.6_1.35-3.i386.rpm but
> am getting stuck with the private/public key sets.
> What other *things* do I need before I start playing ?
> Has anyone successfully gone down the path of building a https server
> from the above mentioned RPM and if so do you have any
> comments/procedures that you would share ?
I prefer mod_ssl but anyway...
The first thing you need to do to actually start playing is create a private
key and a certificate. You'll need ssleay for this. There may well be
instructions for this with your RPM, it's been a while for me, otherwise
most certificate signing agencies like Verisign/Thawte will have
instructions on how to do it.
That will give you a start and get you up and running at least, except your
browser will bitch and moan about you not having a valid certificate.
Next, you want to play with becoming your own CA. That way you can create
your own root CA (I think that's the term) which you use to sign other
certificates with. Basically the procedure is that you create a setup where
you act as a CA (that's certificate authority BTW) and sign the certificate
you just produced. In order for your browser not to bitch and moan you can
install a doohickey (another certificate) which means the browser
recognises any certificates signed by you as valid. Netscape has suitable
paranoia when you do this so you know it's happening so users can't be
hoodwinked. I don't know about IE though.
Information on becoming your own CA is a little sketchy. The ssleay FAQ has
some info on it but I've always found the ssleay docs hard to get round.
A google search came up with:
Thawte offers to create a test cert with a short expiry time so you can
tinker. From memory they do essentially the same as above where you install
a root CA thing into your browser which is testing and they sign a
certificate against it so you can't use your cert in the real world.
Oh yeah, it's openssl now isn't it?
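
The steps described in the reply above (a private key, your own root CA, and a server certificate signed by that CA), as an added example using the current `openssl` command line. It is not part of the original post; the function names, file names, subject names and 30-day lifetimes are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: private test CA plus one CA-signed server certificate.
# build_pki, verify_with and all file/subject names are illustrative.

build_pki() (   # $1 = empty working directory; subshell keeps umask local
    d=$1
    umask 077   # private keys are created readable by the owner only
    # Minimal config so the run does not depend on a system openssl.cnf.
    cat > "$d/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:localhost
EOF
    # 1. CA private key and self-signed root certificate.
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -config "$d/openssl.cnf" -extensions v3_ca \
        -key "$d/ca.key" -subj "/CN=Test Root CA (constructed)" \
        -days 30 -out "$d/ca.crt" &&
    # 2. Server private key and certificate signing request.
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null &&
    openssl req -new -config "$d/openssl.cnf" -key "$d/server.key" \
        -subj "/CN=localhost" -out "$d/server.csr" &&
    # 3. Sign the request with the CA key to produce the server certificate.
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -extfile "$d/openssl.cnf" \
        -extensions v3_leaf -out "$d/server.crt" 2>/dev/null
)

verify_with() {  # $1 = root certificate to trust, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run: build everything in a fresh directory and check the chain.
demo=$(mktemp -d) && build_pki "$demo" &&
    verify_with "$demo/ca.crt" "$demo/server.crt" &&
    echo "server.crt chains to ca.crt in $demo"
```

Only `ca.crt` is imported into a browser for testing; `ca.key` stays private, since anyone holding it can issue certificates that browser will accept.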