SSL Codesigning / Certificates general

Thorsten
3 April 2013, 15:00
Hello!

I'm trying to replace my Apache with Hiawatha but I'm struggling with the certificates. By now, I have created a CA certificate and 3 other certificates which were signed using the CA.

- one for the server
- one for code signing
- one for the client

So far I could get the server part running. But code signing doesn't work so far. Unfortunately Hiawatha seems to use certificates in a different way than Apache and I'm not very used to this topic.

That's the way I have created the certificates so far:

The CA
openssl req -x509 -newkey rsa:2048 -out ca.crt -keyout ca.key -days 365 \
-subj "/C=$CA_COUNTRY/ST=$CA_STATE/L=$CA_LOCATION/O=$CA_ORGANIZATION/CN=$CA_COMMON" \
-passin file:sslpass -passout file:sslpass

The Server:
openssl req -newkey rsa:2048 -keyout server.key -out server.req \
-subj "/C=$SSL_SERVER_COUNTRY/ST=$SSL_SERVER_STATE/L=$SSL_SERVER_LOCATION/O=$SSL_SERVER_ORGANIZATION/CN=$SERVER_COMMON" \
-passin file:sslpass -passout file:sslpass

# SIGN Certificate using CA Certificate
openssl ca -config ca.cnf -in server.req -out server.crt \
-passin file:sslpass -batch

Codesigning and Client are the same but have different filenames.

Then I use them the standard way in apache. In http.conf:
SSLCACertificateFile __CERTS_PATH__/ca.crt
SSLCertificateFile __CERTS_PATH__/server.crt
SSLCertificateKeyFile __CERTS_PATH__/server.key


Codesigning happens via this command:
openssl cms -sign -binary -noattr \
-certfile ca.crt \
-outform DER \
-signer codesign.crt \
-inkey codesign.key \
-in $HTTP_PATH/filename \
-out $HTTP_PATH/filename.sig

I need the *.crt and *.key files for third party software.

Last I need the files ca.crt \ client.crt \ client.key to build software including the Client certificate.

I tried adding the ca.crt to serverkey.pem (using cat ca.crt >> serverkey.pem)
but without success.

Hope you can help me use these certificates in Hiawatha.

Thank you in advance.

Thorsten




Hiawatha version: 9.0
Operating System: Ubuntu 12.10
Thorsten
3 April 2013, 17:15
Pls delete, I've solved the problems.

It's simply copying and "cating" the crt and key files.

Regards,
Thorsten
This topic has been closed.
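
The fix described in the last post is concatenating the key and certificate files into one PEM file. As an added example (not part of the thread and not Hiawatha's own tooling), the shell function below checks such a bundle before a server is pointed at it: no PEM markers fused by a missing newline, the private key matches the first certificate, and that certificate verifies against the CA. The names `check_bundle` and `make_demo_pki` and the demo subject names are assumptions, and the demo keys are constructed throwaway material.

```sh
#!/bin/sh
# Added example (not from the thread): check a PEM bundle made with cat.

# check_bundle BUNDLE CA_CERT [PASS_SPEC]
# PASS_SPEC is an openssl pass phrase argument such as file:sslpass.
# Prints "ok" and returns 0, or prints the first problem found and returns 1.
check_bundle() {
    bundle=$1 ca=$2 pass=${3:-pass:}
    # A source file without a final newline makes cat fuse two PEM markers.
    if grep -q -e '-----END [A-Z ]*----------BEGIN' "$bundle"; then
        echo "fused PEM markers"; return 1
    fi
    # Public half of the first private key in the bundle.
    key_pub=$(openssl pkey -in "$bundle" -passin "$pass" -pubout 2>/dev/null) ||
        { echo "no readable private key"; return 1; }
    # First certificate in the bundle (the one the server presents).
    crt=$(openssl x509 -in "$bundle" 2>/dev/null) ||
        { echo "no readable certificate"; return 1; }
    crt_pub=$(printf '%s\n' "$crt" | openssl x509 -noout -pubkey)
    [ "$key_pub" = "$crt_pub" ] ||
        { echo "key does not match first certificate"; return 1; }
    # The certificate must chain to the CA that clients will trust.
    printf '%s\n' "$crt" | openssl verify -CAfile "$ca" >/dev/null 2>&1 ||
        { echo "certificate not issued by given CA"; return 1; }
    echo "ok"
}

# make_demo_pki DIR: constructed throwaway CA and server pair for trying the
# check (unencrypted keys, 1-day validity, placeholder subject names).
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout "$d/server.key" -out "$d/server.req" 2>/dev/null
    openssl x509 -req -in "$d/server.req" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null
}
```

With the files from the first post, the call would be `check_bundle serverkey.pem ca.crt file:sslpass`, since those keys were written with a pass phrase.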