hacking contest

hacking exploits security forum
hacking
compliance articles
upgrade backup exec
information security consultant
Help - Search - Member List - Calendar
GovernmentSecurity.org > System Security > Beginners Section
u533m3n0t
May 5 2005, 07:23 AM
Hello ladies and gents,
I'm pretty new to playing with Apache. I have it running side by side with IIS under Windows 2K Server. I downloaded the latest version of OpenSSL 0.9.7g and am installing under Apache version 2.0.54. Unfortunately, when I try to generate a cert, I get the error that "/usr/local/ssl/openssl.cnf is not found" The install didn't generate any ".cnf" files. Any thoughts?
withdraw
May 5 2005, 09:51 AM
http://tud.at/programm/apache-ssl-win32-howto.php3

QUOTE
You'll need a config file for OpenSSL.exe. Here is one (right-click on it and "Save as..."). (There is an openssl.cnf in the distribution with different wording of some questions, but it should do it, too.) Copy it to the directory openssl.exe is in.
(This is a normal text file. It is really called so; however, some Windows versions insist on hiding the extension from you. You can edit it with Windows notepad or a good editor, but it shouldn't be necessary.)


QUOTE
openssl req -config openssl.cnf -new -out my-server.csr
This creates a certificate signing request and a private key. When asked for "Common Name (eg, your websites domain name)", give the exact domain name of your web server (e.g. www.my-server.dom). The certificate belongs to this server name and browsers complain if the name doesn't match.

openssl rsa -in privkey.pem -out my-server.key
This removes the passphrase from the private key. You MUST understand what this means; my-server.key should be only readable by the apache server and the administrator.
You should delete the .rnd file because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key.

openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365
This creates a self-signed certificate that you can use until you get a "real" one from a certificate authority. (Which is optional; if you know your users, you can tell them to install the certificate into their browsers.) Note that this certificate expires after one year, you can increase -days 365 if you don't want this.

If you have users with MS Internet Explorer 4.x and want them to be able to install the certificate into their certificate storage (by downloading and opening it), you need to create a DER-encoded version of the certificate:
openssl x509 -in my-server.cert -out my-server.der.crt -outform DER

Create an Apache/conf/ssl directory and move my-server.key and my-server.cert into it.
u533m3n0t
May 5 2005, 11:03 AM
Thanks! Will try it out and let you know how it goes. I had been to that site earlier and thus far have printed off about 100+ pages of documentation from various googles I did to try to get this up and going. I must've missed that part about the download of the cnf file. Thanks again.
u533m3n0t
May 5 2005, 03:09 PM
Alrighty....Got the cnf file installed, and configured the httpd.conf file to recognize it, went to generate my key and my Apache tells me it needs something referred to as ".\crypto\bio\bss_file.c" Of course it can't find the accursed thing. Apache is running under Windows, and if I'm correct, that bit is specific to Linux. I'll upload a screen shot which shows the command lines entered and responses given. I'm going bald from pulling my hair out over this one...

Trying to create a key called Subversion, and failing miserably. At this point, the window near the server room is starting to look like an appealing solution to this problem...not for me, for the computer. laugh.gif

u533m3n0t
May 6 2005, 01:52 PM
Got everything all sorted out now. Just had to do major googling, and got a smarter gent than myself to help me out as well as the useful info from withdraw. If anyone is considering running IIS beside Apache, my advise is just plain "don't." You have to tweak the httpd.conf file a million different ways before it actually works. If anyone is interested in the actual file (Minus the IP info, etc.), just IM me.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
 
Invision Power Board © 2001-2005 Invision Power Services, Inc.