[Date Prev][Date Next]
Re: Getting SSL/TSL to work
-----BEGIN PGP SIGNED MESSAGE-----
Je Sabato Marto 12 2005 15:38, vi skribis:
> I don't know OpenSSL well so I'm guessing a bit here, but --
> > I'm not getting anyone to issue a certificate for my server (I can't
> > pay it, it's not important yet), so, I'm making self-signed
> > certificates.
> I have no idea if that works, nor if TLSCACertificateFile should be
> absent or refer to that certificate. Anyway, try a self-signed CA
> certificate instead, and sign the server certificate with that. That
> works for us.
Well, how do you do that ? (I thought I was doing that).
> > Common Name (eg, YOUR name) :master.pupeno.com
> > (...)
> > I was told that the DN must match my server's, but I'm not sure how to
> > achieve that.
> It's the Common Name above which must match your server name. And you
> must connect the server using that name, not e.g. with the IP address or
> just 'master' or 'localhost', otherwhise the client should refuse the
> connection due to server name mismatch. If your server has several
> names which clients might use, e.g. also a CNAME ldap.pupeno.com, you
> can put the alternate names in the X509v3 extension subjectAltName
> (X509v3 Subject Alternative Name).
Oh, ok, thanks. I'll configure my clients to access the server by that name,
once the server it's running.
> Hide the certificate key at once, at least. No good to hide it tomorrow
> if someone copies it today.
Once I find a method that works, I'll remove all the certificates and re-do
it, cleanely, from scratch, keeping security in mind.
Pupeno: email@example.com - http://pupeno.com
Reading Science Fiction ? http://sfreaders.com.ar
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
-----END PGP SIGNATURE-----