> I don't know OpenSSL well so I'm guessing a bit here, but --
> > I'm not getting anyone to issue a certificate for my server (I can't
> > pay it, it's not important yet), so, I'm making self-signed
> > certificates.
> I have no idea if that works, nor if TLSCACertificateFile should be
> absent or refer to that certificate.  Anyway, try a self-signed CA
> certificate instead, and sign the server certificate with that.  That
> works for us.

Well, how do you do that? (I thought I was doing that.)

> > Common Name (eg, YOUR name) []:master.pupeno.com
> > (...)
> > I was told that the DN must match my server's, but I'm not sure how to
> > achieve that.
> It's the Common Name above which must match your server name.  And you
> must connect to the server using that name, not e.g. with the IP address or
> just 'master' or 'localhost', otherwise the client should refuse the
> connection due to server name mismatch.  If your server has several
> names which clients might use, e.g. also a CNAME ldap.pupeno.com, you
> can put the alternate names in the X509v3 extension subjectAltName
> (X509v3 Subject Alternative Name).
Oh, ok, thanks. I'll configure my clients to access the server by that name,
once the server is running.

> Hide the certificate key at once, at least.  No good to hide it tomorrow
> if someone copies it today.
Once I find a method that works, I'll remove all the certificates and re-do
it, cleanly, from scratch, keeping security in mind.

Thank you!
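The procedure suggested above (a self-signed CA certificate, then a server certificate signed by that CA, with the extra names in subjectAltName) as a worked example. This is an added script, not something posted in the thread or shipped by OpenSSL or OpenLDAP; the host names master.pupeno.com and ldap.pupeno.com come from the thread, while the output directory, key sizes, validity periods and the function names are assumptions. The resulting ca.crt is the file clients are given to trust (and, for slapd, what TLSCACertificateFile points at); server.crt and server.key stay on the server, with the key readable only by its owner.

```shell
#!/bin/sh
# Added example: build a private CA and issue a server certificate signed by it.
# Names from the thread; paths, key sizes and validity periods are assumptions.
set -eu

make_ca_and_server_cert() {
  dir=${1:-./tls}
  mkdir -p "$dir"
  umask 077   # every key file is created unreadable to anyone but the owner

  # 1. A self-signed CA certificate. Only this CA key can sign further certs,
  #    so it must stay private from the moment it is created.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=pupeno private CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

  # 2. The server key and a signing request whose CN is the name clients use.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=master.pupeno.com" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

  # 3. Extensions for the server certificate. Every name a client might connect
  #    with (the CNAME included) goes in subjectAltName; current clients match
  #    SAN rather than CN, so the CN is repeated there as well.
  cat > "$dir/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:master.pupeno.com, DNS:ldap.pupeno.com
EOF

  # 4. Sign the request with the CA key (ca.srl is created beside ca.crt).
  openssl x509 -req -sha256 -days 825 \
    -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

  # 5. Check the chain the way a client that trusts ca.crt would.
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null
}

# Returns 0 when the certificate in $1 lists $2 as a DNS subjectAltName.
cert_has_dns_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Usage: sh make-certs.sh /path/to/output-dir   (assumed file name)
if [ $# -gt 0 ]; then
  make_ca_and_server_cert "$1"
  cert_has_dns_san "$1/server.crt" ldap.pupeno.com && echo "issued $1/server.crt"
fi
```

After running it, point the server at server.crt and server.key, distribute only ca.crt to the clients, and connect using one of the names listed in subjectAltName; connecting by IP address or by a bare 'master' still fails the name check, exactly as described above.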
