ZServerSSL and Certificates

Sean

Hi,

I have been able to get ZServerSSL to work with the demo certs, and
with some self generated. However I'm really not clear on
certificates in general, and we're about to try it with real certs
from a real CA.

What I'd like to find is some really clear documentation on
ZServerSSL. What I have had to do is to try and interpret between the
general SSL certificate information sites and the ZServerSSL package.

What I did this last go-around was to snag CA.pl and visit
https://www.entrust.com/freecerts/ag_server_req.cfm

Step 3 requires a server certificate request (PKCS#10 request)

Here's what I did:

# openssl -des3 -out privatekey 1024
# ./CA.pl -newreq

Which gave me newreq.pem, so I cut the text between the markers and
pasted it into the box, and submitted it.

Then I get two files back from the web site.

I believe that the first is the server cert, the second a ca cert.

So I take privatekey.pem and the ca cert and combine them into a
single file called ca.pem.

Then I:

# ./CA.pl -sign
# openssl rsa < newreq.pem > newkey.pem

and I combine the server cert and newkey.pem and call it server.pem.

I stop and restart the server, and I get no errors from ZServerSSL.

However, when I try and access the site I get:

Microsoft IE6 first shows a request for a cert to use, I click OK to
bypass it then a warning dialog that the ca is not trusted.

Mozilla displays a panel warning that there are three potential
problems.

In either case if I ignore the warnings I get a secure connection.

I need to understand what I'm doing wrong here.

Please enlighten me!
 
Ng Pheng Siong

Sean said:
> However I'm really not clear on
> certificates in general, and we're about to try it with real certs
> from a real CA.

Ahem, please read this sentence aloud to yourself. Does it sound like a
good idea?

> # openssl -des3 -out privatekey 1024
> # ./CA.pl -newreq

You mean 'openssl rsa ...' Anyways it is a no-op, given your second
command; i.e., 'CA.pl -newreq' generates a key pair.

> So I take privatekey.pem and the ca cert and combine them into a
> single file called ca.pem.

Why?

> # ./CA.pl -sign

This _signs_ your certificate request. Given that you've already gotten
your certificate request signed by a 3rd party CA, this step is
superfluous.

> # openssl rsa < newreq.pem > newkey.pem
> and I combine the server cert and newkey.pem and call it server.pem.

Yup this is fine provided your newreq.pem contains your private key.

> Microsoft IE6 first shows a request for a cert to use,

This sounds like the server is asking for a client cert. Have you
configured your ZServerSSL to do so? I think the server doesn't do that by
default.

> I click OK to
> bypass it then a warning dialog that the ca is not trusted.

Is the 3rd party CA's cert installed into your IE6?

> Mozilla displays a panel warning that there are three potential
> problems.

What are the error messages?

> In either case if I ignore the warnings I get a secure connection.

You get an HTTPS connection. You are connecting to a site (well, your own,
in this case) whose certificate's CA your browser does not trust.
"Secure" is a loaded word. ;-)

> I need to understand what I'm doing wrong here.

Read up more on how X.509 certificates are structured and on how SSL uses
them.

Then go install one or more other SSL server products. Follow their
instructions on installing certificates. Once you see how different
software packages do the same things it should become clearer to you. Try
Apache + mod_ssl or AOLserver, say. Don't choose one where you configure
the stuff using Windows or web-based pointy-and-clicky interfaces - you
won't learn much that way.

HTH.
 
Josef Meile

Hi Sean,

> Hi,
>
> I have been able to get ZServerSSL to work with the demo certs, and
> with some self generated. However I'm really not clear on
> certificates in general, and we're about to try it with real certs
> from a real CA.

I'm not a guru either, but I guess I know what your problem is. By the
way, if I were you, I would try to use apache+mod_ssl+mod_rewrite
instead of m2crypto. I have heard apache is faster than the latter and
you won't have ZServer exposed to the world. If you want more info about
this, search the zope mailing list on list.zope.org.

> What I did this last go-around was to snag CA.pl and visit
> https://www.entrust.com/freecerts/ag_server_req.cfm

I haven't tried it, but it looks good.

> So I take privatekey.pem and the ca cert and combine them into a
> single file called ca.pem.
>
> Then I:
>
> # ./CA.pl -sign
> # openssl rsa < newreq.pem > newkey.pem
>
> and I combine the server cert and newkey.pem and call it server.pem.

I think more or less that's what I did.

> However, when I try and access the site I get:
>
> Microsoft IE6 first shows a request for a cert to use, I click OK to
> bypass it then a warning dialog that the ca is not trusted.
>
> Mozilla displays a panel warning that there are three potential
> problems.
>
> In either case if I ignore the warnings I get a secure connection.
>
> I need to understand what I'm doing wrong here.

Perhaps the Common Name (CA) of your cert isn't the same as the url of
your website. Check this on the cert properties on the certificate
manager of Mozilla.

Other problem could be that "entrust.com" isn't listed as Trusted Root
Certification Authority (Look on the certificate manager of Mozilla or
IE). I only found "entrust.net". I guess the certificates generated by
this website aren't intended for business. I think that if you want your
certificate to be signed by some well known CA, you have to pay. Anyway,
the warning is not bad. It depends on your needs.

Regards,
Josef
 
Michael Ströder

Sean said:
> So I take privatekey.pem and the ca cert and combine them into a
> single file called ca.pem.

Why? The server's private key has nothing to do with the CA certificate.

> Then I:
>
> # ./CA.pl -sign
> # openssl rsa < newreq.pem > newkey.pem

Nope. You don't have to issue a new cert.

> and I combine the server cert and newkey.pem and call it server.pem.

You issued another server cert without need for doing so.

> Microsoft IE6 first shows a request for a cert to use, I click OK to
> bypass it then a warning dialog that the ca is not trusted.

Yes. Since you installed your privately generated server cert instead of the
server cert issued by the CA.

Simply use the server cert you got back from the CA.

Ciao, Michael.
 
Sean

Thanks to all of those who helped! We've applied for our cert.

I still have a lot of learning to do, but here's the summary:

1) Generate a new request/key pair

# CA.pl -newreq

2) send newreq.pem to the website

3) get the server cert & save as server.pem

4) get the rsa private key

# openssl rsa < newreq.pem > newkey.pem

5) append newkey.pem to server.pem

6) get the ca cert and save as ca.pem

7) copy ca.pem and server.pem to the ssl directory.

So far so good!
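The seven-step summary above, rehearsed end to end so the two checks that would have caught the original mistake can be run on the result. This is an added example, not code from the thread, from ZServerSSL or from the CA.pl script; it assumes an `openssl` binary on PATH, uses a throwaway CA constructed here in place of the real third-party CA, and the hostnames, passphrase and file names are made up. It also builds the file the earlier replies warned against (a cert self-signed with the server's own key) to show that the chain check rejects it while the key-match check still passes, which is exactly why a browser would complain about the CA but the server would start without error.

```shell
#!/bin/sh
# Added example (not from the thread or ZServerSSL): replay the CSR -> CA-signed
# cert -> server.pem recipe against a constructed CA, then verify the result.
set -e

# Stand-in for the third-party CA (constructed; with a real CA you only
# download its certificate in step 6 and never see its key).
make_test_ca() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
}

# Steps 1-5: key pair + PKCS#10 request, CA signs it, passphrase stripped
# from the key, key appended to the returned cert. Produces $dir/server.pem.
build_server_pem() {
    dir="$1"
    # Step 1: what 'CA.pl -newreq' does underneath (key is passphrase-protected,
    # like CA.pl's output; here the key and the request land in separate files).
    openssl req -new -newkey rsa:2048 -passout pass:demo-passphrase \
        -subj "/CN=www.example.test" \
        -keyout "$dir/newreq.key" -out "$dir/newreq.pem" >/dev/null 2>&1
    # Steps 2-3: the CA signs the request and hands back the server cert.
    openssl x509 -req -days 1 -in "$dir/newreq.pem" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" >/dev/null 2>&1
    # Step 4: 'openssl rsa' removes the passphrase so the server can start unattended.
    openssl rsa -in "$dir/newreq.key" -passin pass:demo-passphrase \
        -out "$dir/newkey.pem" >/dev/null 2>&1
    # Step 5: append the private key to server.pem.
    cat "$dir/newkey.pem" >> "$dir/server.pem"
}

# The mistake from the thread: self-sign the request with the server's own key
# ('CA.pl -sign' against a home-made CA has the same effect as far as the
# browser is concerned). Produces $dir/selfsigned.pem.
build_selfsigned_pem() {
    dir="$1"
    openssl x509 -req -days 1 -in "$dir/newreq.pem" \
        -signkey "$dir/newkey.pem" -out "$dir/selfsigned.pem" >/dev/null 2>&1
    cat "$dir/newkey.pem" >> "$dir/selfsigned.pem"
}

# Check 1: does the certificate in a combined PEM belong to the key in it?
# Compares the RSA modulus of both; returns 0 on a match.
key_matches_cert() {
    pem="$1"
    cert_mod=$(openssl x509 -noout -modulus -in "$pem" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$pem" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Check 2: does the certificate chain to the CA cert you intend to ship as
# ca.pem? This is the check the browsers were failing. Returns 0 if it verifies.
cert_chains_to_ca() {
    ca="$1"
    pem="$2"
    certonly=$(mktemp)
    # Strip the private key so only the certificate is handed to 'verify'.
    openssl x509 -in "$pem" -out "$certonly" 2>/dev/null
    openssl verify -CAfile "$ca" "$certonly" >/dev/null 2>&1
    rc=$?
    rm -f "$certonly"
    return $rc
}

# Run the whole rehearsal when executed directly.
work=$(mktemp -d)
make_test_ca "$work"
build_server_pem "$work"
build_selfsigned_pem "$work"
if key_matches_cert "$work/server.pem"; then echo "server.pem: key matches cert"; fi
if cert_chains_to_ca "$work/ca.pem" "$work/server.pem"; then echo "server.pem: chains to ca.pem"; fi
if key_matches_cert "$work/selfsigned.pem"; then echo "selfsigned.pem: key matches cert"; fi
if ! cert_chains_to_ca "$work/ca.pem" "$work/selfsigned.pem"; then
    echo "selfsigned.pem: does NOT chain to ca.pem (what the browsers were complaining about)"
fi
```

Running both checks on the files you are about to copy into the ssl directory is cheap: a modulus mismatch means the wrong key was appended in step 5, and a failed `openssl verify` against your ca.pem means the cert in server.pem is not the one the CA returned (or ca.pem is not that CA's cert), regardless of how cleanly the server starts.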
 