[COLUG] Tomcat vs. OpenSSL CA?

Vincent Herried vince at planetvince.info
Mon Feb 18 22:42:17 EST 2008 

On Monday 18 February 2008 03:07:43 pm Josh wrote:
> ...the resulting CSR does not include the email address.  OpenSSL refuses
> to sign a CSR that does not have an email address.  I've looked around for
> a bit to find out how to add the email address (and how to get OpenSSL to
> ignore tha lack of an email address) to no avail.
>
> Has anyone done this? 

In fedora there is a make file that generates the openssl commands.
it is located in /etc/pki/tls/certs

btw I also found out that you must also generate a "hash"
and they must be in a specific location to work correctly for
some applications....  this web site helped  me
http://www.madboa.com/geek/openssl/
 
I GOT IT TO WORK, BUT DON'T KNOW DIDDLY ABOUT WHY  :-)

here is the Makefile:


-----------------Makefile-------------------------
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
SERIAL=0

.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
.PRECIOUS: %.key %.csr %.crt %.pem

usage:
	@echo "This makefile allows you to create:"
	@echo "  o public/private key pairs"
	@echo "  o SSL certificate signing requests (CSRs)"
	@echo "  o self-signed SSL test certificates"
	@echo
	@echo "To create a key pair, run \"make SOMETHING.key\"."
	@echo "To create a CSR, run \"make SOMETHING.csr\"."
	@echo "To create a test certificate, run \"make SOMETHING.crt\"."
	@echo "To create a key and a test certificate in one file, run \"make 
SOMETHING.pem\"."
	@echo
	@echo "To create a key for use with Apache, run \"make genkey\"."
	@echo "To create a CSR for use with Apache, run \"make certreq\"."
	@echo "To create a test certificate for use with Apache, run \"make 
testcert\"."
	@echo
	@echo "To create a test certificate with serial number other than zero, add 
SERIAL=num"
	@echo
	@echo Examples:
	@echo "  make server.key"
	@echo "  make server.csr"
	@echo "  make server.crt"
	@echo "  make stunnel.pem"
	@echo "  make genkey"
	@echo "  make certreq"
	@echo "  make testcert"
	@echo "  make server.crt SERIAL=1"
	@echo "  make stunnel.pem SERIAL=2"
	@echo "  make testcert SERIAL=3"

%.pem:
	umask 77 ; \
	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
	/usr/bin/openssl req $(UTF8) -newkey rsa:1024 -keyout 
$$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
	cat $$PEM1 >  $@ ; \
	echo ""    >> $@ ; \
	cat $$PEM2 >> $@ ; \
	$(RM) $$PEM1 $$PEM2

%.key:
	umask 77 ; \
	/usr/bin/openssl genrsa -des3 1024 > $@

%.csr: %.key
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $^ -out $@

%.crt: %.key
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days 365 -out $@ -set_serial 
$(SERIAL)

TLSROOT=/etc/pki/tls
KEY=$(TLSROOT)/private/localhost.key
CSR=$(TLSROOT)/certs/localhost.csr
CRT=$(TLSROOT)/certs/localhost.crt

genkey: $(KEY)
certreq: $(CSR)
testcert: $(CRT)

$(CSR): $(KEY)
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)

$(CRT): $(KEY)
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days 365 -out 
$(CRT) -set_serial $(SERIAL)


-- 
my website is http://planetvince.info
v

More information about the colug432 mailing list