free SSL cert for iplanet webserver?

[Philip Brown]

Can anyone point to a step-by-step howto guide, for generating an SSL
cert for iplanet/netscape webserver, for free?

(Or a CA out there somewhere that gives out certs for free?)

I'm bumbling around with the usual openssl commands, but I'm hitting a
wall every way I turn.

[Thomas H Jones II]

In article <bf505c49.0307251043.6bba6c4a@posting.google.com >,
Philip Brown <phil.googlenews@bolthole.com> wrote:

>Can anyone point to a step-by-step howto guide, for generating an SSL
>cert for iplanet/netscape webserver, for free?
>
>(Or a CA out there somewhere that gives out certs for free?)
>
>I'm bumbling around with the usual openssl commands, but I'm hitting a
>wall every way I turn.

Take a look at step #11 at [url]http://penguin.epfl.ch/chroot.html#h3-ssl[/url]

-tom

--

"You can only be -so- accurate with a claw-hammer." --me

[Oscar del Rio]

"Thomas H Jones II" <ferric@xanthia.com> wrote

> Philip Brown <phil.googlenews@bolthole.com> wrote:

> >Can anyone point to a step-by-step howto guide, for generating an SSL
> >cert for iplanet/netscape webserver, for free?
> >
> >(Or a CA out there somewhere that gives out certs for free?)
> >
> >I'm bumbling around with the usual openssl commands, but I'm hitting a
> >wall every way I turn.

>
> Take a look at step #11 at [url]http://penguin.epfl.ch/chroot.html#h3-ssl[/url]

I bet Phil already knows how to make self-signed certs, although he did
not give any details of what he has done.

Most, if not all, Iplanet/Netscape products store the CA certs in a file
called cert7.db, you have to import your ca.crt into this file.
Phil, can you give details of what you have done so far?
Getting a self-signed cert should not be any different than getting
a commercial one as long as the software (server & client) recognizes
the CA.

[Dave Uhring]

On Fri, 25 Jul 2003 11:43:20 -0700, Philip Brown wrote:

> Can anyone point to a step-by-step howto guide, for generating an SSL
> cert for iplanet/netscape webserver, for free?
>
> (Or a CA out there somewhere that gives out certs for free?)
>
> I'm bumbling around with the usual openssl commands, but I'm hitting a
> wall every way I turn.

There is a step-by-step procedure in one of the Linux guides:

[url]http://www.tldp.org/LDP/solrhe/Securing-Optimizing-Linux-The-Ultimate-Solution-v2.0.pdf[/url]

[Bob Hoekstra]

Philip Brown wrote:

> Can anyone point to a step-by-step howto guide, for generating an SSL
> cert for iplanet/netscape webserver, for free?
>
> (Or a CA out there somewhere that gives out certs for free?)
>
> I'm bumbling around with the usual openssl commands, but I'm hitting a
> wall every way I turn.

The best iunstruction set I know is on the modssl web site: start reading at
[url]http://www.modssl.org/docs/2.8/ssl_faq.html#ToC24[/url] - actually, it is probably not a bad
idea to read the whole site as Ralf Engelschall really knows his onions :-)

No, as far as I know, no CA gives certs away. You will have to create your own CA for this
(it's part of the self-signing process). However, some CAs are cheaper than others.

Note that a self-signed certificate may be adequate for your requirements, but don't
expect the public to trust you: a certificate is only as trustworthy as the CA that signed it.

--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GO/! d- s++:+ a+ C++(++++) US++++$ UB++ U*++ P+++ L+++ E--- W+++ N++ w--- O-
M+ V- PS+ PE+ Y+ PGP t+ 5++ X R* tv+ b+ DI++ D G e(*) h++/-- r+++ y?
------END GEEK CODE BLOCK------

-----------------------------------------------------
Bob Hoekstra: APL & Unix Consultant
Telephone: +44 1483 771028
Mobile: +44 7710 562345
Email: [email]Bob.Hoekstra@HoekstraSystems.ltd.uk[/email]
-----------------------------------------------------

[Kjetil Torgrim Homme]

[Bob Hoekstra]:

>
> No, as far as I know, no CA gives certs away. You will have to
> create your own CA for this (it's part of the self-signing
> process). However, some CAs are cheaper than others.

[url]http://www.barmala.com/CA/[/url]

it's probably not included in the default CA list of major browsers,
though.

--
Kjetil T. | read and make up your own mind
| [url]http://www.cactus48.com/truth.html[/url]

[Oscar del Rio]

> > No, as far as I know, no CA gives certs away. You will have to

> > create your own CA for this (it's part of the self-signing
> > process). However, some CAs are cheaper than others.

>
> [url]http://www.barmala.com/CA/[/url]
>
> it's probably not included in the default CA list of major browsers,
> though.

What's the point then? Anyone can be a CA, all you need is to
install openssl. Hey, I can sell you cheap certs for say $20 and
valid for 20 years! ;-)

[Bob Hoekstra]

Oscar del Rio wrote:

>>> No, as far as I know, no CA gives certs away. You will have to
>>> create your own CA for this (it's part of the self-signing
>>> process). However, some CAs are cheaper than others.

>>
>>[url]http://www.barmala.com/CA/[/url]
>>
>>it's probably not included in the default CA list of major browsers,
>>though.

>
>
> What's the point then? Anyone can be a CA, all you need is to
> install openssl. Hey, I can sell you cheap certs for say $20 and
> valid for 20 years! ;-)

You hit the nail smack on the head. This is the point I was making when I said in my
previous post:
"Note that a self-signed certificate may be adequate
for your requirements, but don't expect the public
to trust you: a certificate is only as trustworthy
as the CA that signed it."

Before someone picks this up, I should probably point out that my other company
([url]http://www.novawebhosting.net/[/url]) has a reseller agreement with GeoTrust. You won't find it
offered as a product for sale, as we have only offered it as a service to our existing
customers rather than a profit making venture in its own right. Maybe we should rethink
this, as it appears from this post that there is a need...

--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GO/! d- s++:+ a+ C++(++++) US++++$ UB++ U*++ P+++ L+++ E--- W+++ N++ w--- O-
M+ V- PS+ PE+ Y+ PGP t+ 5++ X R* tv+ b+ DI++ D G e(*) h++/-- r+++ y?
------END GEEK CODE BLOCK------

-----------------------------------------------------
Bob Hoekstra: APL & Unix Consultant
Telephone: +44 1483 771028
Mobile: +44 7710 562345
Email: [email]Bob.Hoekstra@HoekstraSystems.ltd.uk[/email]
-----------------------------------------------------

[Kjetil Torgrim Homme]

[Oscar del Rio]:

>

> > [url]http://www.barmala.com/CA/[/url]
> >
> > it's probably not included in the default CA list of major browsers,
> > though.

>
> What's the point then? Anyone can be a CA, all you need is to
> install openssl. Hey, I can sell you cheap certs for say $20 and
> valid for 20 years! ;-)

they might be included by some in the future, whereas the chance of
your own CA being included is nil, and it's less hassle for a user (or
more likely, sysadmin) to install one such CA than to include CA certs
for all the self-signed web sites out there.

--
Kjetil T. | read and make up your own mind
| [url]http://www.cactus48.com/truth.html[/url]

[Philip Brown]

On Sat, 26 Jul 2003 18:12:21 +0100, [email]Bob.Hoekstra@HoekstraSystems.ltd.uk[/email] wrote:

>Philip Brown wrote:

>> Can anyone point to a step-by-step howto guide, for generating an SSL
>> cert for iplanet/netscape webserver, for free?
>> ...

>
>The best iunstruction set I know is on the modssl web site: start reading at
>[url]http://www.modssl.org/docs/2.8/ssl_faq.html#ToC24[/url] - actually, it is probably not a bad
>idea to read the whole site as Ralf Engelschall really knows his onions :-)

But that's for apache. iplanet is more irritating.

It turns out, the magic was to use the iplanet mechanism for requesting a
cert from a CA. Select the "email" option, and email yoursenf the cert
request.

You then can save that email as a file, (or just cut-n-paste the cert
request bit), go make your own CA with ssl/misc/CA.sh, and then do the
whole official convert-request-to-new-cert thing.

(copy the request to "newreq.pem", run
CA.sh -sign
then take "newcert.pem" as the result, if I remember what I did now)



Going from my memory, you dont have to do that with apache. You can just
generate a cert with the appropriate "common name" directly from openssl,
and you can then drop that into the appropriate key file for apache.
iplanet is not so flexible. It wont accept a cert to use for the server,
unless it came as a reply to a specific cert request, it seems.


(Happily, you do not have to specify the CA you are sending the request
to, when you generate the request through the iplanet admin server)



--
[url]http://www.blastwave.org/[/url] for solaris pre-packaged binaries with pkg-get
Organized by the author of pkg-get
[Trim the no-bots from my address to reply to me by email!]
S.1618 [url]http://thomas.loc.gov/cgi-bin/bdquery/z?d105:SN01618:@@@D[/url]
[url]http://www.spamlaws.com/state/ca1.html[/url]

[Philip Brown]

On Sat, 26 Jul 2003 20:30:46 +0200, [email]kjetilho@yksi.ifi.uio.no[/email] wrote:

>[Bob Hoekstra]:

>>
>> No, as far as I know, no CA gives certs away. You will have to
>> create your own CA for this (it's part of the self-signing
>> process). However, some CAs are cheaper than others.

>
>[url]http://www.barmala.com/CA/[/url]
>
>it's probably not included in the default CA list of major browsers,
>though.

cool. thanks.



--
[url]http://www.blastwave.org/[/url] for solaris pre-packaged binaries with pkg-get
Organized by the author of pkg-get
[Trim the no-bots from my address to reply to me by email!]
S.1618 [url]http://thomas.loc.gov/cgi-bin/bdquery/z?d105:SN01618:@@@D[/url]
[url]http://www.spamlaws.com/state/ca1.html[/url]