Hi,
First of all, I am using BT5 on VMware on a standalone machine. I am trying to set up an SSL server to capture requests on port 443. I am using the following command -> "openssl s_server -accept 443 -www". However, I get an error indicating that it can't find the server.pem. I googled how to create the certs, but it is not clear whether the machine needs to have access to the internet in order to create the server.pem. I was able to create all the other certs (privkey.pem, server.csr, etc.) but not the server.pem. If BT5 needs to access the internet for this, is there any other way of creating that cert that won't require internet access?
Last edited by algemy; 09-29-2011 at 12:43 PM.
Why haven't you simply tried creating server.pem without internet access?
I've never done it but I'm 90% sure you don't need internet access to generate the needed keys. However it seems fairly easy to come to 100% answer yourself.
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
Hello,
Here you will find the answer =)
Have a nice Day
Thorin, I did try, unsuccessfully. The following were the commands I used:
openssl req -config /etc/ssl/openssl.cnf -new -out server.csr
openssl rsa -in privkey.pem -out server.key
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
According to my notes, the first command should have created the privkey.pem, server.csr, and server.pem. It only created the first two but not the privkey.pem.
Bambuka, I'll check it out.
None of the commands you've listed deal with server.pem, so of course it hasn't been created; you never told anything to create it.
It seems you have all the pieces that you need though.
server.csr -> Your certificate signing request
privkey.pem -> Your encrypted private key
server.key -> Your un-encrypted private key
server.crt -> Your certificate
I'm guessing that you didn't follow the instructions you started with exactly or that you're getting caught up in specific details from one instruction set or another that aren't identical to what you've done in the end. i.e.: You've looked at instruction sets A and B. In A you created privkey.pem and in B it refers to that as server.pem or something like that.....
Last edited by thorin; 10-03-2011 at 03:17 PM.
It's been a while since I generated a certificate so I looked this up (openssl x509 -help) - is it that hard to read the man page and discover that the file specified by "-out" is your generated certificate... and if you really wanted to get advanced that the switch "-outform" will give you an output format of your choosing... with a default of PEM... which, if you follow me here boys and girls, means that server.crt is actually a differently named server.pem, by virtue of being the specified output file with the default formatting.
Code:
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
There are manual pages. Read them. We all had to, to learn. If you pick up the habit now, it makes things a hell of a lot easier later on.
Still not underestimating the power...
There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
The link that bambuka provided helped to generate the server.pem. I got the SSL server set up by running the following command: "openssl s_server -accept 443 -cert /etc/ssl/certs/server.pem -www". I had to specify the location of the server.pem certificate because, if I didn't, it kept failing with some error indicating it couldn't find it.
Gitsnik, I did read the man files, and I knew that the "-out" indicated the certificate that was being generated. However, I couldn't find an explanation indicating what was needed to create this certificate ("xx.pem"). The documentation I mentioned above indicated that the "pem" certificate is encrypted. Also, the manual pages don't tell you that you need to generate some certificates, or which ones, before you can use openssl as a server.
Thank you for your help
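Added example, not part of the original thread: an offline build of the server.pem that s_server looks for, following the key, CSR and self-signed certificate steps discussed above and then joining key and certificate into one PEM file, with a check that the two belong together. The function names, the 2048-bit key size and the CN value are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names, key size and CN are
# assumptions chosen for illustration. Everything runs locally, no network.

# Build server.key, server.csr, server.crt and the combined server.pem in $1.
make_server_pem() (
    umask 077                      # the private key must not be world-readable
    dir=$1
    cn=${2:-localhost}             # constructed subject name
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || exit 1
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" \
        -out "$dir/server.csr" 2>/dev/null || exit 1
    # Self-sign the request; the output format defaults to PEM.
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -days 365 -out "$dir/server.crt" 2>/dev/null || exit 1
    # s_server reads the certificate, and the key when -key is not given,
    # from one file, so server.pem is the key followed by the certificate.
    cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem"
)

# True when the file starts with a PEM certificate header.
is_pem_cert() {
    head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----'
}

# True when the private key and the certificate in one PEM file belong together.
pem_is_consistent() (
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || exit 1
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
)

# Usage:
#   make_server_pem /etc/ssl/certs && pem_is_consistent /etc/ssl/certs/server.pem
#   openssl s_server -accept 443 -cert /etc/ssl/certs/server.pem -www
```

A self-signed certificate built this way is not trusted by clients by default, so expect certificate warnings on the connecting side.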