Loading FAQ +32 −0 Original line number Diff line number Diff line Loading @@ -13,6 +13,9 @@ OpenSSL - Frequently Asked Questions * Why do I get errors about unknown algorithms? * How do I create certificates or certificate requests? * Why can't I create certificate requests? * Why does <SSL program> fail with a certificate verify error? * How can I create DSA certificates? * Why can't I make an SSL connection using a DSA certificate? * Why can't the OpenSSH configure script detect OpenSSL? Loading Loading @@ -156,6 +159,7 @@ on how to obtain and install the free GNU C compiler. A number of Linux and *BSD distributions include OpenSSL. * I've compiled a program under Windows and it crashes: why? This is usually because you've missed the comment in INSTALL.W32. You Loading Loading @@ -191,6 +195,34 @@ This is because it can't find the configuration file. Check out the DIAGNOSTICS section of req(1) for more information. * Why does <SSL program> fail with a certificate verify error? This problem is usually indicated by log messages saying something like "unable to get local issuer certificate" or "self signed certificate". When a certificate is verified its root CA must be "trusted" by OpenSSL this typically means that the CA certificate must be placed in a directory or file and the relevant program configured to read it. The OpenSSL program 'verify' behaves in a similar way and issues similar error messages: check the verify(1) program manual page for more information. * How can I create DSA certificates? Check the CA.pl(1) manual page for a DSA certificate example. * Why can't I make an SSL connection to a server using a DSA certificate? Typically you'll see a message saying there are no shared ciphers when the same setup works fine with an RSA certificate. There are two possible causes. The client may not support connections to DSA servers most web browsers only support connections to servers supporting RSA cipher suites. The other cause is that a set of DH parameters has not been supplied to the server. DH parameters can be created with the dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example: check the source to s_server in apps/s_server.c for an example. * Why can't the OpenSSH configure script detect OpenSSL? There is a problem with OpenSSH 1.2.2p1, in that the configure script Loading doc/apps/CA.pl.pod +29 −0 Original line number Diff line number Diff line Loading @@ -102,6 +102,35 @@ the request and finally create a PKCS#12 file containing it. CA.pl -signreq CA.pl -pkcs12 "My Test Certificate" =head1 DSA CERTIFICATES Although the B<CA.pl> creates RSA CAs and requests it is still possible to use it with DSA certificates and requests using the L<req(1)|req(1)> command directly. The following example shows the steps that would typically be taken. Create some DSA parameters: openssl dsaparam -out dsap.pem 1024 Create a DSA CA certificate and private key: openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem Create the CA directories and files: CA.pl -newca enter cacert.pem when prompted for the CA file name. Create a DSA certificate request and privat key (a different set of parameters can optionally be created first): openssl req -out newreq.pem -newkey dsa:dsap.pem Sign the request: CA.pl -signreq =head1 NOTES Most of the filenames mentioned can be modified by editing the B<CA.pl> script. Loading Loading
FAQ +32 −0 Original line number Diff line number Diff line Loading @@ -13,6 +13,9 @@ OpenSSL - Frequently Asked Questions * Why do I get errors about unknown algorithms? * How do I create certificates or certificate requests? * Why can't I create certificate requests? * Why does <SSL program> fail with a certificate verify error? * How can I create DSA certificates? * Why can't I make an SSL connection using a DSA certificate? * Why can't the OpenSSH configure script detect OpenSSL? Loading Loading @@ -156,6 +159,7 @@ on how to obtain and install the free GNU C compiler. A number of Linux and *BSD distributions include OpenSSL. * I've compiled a program under Windows and it crashes: why? This is usually because you've missed the comment in INSTALL.W32. You Loading Loading @@ -191,6 +195,34 @@ This is because it can't find the configuration file. Check out the DIAGNOSTICS section of req(1) for more information. * Why does <SSL program> fail with a certificate verify error? This problem is usually indicated by log messages saying something like "unable to get local issuer certificate" or "self signed certificate". When a certificate is verified its root CA must be "trusted" by OpenSSL this typically means that the CA certificate must be placed in a directory or file and the relevant program configured to read it. The OpenSSL program 'verify' behaves in a similar way and issues similar error messages: check the verify(1) program manual page for more information. * How can I create DSA certificates? Check the CA.pl(1) manual page for a DSA certificate example. * Why can't I make an SSL connection to a server using a DSA certificate? Typically you'll see a message saying there are no shared ciphers when the same setup works fine with an RSA certificate. There are two possible causes. The client may not support connections to DSA servers most web browsers only support connections to servers supporting RSA cipher suites. The other cause is that a set of DH parameters has not been supplied to the server. DH parameters can be created with the dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example: check the source to s_server in apps/s_server.c for an example. * Why can't the OpenSSH configure script detect OpenSSL? There is a problem with OpenSSH 1.2.2p1, in that the configure script Loading
doc/apps/CA.pl.pod +29 −0 Original line number Diff line number Diff line Loading @@ -102,6 +102,35 @@ the request and finally create a PKCS#12 file containing it. CA.pl -signreq CA.pl -pkcs12 "My Test Certificate" =head1 DSA CERTIFICATES Although the B<CA.pl> creates RSA CAs and requests it is still possible to use it with DSA certificates and requests using the L<req(1)|req(1)> command directly. The following example shows the steps that would typically be taken. Create some DSA parameters: openssl dsaparam -out dsap.pem 1024 Create a DSA CA certificate and private key: openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem Create the CA directories and files: CA.pl -newca enter cacert.pem when prompted for the CA file name. Create a DSA certificate request and privat key (a different set of parameters can optionally be created first): openssl req -out newreq.pem -newkey dsa:dsap.pem Sign the request: CA.pl -signreq =head1 NOTES Most of the filenames mentioned can be modified by editing the B<CA.pl> script. Loading
