Self signed cert in WHM

Discussion in 'General Discussion' started by blairp36, Apr 4, 2004.

  1. blairp36

    blairp36 Active Member

    Joined:
    Apr 17, 2003
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    6
    Hello,

    I just generated and installed a self-signed ssl cert in WHM for my private site. Installed and works fine. Accepted the cert from my browser as trusted. When I looked at the cert it says it's only valid for 30 days. With a self-signed cert do I have to generate a new one every month? New to SSL so please forgive if this is a dumb question.

    Thanks for any input,
    John
     
  2. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Same problem here, how to generate one for 1 or 2 years?
     
  3. bking

    bking Well-Known Member

    Joined:
    Mar 1, 2004
    Messages:
    206
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney
    Hrmm, Same issue.. I never even noticed...
    I guess one of the following two files would need to be edited...
    gencrt or gencrt2
    I have not looked at them yet, but I am guessing you would need to add
    -days 365

    to the bit that creates the CSR... Anyone done this?
     
  4. blairp36

    blairp36 Active Member

    Tried to 'locate' the files above... No luck. Where are they located?

    Thanks
     
  5. Radio_Head

    Radio_Head Well-Known Member

    An option in WHM to set an expiration date for the self-signed certificate could be really USEFUL.
     
  6. bking

    bking Well-Known Member

    These files are located in the /scripts directory
     
  7. blairp36

    blairp36 Active Member

    Thanks,

    Found this line close to the end of 'gencert'.

    open3(\*SSL,\*CERT,">&WNULL","$ssl","req","-new","-x509","-key","../private/$host.key");

    Not sure if I should change anything... The openSSL command would be:

    $ openssl x509 -req -days 60 -in server.csr -signkey server.key -out server.crt

    Not sure where to put the -days.

    Any ideas?
     
  8. bking

    bking Well-Known Member

    I am pretty sure it would go anywhere on that line. Test it and see! :) Let us know how it works.
    I have submitted a feature request for this to be an option when generating the certs and installing.. Will see what they say.
     
  9. Radio_Head

    Radio_Head Well-Known Member

    I tried to add "-days 1095". Apparently it works, but really it doesn't work, since openssl is not able to create the crt.
     
  10. blairp36

    blairp36 Active Member

    I think I found it...

    The default of 30 days is in the OpenSSL config. file (I think).

    Located in: /usr/share/ssl/openssl.cnf

    ####################################################################
    [ ca ]
    default_ca = CA_default # The default ca section

    ####################################################################
    [ CA_default ]

    dir = /opt/openssl # Where everything is kept
    certs = $dir/certs # Where the issued certs are kept
    crl_dir = $dir/crl # Where the issued crl are kept
    database = $dir/index.txt # database index file.
    new_certs_dir = $dir/newcerts # default place for new certs.

    certificate = $dir/private/CAcert.pem # The CA certificate
    serial = $dir/serial # The current serial number
    crl = $dir/clr/crl.pem # The current CRL
    private_key = $dir/private/CAkey.pem # The private key
    RANDFILE = $dir/private/.rand # private random number file

    x509_extensions = x509v3_extensions # The extentions to add to the cert
    default_days = 365 # how long to certify for
    default_crl_days= 30 # how long before next CRL
    default_md = md5 # which md to use.
    preserve = no # keep passed DN ordering

    # A few difference way of specifying how similar the request should look
    # For type CA, the listed attributes must be the same, and the optional
    # and supplied fields are just that :)
    policy = policy_match
     
  11. Radio_Head

    Radio_Head Well-Known Member

    I changed 30 to 365 but a new 30-day certificate has been created :(
     
  12. bking

    bking Well-Known Member

    Yer, I think it will need to go in the gencrt script..
     
  13. blairp36

    blairp36 Active Member

    Here is a proper call for Self-signed cert.

    openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
     
    #13 blairp36, May 11, 2004
    Last edited: May 11, 2004
  14. blairp36

    blairp36 Active Member

    Here is what I'm trying now...

    This is the call at the bottom of the gencert script that makes the cert:

    open3(\*SSL,\*CERT,">&WNULL","$ssl","req","-new","-x509","-key","../private/$host.key");

    Changing to:

    open3(\*SSL,\*CERT,">&WNULL","$ssl","req","-new","-x509","-key","../private/$host.key",”-days 365”);
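
Added example, not part of the original posts and not cPanel's code: `openssl req -x509` certifies for 30 days unless `-days` is given (`default_days` under `[ CA_default ]` is read by `openssl ca`, not by `req`), and the option and its value must reach openssl as two separate arguments, so in an `open3` list that is `"-days","365"` rather than `"-days 365"`. The shell sketch below checks all three cases; the file names and the `host.example` CN are constructed.

```shell
#!/bin/sh
# Added example: paths, file names and the CN are constructed for illustration.

# Create a key and a self-signed certificate in DIR.
# Any further arguments are handed to `openssl req` exactly as given, one argv
# entry each, which is also how Perl's open3() list form passes them on.
make_selfsigned() {
    dir=$1; shift
    openssl genrsa -out "$dir/host.key" 2048 2>/dev/null || return 1
    openssl req -new -x509 -key "$dir/host.key" -subj "/CN=host.example" \
        -out "$dir/host.crt" "$@" 2>/dev/null
}

# Succeeds if the certificate in DIR is still valid DAYS days from now.
valid_in_days() {
    openssl x509 -in "$1/host.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

demo() {
    tmp=$(mktemp -d) || return 1
    # 1. No -days: req -x509 falls back to its built-in 30 days.
    make_selfsigned "$tmp" && valid_in_days "$tmp" 29 && ! valid_in_days "$tmp" 31 \
        && echo "default: expires in about 30 days"
    # 2. "-days 365" as ONE argument: openssl treats it as an unknown option.
    make_selfsigned "$tmp" "-days 365" || echo "single argument: rejected"
    # 3. Option and value as TWO arguments: accepted.
    make_selfsigned "$tmp" -days 1095 && valid_in_days "$tmp" 1094 \
        && echo "two arguments: valid for 3 years"
    # Show the resulting validity window of the last certificate written.
    openssl x509 -in "$tmp/host.crt" -noout -dates
    rm -rf "$tmp"
}

demo
```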
     
  15. Radio_Head

    Radio_Head Well-Known Member

    It didn't work for me.
     
  16. blairp36

    blairp36 Active Member

    I give up... Just made a self-signed cert the old fashioned way.

    :mad:
     