This is a discussion on Newbie: Apache & self signed certificates within the Linux Web Servers forums, part of the Web Server and Related Forums category.

Hello -

I'm a newbie, so please bear with me if I ask dumb questions. I want to set up an https connection between my web server & its clients. I created my own certificates and set up Apache, but when a client browser connects with https://mydomain.com, a window pops up "Website Certified by Unknown Authority" and I'm prompted on whether to accept the certificate. I must have done something wrong, but I'm stumped. Any suggestions would be appreciated. Below are my steps.

# Create Root CA certificate/key
openssl req -x509 -newkey rsa -out cacert.pem -outform PEM
(CN used was ROOT CA)

# Produce CSR for server
openssl req -newkey rsa:1024 -keyout /opt/testkey.pem -keyform PEM -out testreq.pem -outform PEM -nodes
(CN used was mydomain.com)

# Have CA sign CSR
openssl ca -in testreq.pem -out /opt/server.pem

# Set up apache to point to servers certificate & key
# Section from HTTPD.CONF
<VirtualHost 10.x.x.x:443>
    ServerAdmin admin@mydomain.com
    ServerName mydomain.com
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine On
    SSLCertificateFile /opt/server.pem
    SSLCertificateKeyFile /opt/testkey.pem
</VirtualHost>

# Convert the server certificate into a form for browsers
openssl pkcs12 -export -clcerts -in /opt/server.pem -inkey /opt/testkey.pem -out client.p12

# Import p12 file into browser on client

Another question . . . I have multiple web servers hosting the same pages (mydomain.com, mydomain1.com, mydomain2.com etc). Is there something generic I can do so I don't need to create certificates/keys for each server?

Thanks!
Matt

On Thu, 14 Feb 2008 06:52:52 -0800 (PST), Matthew <matthewmillermm@gmail.com>, in <7c9be0b5-e5d9-40fd-88d9-5e7e634e626c@d68g2000hsg.googlegroups.com> wrote:

>+ I created my own certificates and setup apache but when a client
>+ browser connects with https://mydomain.com, a window pops up 'Website
>+ Certified by Unknown Authority" and I'm prompted on whether to accept
>+ the certificate. I must have done something wrong

No, that's expected behaviour. Unless your certificate is signed by a browser-recognized certificate authority -- Thawte, VeriSign, etc -- you'll get a warning as you describe. Since you are self-signing your certs, you'll get that warning.

Two ways to approach this "problem".

1. Provide the fingerprints to your users, so that they can verify the certificate that triggers the above warning dialog and then accept the certificate as trusted.

2. Provide your signing certificate authority for your users to install into their browser. After this, upon encountering your certificate the browser will silently accept it as being trusted.

This will help if you choose to pursue option 2:
http://www.davidpashley.com/articles...authority.html

--
Consulting Minister for Consultants, DNRC
I can please only one person per day. Today is not your day. Tomorrow isn't looking good, either.
I am BOFH. Resistance is futile. Your network will be assimilated.

"Matthew" <matthewmillermm@gmail.com> wrote in message news:7c9be0b5-e5d9-40fd-88d9-5e7e634e626c@d68g2000hsg.googlegroups.com...
> Hello -
>
> I'm a newbie, so please bear with me if I ask dumb questions. I want to
> set up an https connection between my web server & its clients. I created my
> own certificates and setup apache but when a client browser connects with
> https://mydomain.com, a window pops up 'Website Certified by Unknown
> Authority" and I'm prompted on whether to accept the certificate. I must have
> done something wrong, but I'm stumped. Any suggestions would be appreciated.
> Below are my steps.
>
> # Create Root CA certificate/key
> openssl req -x509 -newkey rsa -out cacert.pem -outform PEM
> (CN used was ROOT CA)
>

Import the root ca certificate (ca.crt) into the client's browser as a trusted root certification authority, that *should* get rid of the "Website Certified by Unknown Authority" warning.

On Feb 14, 10:03 am, "phantom" <nob...@blueyonder.invalid> wrote:
> "Matthew" <matthewmille...@gmail.com> wrote in message
> news:7c9be0b5-e5d9-40fd-88d9-5e7e634e626c@d68g2000hsg.googlegroups.com...
>
> > Hello -
> >
> > I'm a newbie, so please bear with me if I ask dumb questions. I want to
> > set up an https connection between my web server & its clients. I created my
> > own certificates and setup apache but when a client browser connects with
> > https://mydomain.com, a window pops up 'Website Certified by Unknown
> > Authority" and I'm prompted on whether to accept the certificate. I must have
> > done something wrong, but I'm stumped. Any suggestions would be appreciated.
> > Below are my steps.
> >
> > # Create Root CA certificate/key
> > openssl req -x509 -newkey rsa -out cacert.pem -outform PEM
> > (CN used was ROOT CA)
>
> Import the root ca certificate (ca.crt) into the client's browser as a
> trusted root certification authority, that *should* get rid of the "'Website
> Certified by Unknown Authority" warning.

Thank you. I imported my root CA certificate into the clients browser and the "Unknown Authority" warning went away. Groovy!!
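
Added example, not part of the original thread: the two options from the first reply, checked from the command line. It builds a throwaway root CA and a server certificate, shows that verification fails until the client trusts cacert.pem (the only file clients need to import), and prints the fingerprint to publish. Assumptions: it signs with `openssl x509 -req` instead of `openssl ca` so no CA database directory is needed, and the temporary paths, 2048-bit keys, 30-day lifetimes, inline config and subjectAltName entry are constructed sample values.

```shell
#!/bin/sh
# Added example. All names, paths and lifetimes are constructed sample values.
set -e
WORK=$(mktemp -d)

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = ROOT CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[srv]
subjectAltName = DNS:mydomain.com
EOF

make_chain() {
    # Root CA (self-signed). cakey.pem never leaves the CA host.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
    # Server key and CSR; testkey.pem stays on the web server.
    openssl req -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=mydomain.com" \
        -keyout "$WORK/testkey.pem" -out "$WORK/testreq.pem" 2>/dev/null
    # CA signs the CSR; current browsers match the host name against subjectAltName.
    openssl x509 -req -in "$WORK/testreq.pem" -days 30 -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -extfile "$WORK/ca.cnf" \
        -extensions srv -out "$WORK/server.pem" 2>/dev/null
}

client_verdict() {  # $1 (optional): CA certificate the client has imported
    if openssl verify ${1:+-CAfile "$1"} "$WORK/server.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo unknown-authority
    fi
}

fingerprint() {  # option 1: SHA-256 value to give users out-of-band
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

make_chain
echo "before import: $(client_verdict)"
echo "after import:  $(client_verdict "$WORK/cacert.pem")"
echo "server SHA-256 fingerprint: $(fingerprint "$WORK/server.pem")"
```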