Re: [cobalt-users] Moving SSL to Raq3
- Subject: Re: [cobalt-users] Moving SSL to Raq3
- From: "Paul Harvey" <paul@xxxxxxxxxxxxx>
- Date: Thu Oct 4 15:49:27 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Yes. I took a copy of all the files in the certs directory. Set up the
website on a different machine. Pointed the DNS to the new IP address.
Copied the certs to the new setup. Engaged SSL on the GUI and all works
fine. It did not seem to matter that it was on a new IP address. Cert
used was from Thawte.
I have seen some of the posts here and others have had problems. Can't tell
you why mine worked and others did not.
----- Original Message -----
From: "David Thurman" <dthurman@xxxxxxxxxxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Thursday, October 04, 2001 1:59 PM
Subject: Re: [cobalt-users] Moving SSL to Raq3
> on 10-4-01 12:32 AM, flash22@xxxxxxx at flash22@xxxxxxx was reported to have
> made a statement that said this:
>
> <snip>
> >>>> Has anyone successfully moved a current certificate from one server to a
> >>>> Raq3 if possible and gotten it to work.
>
> >>> The cert is keyed specifically to the machine it's generated for
> >>> and won't work anywhere else. Wish I had better news for you I called
>
> Verisign on this and they stated that you could move a cert from apache to
> apache, he even stated that if you had a win box with apache you may be able
> to import that as well.
>
> > for the cost of a new cert ;)
>
> I am trying to hold off till the last moment:(
> >
> > The real problem here is, you need the private key used to generate the
> > certificate signing request data that was sent to the CA to get the
> > certificate, the resulting public key (The 'cert') is the public key that
> > matches the private key on the server.
> >
> > When you move a key to a new server, you need BOTH parts, chances are tho,
> > their old isp won't give you that, and the customer doesn't have it
> > either, because they never had it, at best they got the CSR.
> Well actually I was able to get into their server and grab all the cert
> parts:) Their boxes are so insecure you would sh*t. I went to the apache's
> cert root and downloaded them. They are in fine condition. You are correct
> on what they will give the client. What they sent me was only the cert and
> the request. Glad I grabbed them.
> >
> > If you do get it, you still need it to match the server type, and the
> > server has to support the encryption type used to encode the keys unless
> > they are stripped (eg no password is encoded in the private key)
> >
> > if you can do all that, you can make it work, but you will have to sneak
> > by the raq's interface to stick the private key in, normally you create
> > that on the server, in this case you need to use one that already
> > exists...
> Okay I actually did this. I had the key, the request and the certificate.
> They were named www.domain.com.key - www.domain.com.crs - www.domain.com.crt
> I put them on the server and moved them to the cert dir for the account's web
> root. I then proceeded to rename them per the way Cobalt does. Key, request
> and certificate. I reset the chmod to rw -rw - and made sure they were
> root and site#, I was su'd so I could perform this great fun. When I view
> the SSL in the site's GUI I see the info filled in proper. I even restarted
> apache. Now that I think about it I didn't restart the SSL apache, but that
> shouldn't be necessary should it?? When I go to view the site, I see the self
> signed cert I have for the Raq's admin domain. They are on different IP's.
> I remember seeing others having trouble getting a cert to be recognized and
> wonder if I am missing something?? By all rights it should work. I mean we
> are talking about an apache/linux box. I know cobalt is a little bit of a
> bully on doing things but, well help!!
> >
> > ps: One other gotcha, the CA's require a contact person with the Cert that
> > is often set to someone@isp, if you are moving the domain, this changes,
> > and technically, you are required to get a new certificate to reflect
> > this...(It has no functional significance however, just legal ;)
> Well I can understand that. Thing is the client has 5 months left on the
> cert so I wanted to hold off a little on this.
> >
> > gsh
> >
> > _______________________________________________
> > cobalt-users mailing list
> > cobalt-users@xxxxxxxxxxxxxxx
> > To Subscribe or Unsubscribe, please go to:
> > http://list.cobalt.com/mailman/listinfo/cobalt-users
> >
>
> --
> Thank you,
> David E Thurman
> Web Presence Group
> 309.676.5688
> dthurman@xxxxxxxxxxxxxxxxxxxx
> http://www.webpresencegroup.net
>
>
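
The thread turns on three conditions for a moved certificate: the private key must be the one the certificate was issued for, the key must be stripped of its passphrase, and the key file's permissions must be sane. The script below is an added example, not part of the original messages, that checks all three with the `openssl` command line; the file names and the hostname `www.example.test` are constructed for the demo, and it assumes `openssl` is installed.

```shell
#!/usr/bin/env bash
# Added example: checks to run on a key/certificate pair copied from another
# server. All file names and the hostname below are constructed for the demo.

# 0 if the certificate carries the public half of this private key.
pair_matches() {            # $1 = private key, $2 = certificate
    local from_key from_cert
    # "-passin pass:" supplies an empty passphrase, so an encrypted key
    # fails cleanly instead of prompting.
    from_key=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 2
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# 0 if the PEM key is passphrase-protected (i.e. not "stripped").
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# 0 if "other" has no access bits on the key file.
key_not_world_accessible() { [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]; }

check_pair() {              # prints one verdict line; returns 0 only for "ok"
    if key_is_encrypted "$1"; then echo "key is passphrase-protected"; return 1; fi
    if ! pair_matches "$1" "$2"; then echo "key does not match certificate"; return 1; fi
    if ! key_not_world_accessible "$1"; then echo "key is world-accessible"; return 1; fi
    echo "ok"
}

# Constructed demo material: a throwaway key and self-signed certificate,
# an unrelated key, and a passphrase-protected copy of the first key.
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.test" \
    -keyout "$demo/key" -out "$demo/certificate" 2>/dev/null
openssl genrsa -out "$demo/other.key" 2048 2>/dev/null
openssl rsa -in "$demo/key" -aes256 -passout pass:constructed \
    -out "$demo/locked.key" 2>/dev/null
chmod 660 "$demo"/*key*

check_pair "$demo/key"        "$demo/certificate"
check_pair "$demo/other.key"  "$demo/certificate" || true
check_pair "$demo/locked.key" "$demo/certificate" || true
```
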