Apache Friends Support Forum

[itsme33]

hi, i'm using xampp 1.8.2-6 all is going fine with apache, created certificate using the makecert.bat which comes in the apache folder then i got the server.crt and server.key sucessfully updated in the conf/ folder however:
1- the csr file server.csr still not updated at all, it see its date very long since March, is there something wrong with the creation of the certificate?
2- i have this server inside the local network, i can browse the server using https://office1 but there is red-mark and privacy issue shows that this is not in the CA root authority bla bla and https line cross which is also scary on Chrome says that privacy concern bla bla bla

- what i can do from the server side to make this appear as green, or at least not to warn the user that certificate is not assigned by trusted authority? is it essential to buy a certificate and pay money for that? or i can do something locally? please note that this server is internal only inside the office, not exposed to the internet, hence noway for chrome or other browser to check the certificate? not sure about t

- is it related to csr? to local server name? should be FQDN name? ip address?

any information in this regard will be highly appreciated


Mike

[gsmith]

The .csr is a Certificate Signing Request, open it up in Notepad and look, it says "CERTIFICATE REQUEST". It's used to either sign a self-signed certificate or you would create one and send it to a Certificate Authority [CA] (Verisign, Comodo, GoDaddy, ect.) for them to use to sign the certificate they issue you.

Why one is stored in xampp/apache/conf/ssl.csr I assume is a leftover of the days when Xampp maybe used the binaries from the ASF (apache.org), I seem to remember the installer doing just such a thing. The server does not use it and if you do not know the passphrase used to create it it's not worth a lot to you.

If you look at makecert.bat, it never touches it. Instead it creates a new one (Line 7) that it uses and later deletes (Line 14). The only 2 things you absolutely need are server.crt and server.key when using self-signed certificates as makecert.bat creates.

[itsme33]

thank you, perfect answer, that covered most of my concerns, so if i remove the old CSR as it is -as you said- not used at all, then where is the new one that i have to send to digisign...etc? i can't see other one that has my phrase that i put when created the certificate using the makecert.bat

btw makecert.bat i used the one comes with xampp 182 php 5431 but wasn't working first, then i opened it in notepat and edited the paths to /conf so it worked as supposed to


one last Q please, is there anyway for me to make this localhost internal office server appear green in the title bar, or https without X sign on it, or IE recognize it as safe/verified WITHOUT sending the certificate to one of those digisign versign godaddy..etc and pay for it, or this is essential..i followed the error found in https not-verified statement and says you have to put the certificate in the root authority store, so i did that on the server side and tried to put it everywhere in those certificate store using the mmc tutorial by Microsoft for windows 2008 R2 but nothing worked, and https still appear like not verified, so don't know if i have absolutely to send this out and pay money for it or i can do this myself somehow!? moreover, maybe because the office server is not exposed to the intenret it is e.g. office1.localhost should it be exposed to the internet in order to make this https appear green, either or?

[gsmith]

thank you, perfect answer, that covered most of my concerns, so if i remove the old CSR as it is -as you said- not used at all, then where is the new one that i have to send to digisign...etc? i can't see other one that has my phrase that i put when created the certificate using the makecert.bat

As I said, makecert.bat deletes it after it has created the server certificate. If you want to keep it, just comment out the line in makecert.bat so it looks like:

rem del server.csr

one last Q please, is there anyway for me to make this localhost internal office server appear green in the title bar, or https without X sign on it, or IE recognize it as safe/verified WITHOUT sending the certificate to one of those digisign versign godaddy..etc and pay for it, or this is essential.

No, you have to create your own CA, the CA key is used for signing your cert. Then you have to import the CA certificate into your browser, if I remember correctly. I have not created my own CA for this purpose in 15 years at least and any notes I may have had on the subject were subsequently destroyed by flood. I'm sure it can be Googled up. [1]

... so don't know if i have absolutely to send this out and pay money for it or i can do this myself somehow!? moreover, maybe because the office server is not exposed to the intenret it is e.g. office1.localhost should it be exposed to the internet in order to make this https appear green, either or?

If you want every browser in the world to accept your certificate, yes, but on any browser you import your CA it should then accept any certificate signed with that certificate. I loathe IE so I try to not understand it's stupidities with the exception of does my site look proper on it. It may have an internal list of TLDs it knows to be supposedly on the internet but even if it did, using the hosts file in windows you could fool it into thinking http://www.doesntexist.com on your local server was a valid online .com website.

[1] EDIT: I found the info, or where I got the info long long ago. Good thing my long term memory is better than the short term memory. It's not easy to follow along, uses different file names all the time and I remember it being extremely confusing. I'll post the steps from start to finish after I compile it all and do a test or two.

[gsmith]

# You can just do this on the command line and skip makecert.
# I use real long (like 256 bit) paswords so I make a password file that
# I can tell OpenSSL to use it so I do not have to type the effin password
# all the time during the process.

# Make a text file and name it passwd.txt, inside it add a single line as so;

pass:some-super-long-winded-complex-password-you-really-do-not-want-to-type-3-times

# These instruction assume you are at a command prompt widows at c:\xampp\apache
# The $ just indicates you want to type in this command and hit enter, do not include the $

# Tell OpenSSL where the openssl.conf file is so type in;

$ set OPENSSL_CONF=./conf/openssl.cnf


## First creat a CA Signing Certificate and key entering info as asked by OpenSSL

$ bin\openssl genrsa -out myCA.key 4096
$ bin\openssl req -new -key myCA.key -out myCA.csr
$ bin\openssl x509 -req -days 3650 -in myCA.csr -signkey myCA.key -out myCA.crt

## The Server Certificate

# Create the server key:
$ bin\openssl genrsa -passout file:passwd.txt -des3 -out server.key 4096

# Create the certificate signing request (csr) from the key:
$ bin\openssl req -passin file:passwd.txt -new -key server.key -out server.csr

# Create a key with the password stripped for Apache:
$ bin\openssl rsa -passin file:passwd.txt -in server.key -out server.pwless.key

# Creat our server certificate, signed with our server key and our CA
$ bin\openssl x509 -req -passin file:passwd.txt -in server.csr -out server.crt -signkey server.key -CA myCA.crt -CAkey myCA.key -CAcreateserial -days 3650

# Make a single directory inside Apache's conf/ directory named "ssl"

$ mkdir .\conf\ssl
$ copy myCA.crt .\conf\ssl\
$ copy server.pwless.key .\conf\ssl\
$ copy server.crt .\conf\ssl\

# You can delete both the .csr files, you will not use them again.
# For new server certificates you will create new ones.

## Apache config:

SSLCertificateFile conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.pwless.key
SSLCACertificateFile conf/ssl/myCA.crt


# Import myCA.crt into browsers you do not want to get nagged while going to your server.
# Each browser has it's own way of doing it so I am not going to get into how for any browser.
# Note that any other certificates signed with your CA will also not receive a nag on these
# same browsers.

# Save a copy of at least myCA.crt & myCA.key for any future use, treat these with care
# and do not leave them lying around. You can save the passwd.txt with a copy of your server
# certificate and both keys(server.key & server.pwless.key). Store in a safe place, delete them if not.

# On my Windows Visturd, the .rnd file lands in c:\.rnd, find the .rnd file wherever it is and delete it.
# On my Windows Visturd, I have to create certificates in a command prompt that is run as administrator.

# Disclaimer: Your mileage may vary and you assume any and all responsibility using these instructions.

[itsme33]

hi gsmith and thanks a lot for your efforts, very beneficial information...

obviously, my need was to sign the certificate so anybody browses the website will appear that https connection is trusted (in green), then this needs to be sent to outside company like digisign, verisign, godaddy...etc. and pay to them, there is no other option and thats it... the way you told me about it is to make the certificate appear ok in the pc's that i can control and add it manually to trusted root to make it appear ok.. but i wanted it to appear green in all people's browsing the site.. so that is not possible obviously...

steps above could be done by makecert.bat which comes with xampp/apache (after adjusting the bat file because it has wrong internal path by default), but the csr is not deleted by default, that is not a problem... as i said before, i wanted to make it appear green in all people browsers so there is no way for doing that other than paying for trusted company to sign it and then add it to apache, so the browser of the people to check its signature and show people that is trusted by so and so...

in short, if there is no way to make it appear green/trusted by default WITHOUT sending to outsider company and pay for it, please tell me yes, in order to understand that this theory is correct, otherwise, say no, you can make it appear green without sending and without paying, even if it is local server without internet connection.. then i will try my best to follow up what you've wrote and google it further... because i failed when tried it a while ago, then found that apache makecert is doing it.. then couldn't convince myself that i can make IE or FF or chrome believe that is trusted (by logic).. simply because all green trusted https we see on the internet are stating that there is a company outside there (mostly verisign) is signing their certificate to be trusted.. i am not familiar with terms like CA and other stuff so i was a lot confused, and still so if the theory is not correct

thanks again amego and sorry for my english is bad

[gsmith]

Yes, there is no way to make it appear green on browsers not under your control without sending it away to a Certificate Authority and getting your server certificate from them.

[itsme33]

appreciated your time and understanding
cheers