Ruby Forum NGINX > Re: Multiple ssl certs for the same IP?

Posted by Rt Ibmer (Guest)
on 05.05.2008 03:35
(Received via mailing list)
On a related note, I'm going to create a self-signed key so I can test 
https support with nginx and my deployment.  I read somewhere that care 
should be taken when deciding to assign a passphrase, because some 
applications may require you to enter the passphrase upon 
initialization.  Would that be the case with nginx?

Also I'm a bit confused about the key gen process (having never done 
this before under Linux). I've found the various openssl commands to 
generate the key, but it's unclear as to which openssl command generates 
the file that should be used for ssl_certificate, and which command 
should be used to generate the file for ssl_certificate_key.

For instance I found this for generating a self-signed key for testing:

   openssl req -new -x509 -nodes -out server.crt -keyout server.key

That looks easy enough.  The server.crt goes to the ssl_certificate and 
server.key goes to ssl_certificate_key.

But it gets a bit confusing when I look 's instructions for creating 
keys to be signed by a real certificate authority. This is what I've 
pieced together:

  openssl genrsa -out /whatever/domain-name.com.key 1024
  openssl req -new -key /whatever/domain-name.com.key -out /whatever/domain-name.com.key.csr

So in that case I would use domain-name.com.key.csr for the 
ssl_certificate, and I'd use the file I get back from the certificate 
authority as the value for ssl_certificate_key?  Do I have this right? 
Thanks!



Posted by Igor Sysoev (Guest)
on 05.05.2008 07:28
(Received via mailing list)
On Sun, May 04, 2008 at 06:26:14PM -0700, Rt Ibmer wrote:

> On a related note, I'm going to create a self-signed key so I can test https support with nginx and my deployment.  I read somewhere that care should be taken when deciding to assign a passphrase, because some applications may require you to enter the passphrase upon initialization.  Would that be the case with nginx?

With nginx you have two choices:
1) do not use a passphrase at all,
2) enter it manually upon initialization.
nginx does not support an automated procedure to enter the passphrase upon
initialization, because from a security point of view it's almost the same as
no passphrase at all.

>   openssl genrsa -out /whatever/domain-name.com.key 1024
>   openssl req -new -key /whatever/domain-name.com.key -out /whatever/domain-name.com.key.csr
> 
> So in that case I would use domain-name.com.key.csr for the ssl_certificate, and I'd use the file I get back from the certificate authority as the value for ssl_certificate_key?  Do I have this right? Thanks!

No, you should use your domain-name.com.key in ssl_certificate_key.
Also you should send domain-name.com.key.csr to the authority and use the
returned signed certificate in ssl_certificate.
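
Added example, not part of the thread and not nginx's own code: a small checker that reads the PEM labels of the two files and reports the mix-ups discussed above (a CSR or certificate in the wrong directive, a passphrase-protected key). The function names and the sample PEM blocks are constructed for illustration; the block bodies are placeholders, not real key material.

```python
import re

# Matches one PEM block and captures its label and body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def classify(pem_text):
    """Return the kind of every PEM block found in a file's text."""
    kinds = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if label == "CERTIFICATE":
            kinds.append("certificate")
        elif label in ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"):
            kinds.append("csr")
        elif label == "ENCRYPTED PRIVATE KEY" or (
                label.endswith("PRIVATE KEY") and "Proc-Type: 4,ENCRYPTED" in body):
            kinds.append("encrypted-key")  # PKCS#8 or traditional encrypted PEM
        elif label.endswith("PRIVATE KEY"):
            kinds.append("key")
        else:
            kinds.append("other")
    return kinds

def check_pair(certificate_text, key_text):
    """List problems with the files given to ssl_certificate / ssl_certificate_key."""
    problems = []
    cert_kinds, key_kinds = classify(certificate_text), classify(key_text)
    if "certificate" not in cert_kinds:
        problems.append("ssl_certificate: no certificate in file")
    if "csr" in cert_kinds:
        problems.append("ssl_certificate: CSR found; it goes to the CA, not to nginx")
    if not any(k.endswith("key") for k in key_kinds):
        problems.append("ssl_certificate_key: no private key in file")
    if "encrypted-key" in key_kinds:
        problems.append("ssl_certificate_key: passphrase-protected key; "
                        "per the reply above it must be typed at startup")
    return problems

def pem(label, body="Q09OU1RSVUNURUQ="):
    """Build a constructed PEM block with a placeholder body."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed stand-ins for the files named in the thread.
SERVER_KEY = pem("RSA PRIVATE KEY")
SERVER_CSR = pem("CERTIFICATE REQUEST")
SIGNED_CRT = pem("CERTIFICATE")
LOCKED_KEY = pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\n\nQ09OU1RSVUNURUQ=")

if __name__ == "__main__":
    print(check_pair(SERVER_CSR, SIGNED_CRT))  # the arrangement asked about
    print(check_pair(SIGNED_CRT, SERVER_KEY))  # the arrangement from the reply
    print(check_pair(SIGNED_CRT, LOCKED_KEY))  # key generated with a passphrase
```

This only inspects PEM labels; it does not verify that the certificate was issued for that particular key.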