Paul,
 
This is what I used.
 
To test with a self signed x.509 cert:
openssl req -x509 -newkey rsa:2048 -keyout allugi.pem -out allugi.pem -days 365 -nodes
 
When done testing, then for the real deal:
Make a CSR
openssl req -newkey rsa:2048 -out allugicsr.pem -keyout privkey.pem
then, remove the passphrase from your private key file
openssl rsa -in privkey.pem -out privatekey.pem
 
then combine them all into one final cert file:
 
cat privatekey.pem wildcardcert.crt intermediatecert.pem rootcacert.pem > finalcert.pem
 
 
I got https working in 15 minutes using the method above, which I got from here:
 
http://www.apsis.ch/pound/pound_list/archive/2008/2008-05/1212145288000
 
 
Cheers,
John
 
 
John Folkers, CCNP, NCTS
Sr. Network Architect
UGI Utilities, Inc.
225 Morgantown Road
Reading, PA 19612-3009
610.736.5413


>>> On 1/19/2010 at 10:44 am, in message <MailBoxer.1392.1263915871.53.pound@apsis.ch>, "Paul Farrar" <paul.farrar@stepstone.com> wrote:
Hi Dave

Thanks for replying.

I have actually made some good progress since I posted my mail.

You are correct; I do not have the luxury of doing it the sensible way. The whole point of this is that the first time we moved just 2 servers, and despite giving our clients loads of warnings and information about the change and the move, when push came to shove they failed. The next day the help desk was flooded with calls like "the web server is down" etc. This time we are moving 6 servers 1

Some clients made the changes OK and worked happily, most did not. In an effort to give them more time for the respective IT department (quite a few are 3rd party support so no internal IT know-how) we have gone down this route.

I now have my linux box listening on several internal IP addresses and passing the HTTP requests to a windows IIS server in the new data centre on a number of external IP addresses each with a holding page to mimic the respective web sites.

I am in truth a bit chuffed that I sorted that bit.

I am now trying to get the certificate bit sorted so I can do HTTPS. Any tips on this would be great. I have worked out I will have to convert the windows cert to a linux one (using pkcs12 ?) and I am just playing with that.

Many thanks again


Paul Farrar
Operations Engineer
Tel:       +44 (0) 1582816483
Mobile:  +44 (0) 7841167934
Email:   paul.farrar@stepstone.com
http://www.stepstone.com
StepStone Solutions (UK) Limited
475 The Boulevard
Capability Green
Luton
LU1 3LU
England
Registered in England and Wales
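
Added example, not from any post in this thread: a POSIX shell script that performs the key, certificate and concatenation steps from John's reply above, does the PKCS#12 (.pfx) to PEM conversion that Paul asks about, and sanity-checks the combined file before an unattended daemon such as Pound is pointed at it. It needs only the openssl command-line tool; every file name, the test subject name and the export password are assumptions chosen for this script.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build the combined PEM
# file a Pound-style proxy loads, convert a Windows .pfx export to the same
# layout, and check the result. Requires the openssl CLI; all file names,
# subject names and passwords below are assumptions made for this script.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Self-signed test key and certificate in separate files.
# -nodes leaves the key unencrypted; -subj avoids the interactive prompts.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=test.example.invalid" \
        -keyout "$WORKDIR/privkey.pem" -out "$WORKDIR/cert.pem" >/dev/null 2>&1
}

# Concatenate key, server certificate and chain (leaf first, root last) into $1.
build_bundle() {
    out="$1"; shift
    cat "$@" > "$out"
    echo "$out"
}

# Convert a PKCS#12 export ($1, password $2) into the same layout, written to $3.
# Key and certificates are pulled out separately so the order in the bundle is
# fixed by us rather than by whatever bag order the .pfx happens to use.
convert_pfx() {
    pfx="$1"; pw="$2"; out="$3"
    : > "$WORKDIR/pfx.chain"   # may stay empty when the export carries no CA certs
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nocerts -nodes \
        -out "$WORKDIR/pfx.key" 2>/dev/null || return 1
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nokeys -clcerts \
        -out "$WORKDIR/pfx.crt" 2>/dev/null || return 1
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nokeys -cacerts \
        -out "$WORKDIR/pfx.chain" 2>/dev/null || :
    build_bundle "$out" "$WORKDIR/pfx.key" "$WORKDIR/pfx.crt" "$WORKDIR/pfx.chain"
}

# Print certificate number $2 (1-based) of PEM file $1.
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { c++ }
                   c == n { print }
                   /-----END CERTIFICATE-----/ && c == n { exit }' "$1"
}

# Return 0 when the bundle is usable unattended, 1 with a reason on stderr otherwise.
check_bundle() {
    bundle="$1"
    # A passphrase-protected key blocks a daemon that cannot prompt at start-up.
    if grep -q "ENCRYPTED" "$bundle"; then
        echo "$bundle: private key is passphrase-protected" >&2; return 1
    fi
    # The first certificate is the one the listener presents, so its public
    # key must be the one the private key belongs to.
    keymod=$(openssl rsa -in "$bundle" -noout -modulus 2>/dev/null || :)
    certmod=$(openssl x509 -in "$bundle" -noout -modulus 2>/dev/null || :)
    if [ -z "$keymod" ] || [ "$keymod" != "$certmod" ]; then
        echo "$bundle: private key does not match the first certificate" >&2; return 1
    fi
    # The leaf must chain to the last certificate in the file (a self-signed
    # test certificate is its own anchor); anything in between is untrusted.
    ncerts=$(grep -c -- "-----BEGIN CERTIFICATE-----" "$bundle")
    nth_cert "$bundle" 1 > "$WORKDIR/leaf.pem"
    nth_cert "$bundle" "$ncerts" > "$WORKDIR/anchor.pem"
    awk '/-----BEGIN CERTIFICATE-----/ { c++ } c >= 2 { print }' "$bundle" \
        > "$WORKDIR/untrusted.pem"
    if [ "$ncerts" -gt 2 ]; then
        openssl verify -CAfile "$WORKDIR/anchor.pem" -untrusted "$WORKDIR/untrusted.pem" \
            "$WORKDIR/leaf.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORKDIR/anchor.pem" "$WORKDIR/leaf.pem" >/dev/null 2>&1
    fi || { echo "$bundle: certificate does not chain to the last cert in the file" >&2; return 1; }
    return 0
}

# Stand-alone run: sh thisscript.sh demo
demo() {
    make_test_material
    b=$(build_bundle "$WORKDIR/finalcert.pem" "$WORKDIR/privkey.pem" "$WORKDIR/cert.pem")
    check_bundle "$b" && echo "$b: ok"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

The checks mirror the failure modes that show up only when the proxy is restarted: a key that still carries the passphrase, a key pasted next to the wrong certificate, and a bundle missing the intermediate so that browsers cannot build the chain. For a real certificate the `build_bundle` call takes the private key, the issued certificate, then the intermediate and root in that order, exactly as in the `cat` line above.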


-----Original Message-----
From: Dave Steinberg [mailto:dave@redterror.net]
Sent: Tuesday 19 January 2010 15:23
To: pound@apsis.ch
Subject: Re: [Pound Mailing List] Help Please

> 1. Can pound fill this need?

Yup!

> 2. Is it a huge task to attempt for a relative noobe?

Nope.  This is a pretty straightforward setup.  Normally I don't advise
people doing things above their pay grade especially if the consequences
are that your customers sites are busted and they are going to get
pissed, but it sounds like you don't really have that freedom.

> 3. Can anybody suggest an approach to take?

Sounds like you've got an outline of how to do it already.  Personally I
would put your pound server in the new datacenter, test it, and then
update your client's DNS to point to the pound server ahead of the
larger move.

But that's just me.  You could set it up in the old datacenter and
handle the IP-level migration later on when you're better established in
the new datacenter.  No real difference at the end of the day.

Good luck!

Regards,
--
Dave Steinberg
http://www.geekisp.com/
http://www.steinbergcomputing.com/

--
To unsubscribe send an email with subject unsubscribe to pound@apsis.ch.
Please contact roseg@apsis.ch for questions.
