The group consensus was that we're no longer supporting "make certificate,"

Cliff Woolley · Cliff Woolley · commit c700b06fb1d2 · 2002-05-16T19:05:24.000Z
as test certificates just allow people who don't know what they're doing to dig a bigger hole for themselves and don't really help anybody who DOES know what they're doing much. So all of the documentation references to "make certificate" are now removed. PR: 8724 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95139 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/CHANGES b/CHANGES
@@ -1,5 +1,10 @@
 Changes with Apache 2.0.37
 
+  *) Removed documentation references to the no-longer-supported
+     "make certificate" feature of mod_ssl for Apache 1.3.x.  Test
+     certificates, if truly desired, can be generated using openssl
+     commands.  PR 8724.  [Cliff Woolley]
+
   *) Remove SSLLog and SSLLogLevel directives in favor of having
      mod_ssl use the standard ErrorLog directives.  [Justin Erenkrantz]
 
diff --git a/docs/conf/ssl-std.conf b/docs/conf/ssl-std.conf
@@ -107,11 +107,10 @@ SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 #   Server Certificate:
 #   Point SSLCertificateFile at a PEM encoded certificate.  If
 #   the certificate is encrypted, then you will be prompted for a
-#   pass phrase.  Note that a kill -HUP will prompt again. A test
-#   certificate can be generated with `make certificate' under
-#   built time. Keep in mind that if you've both a RSA and a DSA
-#   certificate you can configure both in parallel (to also allow
-#   the use of DSA ciphers, etc.)
+#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
+#   in mind that if you have both an RSA and a DSA certificate you
+#   can configure both in parallel (to also allow the use of DSA
+#   ciphers, etc.)
 SSLCertificateFile @@ServerRoot@@/conf/ssl.crt/server.crt
 #SSLCertificateFile @@ServerRoot@@/conf/ssl.crt/server-dsa.crt
 
diff --git a/docs/manual/ssl/ssl_faq.html b/docs/manual/ssl/ssl_faq.html
@@ -87,7 +87,6 @@ <h1 align="CENTER">SSL/TLS Strong Encryption: FAQ</h1>
 <ul>
 <li><a href="#ToC25">What are Keys, CSRs and Certs?</a></li>
 <li><a href="#ToC26">Difference on startup?</a></li>
-<li><a href="#ToC27">How to create a dummy cert?</a></li>
 <li><a href="#ToC28">How to create a real cert?</a></li>
 <li><a href="#ToC29">How to create my own CA?</a></li>
 <li><a href="#ToC30">How to change a pass phrase?</a></li>
@@ -443,7 +442,6 @@ <h2><a name="ToC8">About Installation</a></h2>
     <strong id="faq">
 When I fire up the server, mod_ssl stops with the error
 "Failed to generate temporary 512 bit RSA private key", why?
-And a "PRNG not seeded" error occurs if I try "make certificate".
 </strong>&nbsp;&nbsp;
     [<a href="#entropy"><b>L</b></a>]
     <p>
@@ -456,13 +454,8 @@ <h2><a name="ToC8">About Installation</a></h2>
     encryption. As of version 0.9.5, the OpenSSL functions that need
     randomness report an error if the PRNG has not been seeded with
     at least 128 bits of randomness. So mod_ssl has to provide enough
-    entropy to the PRNG to work correctly. For this one has to use the
-    <code>SSLRandomSeed</code> directives (to solve the run-time problem)
-    and create a <code>$HOME/.rnd</code> file to make sure enough
-    entropy is available also for the "<code>make certificate</code>"
-    step (in case the "<code>make certificate</code>" procedure is not
-    able to gather enough entropy theirself by searching for system
-    files).
+    entropy to the PRNG to work correctly.  For this one has to use the
+    <code>SSLRandomSeed</code> directives.
 </ul>
 <p>
 <br>
@@ -633,30 +626,6 @@ <h2><a name="ToC24">About Certificates</a></h2>
     below under ``How can I get rid of the pass-phrase dialog at Apache
     startup time?''.
 <p>
-<li><a name="ToC27"></a>
-    <a name="cert-dummy"></a>
-    <strong id="faq">
-How can I create a dummy SSL server Certificate for testing purposes?
-</strong>&nbsp;&nbsp;
-    [<a href="#cert-dummy"><b>L</b></a>]
-    <p>
-    A Certificate does not have to be signed by a public CA. You can use your
-    private key to sign the Certificate which contains your public key. You
-    can install this Certificate into your server, and people using Netscape
-    Navigator (not MSIE) will be able to connect after clicking OK to a
-    warning dialogue. You can get MSIE to work, and your customers can
-    eliminate the dialogue, by installing that Certificate manually into their
-    browsers.
-    <p>
-    Just use the ``<code>make certificate</code>'' command at the top-level
-    directory of the Apache source tree right before installing Apache via
-    ``<code>make install</code>''. This creates a self-signed SSL Certificate
-    which expires after 30 days and isn't encrypted (which means you don't
-    need to enter a pass-phrase at Apache startup time).
-    <p>
-    BUT REMEMBER: YOU REALLY HAVE TO CREATE A REAL CERTIFICATE FOR THE LONG
-    RUN! HOW THIS IS DONE IS DESCRIBED IN THE NEXT ANSWER.
-<p>
 <li><a name="ToC28"></a>
     <a name="cert-real"></a>
     <strong id="faq">
@@ -1097,8 +1066,8 @@ <h2><a name="ToC40">About SSL Protocol</a></h2>
     Either you have messed up your <code>SSLCipherSuite</code>
     directive (compare it with the pre-configured example in
     <code>httpd.conf-dist</code>) or you have choosen the DSA/DH
-    algorithms instead of RSA under "<code>make certificate</code>"
-    and ignored or overseen the warnings. Because if you have choosen
+    algorithms instead of RSA when you generated your private key
+    and ignored or overlooked the warnings.  If you have choosen
     DSA/DH, then your server no longer speaks RSA-based SSL ciphers
     (at least not until you also configure an additional RSA-based
     certificate/key pair). But current browsers like NS or IE only speak
