From c700b06fb1d2df2048aff95b73093a9ce280ea8e Mon Sep 17 00:00:00 2001 From: Cliff Woolley Date: Thu, 16 May 2002 19:05:24 +0000 Subject: [PATCH] The group consensus was that we're no longer supporting "make certificate," as test certificates just allow people who don't know what they're doing to dig a bigger hole for themselves and don't really help anybody who DOES know what they're doing much. So all of the documentation references to "make certificate" are now removed. PR: 8724 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95139 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 5 +++++ docs/conf/ssl-std.conf | 9 ++++----- docs/manual/ssl/ssl_faq.html | 39 ++++-------------------------------- 3 files changed, 13 insertions(+), 40 deletions(-) diff --git a/CHANGES b/CHANGES index d8194be79e..54edae8cb4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,10 @@ Changes with Apache 2.0.37 + *) Removed documentation references to the no-longer-supported + "make certificate" feature of mod_ssl for Apache 1.3.x. Test + certificates, if truly desired, can be generated using openssl + commands. PR 8724. [Cliff Woolley] + *) Remove SSLLog and SSLLogLevel directives in favor of having mod_ssl use the standard ErrorLog directives. [Justin Erenkrantz] diff --git a/docs/conf/ssl-std.conf b/docs/conf/ssl-std.conf index 434a471839..90492100c1 100644 --- a/docs/conf/ssl-std.conf +++ b/docs/conf/ssl-std.conf 
@@ -107,11 +107,10 @@ SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If # the certificate is encrypted, then you will be prompted for a -# pass phrase. Note that a kill -HUP will prompt again. A test -# certificate can be generated with `make certificate' under -# built time. Keep in mind that if you've both a RSA and a DSA -# certificate you can configure both in parallel (to also allow -# the use of DSA ciphers, etc.) +# pass phrase. Note that a kill -HUP will prompt again. Keep +# in mind that if you have both an RSA and a DSA certificate you +# can configure both in parallel (to also allow the use of DSA +# ciphers, etc.) SSLCertificateFile @@ServerRoot@@/conf/ssl.crt/server.crt #SSLCertificateFile @@ServerRoot@@/conf/ssl.crt/server-dsa.crt diff --git a/docs/manual/ssl/ssl_faq.html b/docs/manual/ssl/ssl_faq.html index 36d03de9dc..37430c8ef2 100644 --- a/docs/manual/ssl/ssl_faq.html +++ b/docs/manual/ssl/ssl_faq.html @@ -87,7 +87,6 @@ author.


@@ -633,30 +626,6 @@ Seems like there is a difference on startup between the original Apache and an S below under ``How can I get rid of the pass-phrase dialog at Apache startup time?''.

-

  • - - -How can I create a dummy SSL server Certificate for testing purposes? -   - [L] -

    - A Certificate does not have to be signed by a public CA. You can use your - private key to sign the Certificate which contains your public key. You - can install this Certificate into your server, and people using Netscape - Navigator (not MSIE) will be able to connect after clicking OK to a - warning dialogue. You can get MSIE to work, and your customers can - eliminate the dialogue, by installing that Certificate manually into their - browsers. -

    - Just use the ``make certificate'' command at the top-level - directory of the Apache source tree right before installing Apache via - ``make install''. This creates a self-signed SSL Certificate - which expires after 30 days and isn't encrypted (which means you don't - need to enter a pass-phrase at Apache startup time). -

    - BUT REMEMBER: YOU REALLY HAVE TO CREATE A REAL CERTIFICATE FOR THE LONG - RUN! HOW THIS IS DONE IS DESCRIBED IN THE NEXT ANSWER. -

  • @@ -1097,8 +1066,8 @@ I try to connect to my freshly installed server? Either you have messed up your SSLCipherSuite directive (compare it with the pre-configured example in httpd.conf-dist) or you have choosen the DSA/DH - algorithms instead of RSA under "make certificate" - and ignored or overseen the warnings. Because if you have choosen + algorithms instead of RSA when you generated your private key + and ignored or overlooked the warnings. If you have choosen DSA/DH, then your server no longer speaks RSA-based SSL ciphers (at least not until you also configure an additional RSA-based certificate/key pair). But current browsers like NS or IE only speak -- 2.40.0
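Review bot: In the docs/conf/ssl-std.conf hunk, the rewritten "Server Certificate" comment no longer says anything about how the file named by SSLCertificateFile is produced, while the directive below it still points at @@ServerRoot@@/conf/ssl.crt/server.crt. The removed sentence was the only hint in this comment block. Suggest adding one line that sends the reader to the FAQ answer on creating a real certificate, so the default path is not left unexplained.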
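Review bot: In the docs/manual/ssl/ssl_faq.html hunk at -633, the deletion takes out the whole dummy-certificate answer, including its first paragraph, which explains that a certificate does not have to be signed by a public CA and does not depend on "make certificate" at all. The CHANGES entry in this same patch tells users that test certificates "can be generated using openssl commands", but nothing touched here shows which ones. Consider keeping a short answer that states the self-signed point and refers to the next answer on creating a real certificate, and dropping only the "make certificate" paragraph.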
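Review bot: In the docs/manual/ssl/ssl_faq.html hunk at -1097, the added line keeps "and ignored or overlooked the warnings", but those warnings were the ones shown under "make certificate"; after the rewording to "when you generated your private key" the sentence no longer says what would have warned the reader. Suggest dropping that clause or naming the source of the warnings. The added line also still reads "choosen" (as does the context line above it); since the line is being rewritten anyway, correct it to "chosen".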