Skip to content

Fix broken commands, complete the client-cert steps, modernize openssl usage#1

Open
shehio wants to merge 3 commits into
masterfrom
claude/improvements
Open

Fix broken commands, complete the client-cert steps, modernize openssl usage#1
shehio wants to merge 3 commits into
masterfrom
claude/improvements

Conversation

@shehio

@shehio shehio commented Jul 6, 2026

Copy link
Copy Markdown
Owner

This tutorial's commands had several issues that would trip up anyone following along verbatim. All changes preserve the tutorial's approach and structure; the full openssl sequence was re-run end-to-end against OpenSSL 3.6 to confirm it works.

Copy-paste correctness

  • Replaced 140 invisible Unicode spaces (U+00A0 and U+202F) with regular spaces — several sat inside code blocks (e.g. the keytool -import line), silently breaking commands when pasted.
  • Fixed en dashes used as option flags (ssh –issh -i, –pubout-pubout).
  • Fixed the /etc/apahce2 typo in the ln -s command, which would create a broken symlink and quietly fail to enable the SSL site.
  • Added missing spaces between Apache directives and their values (SSLCertificateFile/home/... is a config syntax error) and in a run-together ls output.

Technical accuracy of the openssl steps

  • Added the missing client certificate signing step: the tutorial created client.req, then referenced client.crt without ever showing how to produce it. Used a distinct serial (0x3E9) since two certs issued by one CA must not share a serial.
  • Sign with -sha256 explicitly: openssl of the tutorial's era defaulted to SHA-1, which browsers reject — the README itself hit this with Chrome. Explicit -sha256 keeps the tutorial working on old and new openssl alike.
  • Dropped -extensions server from the signing command: without -extfile it does nothing (current openssl warns ignoring -extensions option without -extfile).
  • client.p12 now actually contains the CA (-certfile CA.crt), matching the text's own description of the file.
  • Added a note that modern browsers require a subjectAltName (CN alone is ignored), with the -addext one-liner for openssl ≥ 1.1.1.
  • Corrected the PEM/DER note: base64 is an encoding, not encryption.

Links and hygiene

  • Fixed the 404 openssl req man-page link and the Ubuntu serverguide link that now redirects to a generic landing page; replaced the MSDN redirect with the clean learn.microsoft.com URL; upgraded remaining http:// references to https://.
  • Promoted the dangling Index: line to a proper heading; fixed two small grammar slips.

No keys or certificates are committed to this repo (README-only tutorial), so nothing to flag there.

🤖 Generated with Claude Code

https://claude.ai/code/session_014qGzgE6vMaqymzipNFYTDT

shehio and others added 3 commits July 5, 2026 16:08
- Replace all 123 non-breaking spaces (U+00A0) with regular spaces;
  several sat inside code blocks and broke commands when pasted
- Fix en dashes used as option flags (ssh -i, -pubout)
- Fix /etc/apahce2 typo in the symlink command (would create a
  broken link and silently fail to enable the SSL site)
- Add missing spaces between Apache directives and their paths
  (SSLCertificateFile/... is a syntax error in apache2.conf)
- Fix run-together filenames in a sample ls output

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Add the missing client certificate signing step: the tutorial
  created client.req and then referenced client.crt without ever
  showing how to sign it. Use a distinct serial (0x3E9) since two
  certificates from the same CA must not share one.
- Sign explicitly with -sha256: openssl versions of the tutorial's
  era defaulted to SHA-1, which browsers reject (the README itself
  ran into this with Chrome).
- Drop -extensions server from the server signing command: without
  -extfile it is ignored (current openssl warns "ignoring
  -extensions option without -extfile").
- Include the CA in the client.p12 via -certfile, matching the
  text's description of the file's contents.
- Add a note that modern browsers require subjectAltName (CN is
  ignored), with the -addext one-liner for openssl >= 1.1.1.
- Correct the PEM/DER note: base64 is an encoding, not encryption.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- openssl req man page moved: old apps/req.html URL now 404s,
  point to docs.openssl.org/master/man1/openssl-req/
- Ubuntu serverguide certificates page now redirects to a generic
  landing page; point to its successor on documentation.ubuntu.com
- MSDN link redirects with tracking params; use the clean
  learn.microsoft.com URL
- Upgrade remaining http:// references to https://
- Promote "Index:" to a proper markdown heading
- Replace 17 narrow no-break spaces (U+202F) in the Index section
  with regular spaces; fix two small grammar slips

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant