Generating Your Own Security Certificates For Use With Apache/HTTPS - Install OpenSSL
(Page 3 of 7)
Compile and install the OpenSSL toolkit.
# cd openssl-0.9.7d
# ./config --prefix=/usr/local/ssl
# make && make install
The OpenSSL toolkit implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols together with a general-purpose cryptographic library. The --prefix option given to the config script sets the installation directory to /usr/local/ssl; other configuration options may be passed if desired.
Configure OpenSSL.
# vi /usr/local/ssl/ssl/openssl.cnf
dir             = /usr/local/ssl/CA
certs           = $dir/certs
crl_dir         = $dir/crl
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate     = $dir/private/CA.crt
serial          = $dir/serial
crl             = $dir/CA.crl
private_key     = $dir/private/CA.key
RANDFILE        = $dir/private/.rand
default_days    = 183
preserve        = yes
policy          = policy_anything
OpenSSL reads its settings from openssl.cnf. The file shipped with the toolkit is a good starting point; setting the options shown above (they belong to the CA_default section) tells the CA where its directory, database, serial counter, certificate and private key live and how long issued certificates are valid.
Prepare the Certificate Authority (CA) directory.
# mkdir -p /usr/local/ssl/CA/{private,newcerts}
# cd /usr/local/ssl/CA
# chmod 700 private
# touch index.txt
# echo "64" > serial
A Certificate Authority will be needed to generate and digitally sign valid SSL certificates, and its activities will take place within the directory named by the dir setting in the configuration file.
The index.txt file keeps track of the certificates issued by the CA. The value stored in the serial file is a hexadecimal number that will be issued as the next certificate's serial number (the hex value 64 is equal to decimal value 100).
Generate a signing key for use by the CA.
# ../bin/openssl genrsa -des3 -out private/CA.key 1024
Generating RSA private key, 1024 bit long modulus
.........++++++
.....++++++
e is 65537 (0x10001)
Enter pass phrase for private/CA.key: *****
Verifying - Enter pass phrase for private/CA.key: *****
A 1024-bit RSA key, encrypted with Triple-DES (the -des3 option) under the pass phrase entered, is generated. It is important to keep the private key and its pass phrase safe, as this key will be used to sign all future certificates. If the key is compromised, the integrity of the CA is compromised.
Generate a self-signed root certificate granting the CA its authority.
# ../bin/openssl req -new -x509 -days 999 \
>     -key private/CA.key -out private/CA.crt
Enter pass phrase for private/CA.key: *****
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value.
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: US
State/Province Name (full name) [Some-State]: New York
Locality Name (eg, city) []: Syracuse
Organization Name (eg, company) []: .
Organizational Unit Name (eg, section) []: .
Common Name (eg, YOUR name) []: Timothy Boronczyk
Email Address []: mail@example.com
The req command with -x509 builds a certificate request and immediately self-signs it with the CA key generated in the previous step, producing the X.509 root certificate. This certificate is what grants the CA the ability to sign future certificate requests.
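The whole bootstrap from "Prepare the Certificate Authority (CA) directory" to the self-signed root, collected into one script that runs without prompts so it can be repeated and checked. This is an added example, not code from the original article. It assumes an openssl binary (1.1.x or 3.x) on PATH and a scratch directory from mktemp; the directory layout and CA_default settings follow the article, while the DN values, the "Example Root CA" name, the placeholder pass phrase and the function names are the example's own. Two deliberate departures from the article are stated in the comments: a 2048-bit key instead of 1024, and SHA-256 as the signing digest.

```shell
#!/bin/sh
# Added example, not from the original article: a non-interactive version of
# the CA bootstrap on this page. Assumes an openssl binary (1.1.x or 3.x) on
# PATH. Layout and CA_default settings follow the article; the key is 2048 bits
# (1024 is no longer an acceptable CA key size) and SHA-256 is the signing digest.
set -eu

# Article's layout: 0700 private/, empty index.txt, hex serial starting at 0x64.
ca_setup_dir() {
    mkdir -p "$1/private" "$1/newcerts" "$1/certs" "$1/crl"
    chmod 700 "$1/private"
    : > "$1/index.txt"
    echo 64 > "$1/serial"
}

# The serial file is hex; print, in decimal, the serial the next cert receives.
ca_next_serial() {
    echo $(( 0x$(cat "$1/serial") ))
}

# Minimal openssl.cnf: the article's CA_default keys, a fixed DN so req does not
# prompt, and the extensions a root CA certificate must carry.
ca_write_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca     = CA_default

[ CA_default ]
dir            = $1
certs          = \$dir/certs
crl_dir        = \$dir/crl
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
certificate    = \$dir/private/CA.crt
serial         = \$dir/serial
crl            = \$dir/CA.crl
private_key    = \$dir/private/CA.key
default_days   = 183
default_md     = sha256
preserve       = yes
policy         = policy_anything

[ policy_anything ]
commonName             = supplied
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
emailAddress           = optional

[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
C  = US
ST = New York
L  = Syracuse
CN = Example Root CA

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# The article's genrsa -des3 and "req -new -x509 -days 999" steps, with the pass
# phrase passed in. "pass:" is visible in process listings; outside a demo use
# -passout file:... or the interactive prompt.
ca_create_root() {
    openssl genrsa -des3 -passout "pass:$2" -out "$1/private/CA.key" 2048 2>/dev/null
    chmod 600 "$1/private/CA.key"
    openssl req -new -x509 -days 999 -config "$1/openssl.cnf" -key "$1/private/CA.key" \
        -passin "pass:$2" -out "$1/private/CA.crt" 2>/dev/null
}

# Sanity checks before trusting the root: verifies against itself, carries
# CA:TRUE, has the expected subject. Non-zero exit on any failure.
ca_check_root() {
    crt="$1/private/CA.crt"
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE' || return 1
    openssl x509 -in "$crt" -noout -subject | grep -q 'Example Root CA'
}

if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    ca_setup_dir "$demo"; ca_write_config "$demo"
    ca_create_root "$demo" "CHANGE-ME-demo-passphrase"
    ca_check_root "$demo" || { echo "root CA failed sanity checks" >&2; exit 1; }
    echo "root CA ready in $demo; next serial = $(ca_next_serial "$demo")"
else
    echo "openssl not on PATH; functions defined, demo skipped" >&2
fi
```

Running the script prints the scratch directory and the decimal value of the next serial (100, the article's 0x64). The ca_check_root function is the part worth keeping around: a root certificate that fails to verify against itself, or that lacks the CA basic constraint, will be rejected by Apache clients later in ways that are hard to diagnose, so checking it right after creation is cheaper than finding out on the first handshake.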