Generating Your Own Security Certificates For Use With Apache/HTTPS - Install OpenSSL
(Page 3 of 7 )
Compile and install the OpenSSL toolkit.
# cd openssl-0.9.7d # ./config --prefix=/usr/local/ssl # make && make install
The OpenSSL toolkit implements the Secure Socket Layer and Transport Layer Security protocols and general-purpose cryptographic libraries. The Makefile's prefix parameter sets the installation directory to /usr/local/ssl. Other configuration parameters may be passed if desired.
OpenSSL's configuration file is openssl.cnf. The default configuration provides a good starting point; setting the options illustrated above will help provide an adequate configuration.
Prepare the Certificate Authority (CA) directory.
# mkdir -p /usr/local/ssl/CA/{private,newcerts} # cd /usr/local/ssl/CA # chmod 700 private # touch index.txt # echo "64" > serial
A Certificate Authority will be needed to digitally sign and generate valid SSL certificates and it's activities will take place within the directory specified by the configuration file.
The index.txt file keeps track of the certificates issued by the CA. The value stored in the serial file is a hexadecimal number that will be issued as the next certificate's serial number (the hex value 64 is equal to decimal value 100).
Generate a signing key for use by the CA.
# ../bin/openssl genrsa -des3 -out private/CA.key
Generating RSA private key, 1024 bit long modulus .........++++++ .....++++++ e is 65537 (0x10001) Enter pass phrase for private/CA.key: ***** Verifying - Enter pass phrase for private/CA.key: *****
A 1024-bit long DES3 encrypted key is generated. It is important to keep the private key and password safe as it will be used to sign all future certificates. If the key is compromised, the integrity of the CA is compromised.
Generate a self-signed root certificate granting the CA its authority.
Enter pass phrase for private/CA.key: ***** You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value. If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: US State/Province Name (full name) [Some-State]: New York Locality Name (eg, city) []: Syracuse Organization Name (eg, company) []: . OrganizationalUnitName (eg, section) []: . Common Name (eg, YOUR name) []: Timothy Boronczyk Email Address []: mail@example.com
OpenSSL is used to request and sign a new x509 certificate with the previously generated key. This grants the CA the ability to sign future certificate requests.
