Generating Your Own Security Certificates For Use With Apache/HTTPS - Request, Sign and Install the Certificate
(Page 5 of 7)
Generate an encryption key for use by Apache.
# /usr/local/ssl/bin/openssl genrsa \
> -out /usr/local/apache/conf/ssl.key/server.key
Generating RSA private key, 1024 bit long modulus
..........++++++
......................++++++
e is 65537 (0x10001)
Apache will need an encryption key, which can be generated by using OpenSSL.
You may also encrypt the key by including the -des3 parameter, but keep in mind that Apache will then have to decrypt the key before it can start in SSL mode and will prompt for the pass phrase at startup. This may hinder remote administration in some circumstances, since an unattended restart will stop at that prompt.
Make a certificate request to the CA.
# cd /usr/local/ssl/CA
# ../bin/openssl req -new \
> -key /usr/local/apache/conf/ssl.key/server.key \
> -out /usr/local/apache/conf/ssl.csr/server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value.
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: US
State/Province Name (full name) [Some-State]: New York
Locality Name (eg, city) []: Syracuse
Organization Name (eg, company) []: Timothy Boronczyk
Organizational Unit Name (eg, section) []: .
Common Name (eg, YOUR name) []: www.example.com
Email Address []: mail@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request.
A challenge password []: .
An optional company name []: .
When requesting a certificate from the CA, the Common Name field should be the fully qualified domain name of the web server, exactly as clients will enter it in the URL; browsers compare the two and warn on a mismatch.
Sign and install the certificate request with the CA.
# ../bin/openssl ca \
> -in /usr/local/apache/conf/ssl.csr/server.csr \
> -out /usr/local/apache/conf/ssl.crt/server.crt
Using configuration from /usr/local/ssl/ssl/openssl.cnf
Enter pass phrase for /usr/local/ssl/CA/private/CA.key: *****
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 100 (0x64)
        Validity
            Not Before: Jun 25 20:37:39 2004 GMT
            Not After : Dec 25 20:37:39 2004 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = New York
            localityName              = Syracuse
            organizationName          = Timothy Boronczyk
            commonName                = www.example.org
            emailAddress              = mail@example.com
        x509v3 extensions:
            x509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            x509v3 Subject Key Identifier:
                23:7B:59:C2:D6:51:A5:5C:14:44:52:75:F1:D7:8C:03
            x509v3 Authority Key Identifier:
                keyid:49:FF:26:2C:59:57:18:D2:98:00:F5:D2:2D:B9
                DirName:/C=US/ST=New York/L=Syracuse/CN=Timothy Boronczk/emailAddress=mail@example.com
                serial:00

Certificate is to be certified until Dec 25 20:37:39 2004 GMT (183 days)
Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n]: y
Write out database with 1 new entries
Data Base Updated
The certificate request must be signed by the CA before the resulting certificate is valid. Enter the pass phrase for the CA's encrypted key, review the details openssl prints, sign the certificate, and commit the request so the CA's database is updated.
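Before pointing Apache at the new files, a practitioner would want to confirm that the pieces actually fit together. The script below is an added example, not part of the article: it checks that server.crt chains to the CA that signed it, that server.key is the key the certificate was issued for, that the Common Name is the host clients will connect to, and that the certificate has not expired. The CA certificate path and the script name are assumptions; the other paths are the article's.

```sh
#!/bin/sh
# Added example (not from the article). Usage:
#   sh check_cert.sh /usr/local/ssl/CA/CA.crt server.key server.crt www.example.com
# The CA certificate path above is an assumption; adjust it to your CA.

# 1. Does the certificate chain to the CA? (verify also rejects a
#    certificate that is outside its validity window.)
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 2. Does the private key belong to this certificate? Compare the RSA
#    modulus of each; on a mismatch Apache refuses to start SSL.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 3. Extract the Common Name; it must equal the host name clients type.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# 4. Has the certificate expired? (-checkend 0 succeeds only if not.)
cert_valid_now() {
  openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# Run all four checks, report each, and return non-zero if any fails.
check_server_cert() {
  ca=$1 key=$2 crt=$3 host=$4 status=0
  chain_ok "$ca" "$crt" && echo "ok: chains to $ca" \
    || { echo "FAIL: not signed by $ca"; status=1; }
  key_matches_cert "$key" "$crt" && echo "ok: key matches certificate" \
    || { echo "FAIL: key does not match certificate"; status=1; }
  cn=$(cert_cn "$crt")
  [ "$cn" = "$host" ] && echo "ok: CN is $cn" \
    || { echo "FAIL: CN '$cn' is not '$host'"; status=1; }
  cert_valid_now "$crt" && echo "ok: not expired" \
    || { echo "FAIL: certificate has expired"; status=1; }
  return $status
}

if [ $# -eq 4 ]; then
  check_server_cert "$@"
fi
```

Run against the certificate shown above, the last check fails today because its validity ended on Dec 25 2004; the other three still tell you whether the files belong together.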
Next: Configure Apache >>
More By bluephoenix