.oO  |  List directory  |  History  |  Similar  |  Print version
Current user: guest | Change | Preferences
Home 
Main 
   Databases 
   qmail 
   Old Braindump Pages 
Linux 
FreeBSD 

Main > OpenSSL Certificates
 
rw-rw-r--   ian   linux

OpenSSL Certificates

Instructions to generate a self-signed certificate using OpenSSL for use with Apache mod_ssl, stunnel, etc.

cd /usr/local/apache2/conf; mkdir ssl.key ssl.csr ssl.crt

Generate your server's private (encrypted) key:

 $ openssl genrsa -des3 -rand file1:file2:...:file5 -out ssl.key/www.virtualhost.com-encrypted.key 2048

- or - If you feel your server is secure, and aren't worried about someone stealing your private key and trying to impersonate you, you can generate your key unencrypted:

 $ openssl genrsa -rand file1:file2:...:file5 -out ssl.key/www.virtualhost.com.key 2048

Generate a Certificate Signing Request:

 $ openssl req -new -key ssl.key/www.virtualhost.com.key -out ssl.csr/www.virtualhost.com.csr

You can view the contents of the CSR:

 $ openssl req -noout -text -in ssl.csr/www.virtualhost.com.csr

You can create your own quick self-signed certificate using:

 $ openssl x509 -req -days 3650 -in ssl.csr/www.virtualhost.com.csr -signkey ssl.key/www.virtualhost.com.key -out ssl.crt/www.virtualhost.com.crt

If you would like to sign your certificates as an unverified Certificate Authority and you don't already have your own Certificate Authority keys created then:

Run misc/CA.pl -newca

Sign your CSR with your CA keys:

 $ openssl ca -policy policy_anything -out ssl.crt/www.virtualhost.com.crt -infiles ssl.csr/www.virtualhost.com.csr

If you want Apache to be able to start without asking you for the PEM Pass Phrase - unencrypt the server's private key (if you used the -des3 option in the first steps above):

 $ openssl rsa -in ssl.key/www.virtualhost.com-encrypted.key -out ssl.key/www.virtualhost.com.key

then move the www.virtualhost.com.key over the server.key in the Apache directory, and start Apache

If you're going to use and unencrypted private key - you should make sure the file is readable only by root!

 -r-------- root root server.key
$ /usr/local/apache/bin/apachectl startssl

Notes:

SSL does not support Name Virtual Hosts. You must have a uniqe port and IP address combination for each Certificate you want to use.

You can take the CSR from step 2 and send the contents to Verisign for signing, rather than signing the certificate yourself.

Reference http://braindump.mrzesty.net/Main/OpenSSLCertificates

Comments: 0 New comment

Prev. coWiki installation   Old Braindump Pages Next

Home | Main | Linux | FreeBSD

coWiki 0.3.4 (Boron) /