OpenSSL Signed Certificate


Instructions to generate a self-signed certificate using OpenSSL for use with Apache mod_ssl.
  1. cd /usr/local/apache2/conf; mkdir ssl.key ssl.csr ssl.crt

  2. Generate your server's private (encrypted) key:
    $ openssl genrsa -des3 -rand file1:file2:...:file5 -out ssl.key/www.virtualhost.com-encrypted.key 1024
    - or - If you trust the security of your server and aren't worried about someone stealing your private key and impersonating you, you can generate the key unencrypted:
    $ openssl genrsa -rand file1:file2:...:file5 -out ssl.key/www.virtualhost.com.key 1024

  3. Generate a Certificate Signing Request:
    $ openssl req -new -key ssl.key/www.virtualhost.com.key -out ssl.csr/www.virtualhost.com.csr

    You can view the contents of the CSR:
    $ openssl req -noout -text -in ssl.csr/www.virtualhost.com.csr

  4. You can create your own quick self-signed certificate using:
    $ openssl x509 -req -days 1461 -in ssl.csr/www.virtualhost.com.csr -signkey ssl.key/www.virtualhost.com.key -out ssl.crt/www.virtualhost.com.crt

  5. If you would like to sign your certificates as an unverified Certificate Authority and you don't already have your own Certificate Authority keys created then:
    1. Run misc/CA.pl -newca

  6. Sign your CSR with your CA keys:
    $ openssl ca -policy policy_anything -out ssl.crt/www.virtualhost.com.crt -infiles ssl.csr/www.virtualhost.com.csr

    If you want Apache to start without prompting you for the PEM pass phrase, decrypt the server's private key (if you used the -des3 option in step 2 above):
    $ openssl rsa -in ssl.key/www.virtualhost.com-encrypted.key -out ssl.key/www.virtualhost.com.key
    then move www.virtualhost.com.key over server.key in the Apache configuration directory and start Apache.

    If you're going to use an unencrypted private key, make sure the file is readable only by root:
    -r-------- root root server.key
    $ /usr/local/apache/bin/apachectl startssl
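
    As an added example (not from the original page), the following POSIX shell script runs steps 2 through 4 non-interactively for one virtual host and then checks two things the steps above leave to the reader: that the certificate really carries the key's public key, and that the unencrypted key is readable by its owner only. It assumes openssl is on PATH; the work directory, the 2048-bit key size and the helper names are my own choices, not the page's.

```shell
#!/bin/sh
# Added example: key -> CSR -> self-signed cert, then two sanity checks.
# Directory layout (ssl.key, ssl.csr, ssl.crt) and the 1461-day lifetime
# follow the page; 2048-bit keys and the helper names are assumptions.
set -eu

# Build key, CSR and self-signed certificate under $1 for hostname $2.
# Runs in a subshell so the restrictive umask does not leak out.
make_selfsigned() (
    dir=$1; host=$2
    mkdir -p "$dir/ssl.key" "$dir/ssl.csr" "$dir/ssl.crt"
    umask 077   # key material is created owner-only from the start
    openssl genrsa -out "$dir/ssl.key/$host.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ssl.key/$host.key" -subj "/CN=$host" \
        -out "$dir/ssl.csr/$host.csr" 2>/dev/null
    openssl x509 -req -days 1461 -in "$dir/ssl.csr/$host.csr" \
        -signkey "$dir/ssl.key/$host.key" \
        -out "$dir/ssl.crt/$host.crt" 2>/dev/null
)

# Return 0 if the public key embedded in cert $1 equals the public half
# of private key $2 (compared via SHA-256 of their PEM encodings).
cert_matches_key() {
    crt_pub=$(openssl x509 -noout -pubkey -in "$1" | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
    [ "$crt_pub" = "$key_pub" ]
}

# Return 0 if file $1 is readable by its owner only (0400 as on the page,
# or 0600). Uses GNU stat, falling back to the BSD/macOS form.
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in 400|600) return 0 ;; *) return 1 ;; esac
}

# Stand-alone demo: constructed host name, temporary work directory.
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" www.virtualhost.com
crt="$demo_dir/ssl.crt/www.virtualhost.com.crt"
key="$demo_dir/ssl.key/www.virtualhost.com.key"
cert_matches_key "$crt" "$key" && echo "certificate matches private key"
key_is_private "$key" && echo "private key is owner-only"
openssl x509 -noout -subject -dates -in "$crt"
rm -rf "$demo_dir"
```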

Notes:
  • SSL does not support Name Virtual Hosts. You must have a unique port and IP address combination for each Certificate you want to use.
  • You can take the CSR from step 3 and send the contents to Verisign for signing, rather than signing the certificate yourself.


© Ian Samuel, 2012
http://braindump.MrZesty.net