OpenSSL Certificates

Instructions to generate a self-signed certificate using OpenSSL for use with Apache mod_ssl, stunnel, etc.

Create directories for the key, CSR and certificate under the Apache configuration directory:

 $ cd /etc/apache2; mkdir ssl.key ssl.csr ssl.crt

Generate your server's private key, encrypted with a pass phrase. -des3 selects 3DES; with a current OpenSSL prefer -aes256. The -rand option seeds the generator from the listed files; OpenSSL 1.1.1 and later seed from the operating system and no longer need it:

 $ openssl genrsa -des3 -rand file1:file2:...:file5 -out ssl.key/ 2048

Or, if you accept the risk that anyone who can read the key file can impersonate your server, generate the key unencrypted:

 $ openssl genrsa -rand /var/log/syslog -out ssl.key/ 2048

Generate a Certificate Signing Request:

 $ openssl req -new -sha256 -key ssl.key/ -out ssl.csr/

You can view the contents of the CSR:

 $ openssl req -text -noout -in ssl.csr/

You can create your own quick self-signed certificate using:

 $ openssl x509 -req -days 3650 -sha256 -in ssl.csr/ -signkey ssl.key/ -out ssl.crt/

If you would like to sign your certificates with your own Certificate Authority (one that clients will not trust until its certificate is installed on them) and you don't already have CA keys, run misc/ -newca to create the CA key and directory layout. Then sign your CSR with your CA key:

 $ openssl ca -policy policy_anything -out ssl.crt/ -infiles ssl.csr/

If you want Apache to start without asking for the PEM pass phrase, decrypt the server's private key (only needed if you used the -des3 option in the first step above):

 $ openssl rsa -in ssl.key/ -out ssl.key/

Then copy it over server.key in the Apache directory and start Apache.

If you're going to use an unencrypted private key, make sure the file is owned by root and readable only by root:

 -r-------- root root server.key

Then restart Apache:

 $ service apache2 restart
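The whole key, CSR and self-signed certificate procedure above, run unattended, as an added example that is not from the original page. The pass phrase is passed through -passout/-passin and the DN through -subj so nothing prompts, and two checks a practitioner wants are included: that the certificate really belongs to the key (matching RSA modulus) and that the decrypted key ends up mode 0400. The scratch directory, the example.com name, the DN values and the pass phrase are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: the key -> CSR -> self-signed
# certificate steps run unattended. The working directory, the example.com
# name and the passphrase are constructed for the demo.
set -eu

# Passphrase-protected private key. -aes256 replaces the page's -des3 (3DES);
# -passout keeps "openssl genrsa" from prompting. A literal pass: argument is
# visible in the process list, so in real use read it from a file (file:...)
# or a descriptor (fd:...).
gen_encrypted_key() {          # $1 = key path, $2 = passphrase
    openssl genrsa -aes256 -passout "pass:$2" -out "$1" 2048 2>/dev/null
}

# Decrypt the key so Apache can start without the pass phrase (the
# "openssl rsa" step above), then make it readable by its owner only.
strip_passphrase() {           # $1 = encrypted key, $2 = plain key out, $3 = passphrase
    openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null
    chmod 0400 "$2"
}

# CSR with the DN fixed by -subj instead of interactive prompts.
make_csr() {                   # $1 = key, $2 = CSR out, $3 = common name
    openssl req -new -sha256 -key "$1" \
        -subj "/C=CA/ST=Ontario/L=Toronto/O=Example Org/CN=$3" -out "$2" 2>/dev/null
}

# Self-signed certificate valid for 10 years, as on the page.
self_sign() {                  # $1 = CSR, $2 = key, $3 = cert out
    openssl x509 -req -days 3650 -sha256 -in "$1" -signkey "$2" -out "$3" 2>/dev/null
}

# Returns 0 when the certificate was issued for this key: the RSA modulus
# printed for the key and for the certificate must be identical.
key_cert_match() {             # $1 = unencrypted key, $2 = cert
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null || true)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Octal permission bits of a file, e.g. 400 (GNU stat, BSD stat as fallback).
key_mode() {                   # $1 = path
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demo in a scratch directory; the page's layout would be ssl.key/, ssl.csr/
# and ssl.crt/ under /etc/apache2.
WORK=$(mktemp -d)
gen_encrypted_key "$WORK/server.enc.key" demo-passphrase
strip_passphrase "$WORK/server.enc.key" "$WORK/server.key" demo-passphrase
make_csr "$WORK/server.key" "$WORK/server.csr" www.example.com
self_sign "$WORK/server.csr" "$WORK/server.key" "$WORK/server.crt"
key_cert_match "$WORK/server.key" "$WORK/server.crt" && echo "key and certificate match"
echo "server.key mode: $(key_mode "$WORK/server.key")"
openssl x509 -noout -subject -dates -in "$WORK/server.crt"
```

The modulus comparison is the quickest way to catch the classic mistake of installing a certificate next to the wrong server.key; Apache only reports that failure at startup.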


TLS without Server Name Indication (SNI) cannot choose a certificate by hostname, so you need a unique IP address and port combination for each certificate. Apache 2.2.12 and later with mod_ssl support SNI, but a single certificate covering several names (next section) works with older clients too.

You can take the CSR from step 2 and send its contents to a public CA such as Verisign for signing, rather than signing the certificate yourself.

X509v3 Subject Alternative Name

To have a certificate signed which is valid for multiple DNS names (to get around the VirtualHost constraint of having a unique IP address and port for each site), create a cnf file containing the AltNames configuration, for example ssl.crt/altnames.cnf:

[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CA
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Ontario
localityName = Locality Name (eg, city)
localityName_default = Toronto
0.organizationName = Organization Name (eg, company)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
commonName_default =

[ v3_req ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1   =
DNS.2   =
DNS.3   =

Fill in one DNS.n entry per hostname; the common name should also appear in the list, because clients match on the Subject Alternative Name and ignore the CN when a SAN is present. keyUsage is digitalSignature, keyEncipherment: a TLS server certificate needs digitalSignature for (EC)DHE key exchange and TLS 1.3, and dataEncipherment has no role in TLS.

You can then create the CSR referencing the above file:

 $ openssl req -new -sha256 -key ssl.key/ -out ssl.csr/ -config ssl.crt/altnames.cnf

Extensions in a CSR are only a request. openssl x509 -req does not copy them into the certificate, so when self-signing add -extfile ssl.crt/altnames.cnf -extensions v3_req to the x509 command; when signing with openssl ca, set copy_extensions = copy in the CA configuration. Confirm the result with openssl x509 -noout -text and look for the X509v3 Subject Alternative Name block.
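An added example, not part of the original page, that writes the altnames configuration above with its section headers, creates the CSR, and then signs it twice: once exactly as in the self-signed step earlier on the page, which drops the SAN because openssl x509 -req does not copy request extensions, and once with -extfile/-extensions so the SAN is carried into the certificate. The hostnames, DN values and file names are constructed, and prompt = no is added to the config so openssl req reads the DN from the file instead of prompting.

```shell
#!/bin/sh
# Added example (not from the original page): build altnames.cnf, create a SAN
# CSR, and show that "openssl x509 -req" drops the SAN unless the extension
# section is passed back in. Hostnames, DN values and file names are
# constructed for the demo.
set -eu

# Write the page's altnames config, with section headers, for the given DNS
# names. prompt = no makes "openssl req" read the DN from the file instead of
# asking; the first name doubles as the CN.
write_san_config() {          # $1 = config path, $2.. = DNS names
    cfg=$1; shift
    {
        printf '[ req ]\ndistinguished_name = req_distinguished_name\n'
        printf 'req_extensions = v3_req\nprompt = no\n\n'
        printf '[ req_distinguished_name ]\nC = CA\nST = Ontario\nL = Toronto\n'
        printf 'O = Example Org\nCN = %s\n\n' "$1"
        # digitalSignature is required for (EC)DHE and TLS 1.3 signatures;
        # dataEncipherment has no role in TLS.
        printf '[ v3_req ]\nkeyUsage = digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n\n'
        printf '[ alt_names ]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cfg"
}

# Unencrypted key, as Apache needs it, readable by its owner only.
gen_key() {                   # $1 = key path
    openssl genrsa -out "$1" 2048 2>/dev/null
    chmod 0400 "$1"
}

# The CSR command from the page: the v3_req extensions go into the request.
make_san_csr() {              # $1 = key, $2 = config, $3 = CSR out
    openssl req -new -sha256 -key "$1" -config "$2" -out "$3" 2>/dev/null
}

# Self-signing exactly as on the page: the CSR's extensions are NOT copied.
sign_plain() {                # $1 = CSR, $2 = key, $3 = cert out
    openssl x509 -req -days 3650 -sha256 -in "$1" -signkey "$2" -out "$3" 2>/dev/null
}

# Self-signing with the v3_req section applied via -extfile/-extensions.
sign_with_san() {             # $1 = CSR, $2 = key, $3 = config, $4 = cert out
    openssl x509 -req -days 3650 -sha256 -in "$1" -signkey "$2" \
        -extfile "$3" -extensions v3_req -out "$4" 2>/dev/null
}

# Returns 0 if the certificate's subjectAltName lists the DNS name exactly
# (the text dump prints them as "DNS:a, DNS:b").
cert_has_san() {              # $1 = cert, $2 = DNS name
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | grep -qE 'DNS:'"$2"'(,|$)'
}

# Returns 0 if OpenSSL's own hostname check accepts the self-signed cert for
# the name (the cert is its own trust anchor here).
cert_matches_host() {         # $1 = cert, $2 = hostname
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Demo in a scratch directory.
WORK=$(mktemp -d)
write_san_config "$WORK/altnames.cnf" www.example.com example.com mail.example.com
gen_key "$WORK/server.key"
make_san_csr "$WORK/server.key" "$WORK/altnames.cnf" "$WORK/server.csr"
sign_plain "$WORK/server.csr" "$WORK/server.key" "$WORK/plain.crt"
sign_with_san "$WORK/server.csr" "$WORK/server.key" "$WORK/altnames.cnf" "$WORK/san.crt"
for crt in plain.crt san.crt; do
    if cert_has_san "$WORK/$crt" mail.example.com; then
        echo "$crt: SAN present"
    else
        echo "$crt: SAN missing"
    fi
done
```

Running the demo prints "plain.crt: SAN missing" and "san.crt: SAN present"; the only difference between the two is -extfile/-extensions on the signing command. The same applies to openssl ca, where copy_extensions = copy in the CA configuration is the equivalent switch.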
opensslcertificates.txt · Last modified: 2020/02/13 22:55 (external edit)
