OpenSSL Certificates

<toc><ul><li><link topicref=“2”>X509v3 Subject Alternative Name</link></li></ul></toc> Instructions to generate a self-signed certificate using OpenSSL for use with Apache mod_ssl, stunnel, etc.

cd /etc/apache2; mkdir ssl.key ssl.csr ssl.crt

Generate your server's private (encrypted) key:

 $ openssl genrsa -des3 -rand file1:file2:...:file5 -out ssl.key/www.virtualhost.com-encrypted.key 2048

- or - If you feel your server is secure, and aren't worried about someone stealing your private key and trying to impersonate you, you can generate your key unencrypted:

 $ openssl genrsa -rand /var/log/syslog -out ssl.key/www.virtualhost.com.key 2048

Generate a Certificate Signing Request:

 $ openssl req -new -sha256 -key ssl.key/www.virtualhost.com.key -out ssl.csr/www.virtualhost.com.csr

You can view the contents of the CSR:

 $ openssl req -text -in ssl.csr/www.virtualhost.com.csr

You can create your own quick self-signed certificate using:

 $ openssl x509 -req -days 3650 -sha256 -in ssl.csr/www.virtualhost.com.csr -signkey ssl.key/www.virtualhost.com.key -out ssl.crt/www.virtualhost.com.crt

<hr/> If you would like to sign your certificates as an unverified Certificate Authority and you don't already have your own Certificate Authority keys created then:

Run <tt>misc/CA.pl -newca</tt> <p>Sign your CSR with your CA keys:</p>

 $ openssl ca -policy policy_anything -out ssl.crt/www.virtualhost.com.crt -infiles ssl.csr/www.virtualhost.com.csr

If you want Apache to be able to start without asking you for the PEM Pass Phrase - unencrypt the server's private key (if you used the -des3 option in the first steps above):

 $ openssl rsa -in ssl.key/www.virtualhost.com-encrypted.key -out ssl.key/www.virtualhost.com.key

then move the www.virtualhost.com.key over the server.key in the Apache directory, and start Apache

If you're going to use and unencrypted private key - you should make sure the file is readable only by root!

 -r-------- root root server.key
$ service apache2 restart

Notes:

SSL does not support Name Virtual Hosts. You must have a uniqe port and IP address combination for each Certificate you want to use. <p>You can take the CSR from step 2 and send the contents to Verisign for signing, rather than signing the certificate yourself.</p>

X509v3 Subject Alternative Name

To have a certificate signed which is valid for multiple DNS names (to get around the VirtualHost constraint of having a unique IP address and port for each site), you must create a cnf file containing the configuration of AltNames.

<strong>altnames.cnf</strong>:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = CA
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Ontario
localityName = Locality Name (eg, city)
localityName_default = Toronto
0.organizationName = Organization Name (eg, company)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
commonName_default = www.domain1.com

[v3_req] 
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1   = www.domain2.com
DNS.2   = www.domain3.com
DNS.3   = www.domain4.com

You can then create the CSR referencing the above file:

openssl req -new -key ssl.key/www.domain1.com.key -out ssl.csr/www.domain1.com.csr -config ssl.crt/altnames.cnf