Generate server private key
The first task is to create a server private key. In this example a key of 1024 bits is created and the key file is encrypted with Triple DES under a passphrase (note that public CAs no longer sign 1024-bit RSA keys and modern browsers reject them; use at least 2048 bits for anything deployed today):
openssl genrsa -des3 -out server.key 1024
To create a key without a passphrase (so there is no need to enter a passphrase when, for example, the Apache server starts):
openssl genrsa -out server.key 1024
or to remove the passphrase from an existing key file (the decrypted copy is written to a new file first, then swapped into place; the original stays behind as server.key.secure):
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
Generate certificate signing request (CSR)
The CSR is the file the certificate issuer needs in order to sign and issue a certificate. It is generated from the private key as follows:
openssl req -new -key server.key -out server.csr
This prompts for the fields of the subject name; the Common Name must be the fully qualified host name that clients will connect to:
Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]: Yorks
Locality Name (eg, city) []: York
Organization Name (eg, company) [Internet Widgits Pty Ltd]: BSDnexus
Organizational Unit Name (eg, section) []: IT
Common Name (eg, YOUR name) []: www.bsdnexus.com
Email Address []:
The completed file server.csr is a PEM (base64 text) file; it can be submitted to the CA by paste or upload, depending on the CA, which then issues the server.crt file.
Self signed certificate
If the website is a private one, it is possible to self-sign the certificate; however, browsers will complain until an exception is added. Currently, the following pages are displayed by two well known browsers:
Should you still wish to sign your own CSR to generate the server.crt file, the following command can be used:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Note that current browsers ignore the Common Name and match the host name only against a subjectAltName extension, which openssl x509 -req does not add unless it is given an extension file with -extfile. A certificate produced by the command above therefore needs a browser exception even for the host named in its CN.
Install certificates
The files can be stored anywhere on the system, however, under /etc/ssl seems customary. Ensure the private key is readable only by root (mode 0600); the certificate and CA bundle are public and may be world-readable. If a CA has signed your CSR they will provide two files (names may be slightly different), "server.crt" and "server.ca-bundle" (the intermediate certificates that chain your certificate to the CA's root). If you have self-signed, merely omit the reference to the .ca-bundle file.
For Apache a virtual host entry could look as follows (notice the references to the files). On Apache 2.4.8 and later SSLCertificateChainFile is deprecated: instead, append the CA bundle to the file named in SSLCertificateFile, after the server certificate.
<VirtualHost _default_:443>
ServerAdmin webmaster@bsdnexus.com
DocumentRoot /usr/local/apache/share/htdocs
ServerName www.bsdnexus.com
SSLEngine on
SSLCertificateKeyFile /etc/ssl/bsdnexus/server.key
SSLCertificateFile /etc/ssl/bsdnexus/server.crt
SSLCertificateChainFile /etc/ssl/bsdnexus/server.ca-bundle
</VirtualHost>
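The whole key, CSR and self-signing procedure above, written as a script that also runs the checks worth doing before restarting Apache. This is an added example and not part of the original page: it uses a 2048-bit key, answers the CSR prompts with -subj instead of interactively, adds a subjectAltName through -extfile so current browsers accept the name, and then confirms that the key and certificate match, that the SAN is present, that the certificate is not expired and that the key is readable only by its owner. The output directory ./ssl-demo is an assumption (the page keeps its files under /etc/ssl/bsdnexus); the host and subject values are the page's own.

```shell
#!/bin/sh
# Added example, not from the original page: key -> CSR -> self-signed certificate,
# followed by the checks an administrator should run before pointing Apache at the files.
# The ./ssl-demo directory is an assumption; the subject values are those used on the page.
set -eu

HOST="www.bsdnexus.com"          # the page's host name; change to the name clients will use
OUT="${1:-./ssl-demo}"           # assumed output directory (the page uses /etc/ssl/bsdnexus)

# Step 1: 2048-bit RSA key with no passphrase, so Apache starts unattended.
# 1024-bit keys are refused by public CAs and browsers. The umask in the subshell
# makes the key 0600 from the moment it is created, so no chmod race is needed.
make_key() {
    ( umask 077; openssl genrsa -out "$1/server.key" 2048 2>/dev/null )
}

# Step 2: the CSR, giving the answers to the page's interactive prompts via -subj.
make_csr() {
    openssl req -new -key "$1/server.key" -out "$1/server.csr" \
        -subj "/C=GB/ST=Yorks/L=York/O=BSDnexus/OU=IT/CN=$HOST"
}

# Step 3: self-sign for one year. 'openssl x509 -req' adds no extensions on its own and
# browsers ignore the CN, so a subjectAltName is supplied from a small extension file.
self_sign() {
    printf 'subjectAltName=DNS:%s\n' "$HOST" > "$1/san.ext"
    openssl x509 -req -days 365 -in "$1/server.csr" -signkey "$1/server.key" \
        -extfile "$1/san.ext" -out "$1/server.crt"
}

build_all() {
    mkdir -p "$1"
    make_key "$1"
    make_csr "$1"
    self_sign "$1"
}

# --- Checks to run before restarting Apache ------------------------------------------

# RSA key length in bits, read back from the key file itself (prints e.g. 2048).
key_bits() {
    openssl rsa -in "$1/server.key" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Certificate and key must share the same RSA modulus; otherwise Apache refuses to start
# because SSLCertificateFile and SSLCertificateKeyFile do not belong together.
cert_matches_key() {
    [ "$(openssl rsa -in "$1/server.key" -noout -modulus 2>/dev/null)" = \
      "$(openssl x509 -in "$1/server.crt" -noout -modulus)" ]
}

# Browsers match the host name against subjectAltName, not the Common Name.
cert_has_san() {
    openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$HOST"
}

# -checkend 0 exits 0 while the certificate is still within its validity period.
cert_not_expired() {
    openssl x509 -in "$1/server.crt" -noout -checkend 0 >/dev/null
}

# Group and other must hold no permission bits on the private key (columns 5-10 of ls -l).
key_is_private() {
    [ "$(ls -l "$1/server.key" | cut -c5-10)" = "------" ]
}

if command -v openssl >/dev/null 2>&1; then
    build_all "$OUT"
    echo "key bits: $(key_bits "$OUT")"
    for check in cert_matches_key cert_has_san cert_not_expired key_is_private; do
        if "$check" "$OUT"; then echo "PASS $check"; else echo "FAIL $check"; fi
    done
else
    echo "openssl not found; nothing generated" >&2
fi
```

The resulting server.key and server.crt drop straight into the SSLCertificateKeyFile and SSLCertificateFile directives shown above; there is no server.ca-bundle for a self-signed certificate. The same four checks apply unchanged to a CA-issued certificate, where cert_matches_key is the one most often failed (a certificate installed against a regenerated key).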