Generate server private key
The first task is to create the server's private key. The original example used a 1024-bit RSA key; that size is no longer considered adequate, so use at least 2048 bits. In this form the key file is encrypted with Triple DES under a passphrase that you are prompted for (with a current OpenSSL, -aes256 is the better choice of cipher; -des3 still works):
openssl genrsa -des3 -out server.key 2048
To create a key without a passphrase (so that, for example, the Apache server can start without anyone typing one; the file permissions are then the only thing protecting the key):
openssl genrsa -out server.key 2048
or, to remove the passphrase from an existing key file:
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
Generate certificate signing request (CSR)
The CSR is the file the certificate issuer needs in order to sign and issue a certificate. It is generated from the private key as follows:
openssl req -new -key server.key -out server.csr
This prompts for the fields of the certificate subject (defaults are shown in square brackets):
Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]: Yorks
Locality Name (eg, city) []: York
Organization Name (eg, company) [Internet Widgits Pty Ltd]: BSDnexus
Organizational Unit Name (eg, section) []: IT
Common Name (eg, YOUR name) []: www.bsdnexus.com
Email Address []:
The Common Name must be the hostname clients will connect to. Note that current browsers match the hostname against the certificate's subjectAltName extension rather than the Common Name, so a public CA will expect the hostname there too; this interactive prompt does not add one.
The completed file server.csr is PEM-encoded ASCII text and can be submitted to the CA in a variety of ways (pasted into a web form, emailed, and so on). The CA then issues the server.crt file.
Self signed certificate
If the website is a private one, the certificate can be self-signed. Browsers will then warn about it until the user adds an exception (or the certificate is imported into the browser's trust store). At the time of writing, two well-known browsers displayed the following pages:
[Screenshot: Firefox and SSL cert issue]
[Screenshot: IE and SSL cert issue]
Should you still wish to sign your own CSR to produce the server.crt file, the following command can be used. Note that it does not copy extensions from the CSR, so the resulting certificate carries no subjectAltName unless one is supplied with -extfile:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
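Putting the three steps together, the following script is added here as an example and is not part of the original page. It performs the key, CSR and self-signing steps non-interactively, adds a subjectAltName so that browsers can match the hostname, and then runs the checks worth doing before pointing Apache at the files: that key and certificate belong together, that the certificate verifies and contains the SAN, and that the key file is mode 600. It assumes OpenSSL 1.1.1 or later on the PATH (for -addext); the hostname www.example.test, the subject fields and the output directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: non-interactive key -> CSR ->
# self-signed certificate, followed by the checks worth running before
# installing the files for Apache. Assumes openssl >= 1.1.1 (for -addext).
set -eu

HOST="${HOST:-www.example.test}"          # placeholder hostname (assumption)
OUTDIR="${OUTDIR:-$(mktemp -d)}"          # scratch dir; use /etc/ssl/<site> for real
KEY="$OUTDIR/server.key"
CSR="$OUTDIR/server.csr"
CRT="$OUTDIR/server.crt"
EXT="$OUTDIR/server.ext"

# Step 1: 2048-bit RSA key without a passphrase, so Apache can start unattended.
# umask 077 makes the file mode 600 from the moment it is created.
gen_key() {
    ( umask 077 && openssl genrsa -out "$KEY" 2048 2>/dev/null )
}

# Step 2: CSR with the subject given on the command line instead of at the
# prompts, plus a subjectAltName; browsers check the hostname against SAN,
# not against the Common Name.
gen_csr() {
    openssl req -new -key "$KEY" -out "$CSR" \
        -subj "/C=GB/ST=Yorks/L=York/O=Example/OU=IT/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST"
}

# Step 3: self-sign. 'openssl x509 -req' does not carry extensions over from
# the CSR, so the SAN must be supplied again via -extfile or it is lost.
self_sign() {
    printf 'subjectAltName=DNS:%s\n' "$HOST" > "$EXT"
    openssl x509 -req -days 365 -in "$CSR" -signkey "$KEY" -out "$CRT" \
        -extfile "$EXT" 2>/dev/null
}

# Check 1: key and certificate must share the same RSA modulus, otherwise
# Apache refuses to start with a key/certificate mismatch error.
key_matches_cert() {
    k=$(openssl rsa -in "$KEY" -noout -modulus)
    c=$(openssl x509 -in "$CRT" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: the certificate verifies against itself (it is its own issuer)
# and actually contains the SAN entry we asked for.
cert_has_san_and_verifies() {
    openssl verify -CAfile "$CRT" "$CRT" >/dev/null 2>&1 &&
        openssl x509 -in "$CRT" -noout -text | grep -q "DNS:$HOST"
}

# Check 3: the key file is mode 600. 'find -perm 600' is POSIX and prints the
# path only on an exact match, unlike the GNU- or BSD-specific stat flags.
key_is_private() {
    [ -n "$(find "$KEY" -perm 600)" ]
}

# Run the three steps, then the three checks; the exit status is the verdict.
run_all() {
    gen_key && gen_csr && self_sign &&
        key_matches_cert && cert_has_san_and_verifies && key_is_private
}

run_all && echo "key, CSR and self-signed certificate written to $OUTDIR"
```

For a CA-signed certificate the self_sign step is replaced by submitting server.csr to the CA, but the modulus comparison and the verify call apply unchanged; with a CA bundle, verify against the bundle instead of the certificate itself.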
Install certificates
The files can be stored anywhere on the system, but under /etc/ssl is customary. The private key must be readable only by root (mode 600); Apache reads it while still running as root, before dropping privileges. The certificate and any CA bundle are public and need no such protection. If a CA has signed your CSR they will provide two files (names may differ slightly), "server.crt" and "server.ca-bundle"; check that the bundle actually verifies your certificate before restarting Apache. If you have self-signed, omit the reference to the .ca-bundle file.
For Apache a virtual host entry could look as follows (notice the references to the files). On Apache 2.4.8 and later, SSLCertificateChainFile is deprecated: append the CA bundle to the file named by SSLCertificateFile instead, leaf certificate first.
<VirtualHost _default_:443>
ServerAdmin webmaster@bsdnexus.com
DocumentRoot /usr/local/apache/share/htdocs
ServerName www.bsdnexus.com
SSLEngine on
SSLCertificateKeyFile /etc/ssl/bsdnexus/server.key
SSLCertificateFile /etc/ssl/bsdnexus/server.crt
SSLCertificateChainFile /etc/ssl/bsdnexus/server.ca-bundle
</VirtualHost>