The Soothingly Seamless Setup of Virtual Hosts and Certificates - Creating Certificates (Page 3 of 4)
Here is a step-by-step description of how to create certificates.
Create an RSA private key for your Apache server (it will be Triple-DES encrypted and PEM formatted):
# openssl genrsa -des3 -out server.key 1024
Please back up the new server.key file in a secure location, and remember the pass-phrase you entered! You can see the details of this RSA private key via the command:
# openssl rsa -noout -text -in server.key
You could also create a decrypted PEM version (not recommended) of this RSA private key via:
# openssl rsa -in server.key -out server.key.unsecure
Create a Certificate Signing Request (CSR) with the server's RSA private key (the output will be PEM formatted):
# openssl req -new -key server.key -out server.csr
Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName"; for example, when you generate a CSR for a web site which will later be accessed via https://www.foo.dom/, enter "www.foo.dom" here. You can see the details of this CSR via the command:
# openssl req -noout -text -in server.csr
Here you have two options:
- Send it off to a CA: you can have the CSR signed by a commercial CA like Verisign or Thawte. Then you usually have to post the CSR into a web form, pay for the signing and await the signed certificate, which you can then store in a server.crt file. For more information about commercial CAs have a look at the following sites:
- Be your own CA: you can also sign the CSR yourself with your own CA. You can create your own Certificate Authority for signing certificates. The short answer is to use the CA.sh or CA.pl script provided by OpenSSL. The long and manual answer is this: create an RSA private key for your CA (it will be Triple-DES encrypted and PEM formatted):
# openssl genrsa -des3 -out ca.key 1024
Please back up this ca.key file in a secure location, and remember the pass-phrase you entered. You can see the details of this RSA private key via the command:
# openssl rsa -noout -text -in ca.key
You can also create a decrypted PEM version (not recommended) of this private key via:
# openssl rsa -in ca.key -out ca.key.unsecure
Create a self-signed CA certificate (X509 structure) with the RSA key of the CA (the output will be PEM formatted):
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
You can see the details of this certificate via the command:
# openssl x509 -noout -text -in ca.crt
Prepare a script for signing. This is needed because the "openssl ca" command has some strange requirements and the default OpenSSL config doesn't easily allow one to use "openssl ca" directly. So a script named sign.sh is distributed with the mod_ssl distribution (subdir pkg.contrib/). Use this script for signing.
Now you can use this CA to sign server CSRs in order to create real SSL certificates for use inside an Apache web server (assuming you already have a server.csr at hand):
# ./sign.sh server.csr
This signs the server CSR and results in a server.crt file.
Now you have two files: server.key and server.crt. Use them as follows inside your Apache httpd.conf file:
- SSLCertificateFile /path/to/this/server.crt
- SSLCertificateKeyFile /path/to/this/server.key
The server.csr file is no longer needed. See the instructions above for a better example.
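The whole "be your own CA" procedure above, run end to end without interactive prompts and followed by the checks a practitioner should make before installing the files (does server.crt chain to ca.crt, and is its CommonName really the FQDN?). This is an added example, not code from the page or from mod_ssl: it assumes openssl is on PATH, stands in for mod_ssl's sign.sh with "openssl x509 -req" using the CA key, and uses 2048-bit keys instead of the 1024 bits shown above.

```shell
#!/bin/sh
# Added example (not from the original page): CA + server certificate workflow.
# Assumes the openssl binary is on PATH. sign.sh is replaced by "openssl x509 -req".
set -e

# make_certs DIR FQDN PASSPHRASE
# Creates ca.key/ca.crt and server.key/server.csr/server.crt under DIR.
make_certs() {
    dir=$1; fqdn=$2; pass=$3
    mkdir -p "$dir"
    # CA private key (Triple-DES encrypted, PEM) and self-signed CA certificate
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -passin "pass:$pass" \
        -subj "/CN=Example Test CA" -out "$dir/ca.crt"
    # Server private key and CSR; the CommonName must be the server's FQDN
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -passin "pass:$pass" \
        -subj "/CN=$fqdn" -out "$dir/server.csr"
    # Sign the CSR with the CA key (stand-in for mod_ssl's sign.sh)
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -passin "pass:$pass" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null
}

# cert_cn FILE -> prints the CommonName from the certificate's subject
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed 's/^subject=//; s/.*CN=\([^,]*\).*/\1/'
}

# verify_chain DIR FQDN -> exit 0 only if server.crt verifies against ca.crt
# and its CommonName equals FQDN (a mismatched name fails the check)
verify_chain() {
    dir=$1; fqdn=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null || return 1
    [ "$(cert_cn "$dir/server.crt")" = "$fqdn" ]
}
```

Run make_certs against a scratch directory with the server's FQDN, then verify_chain before copying server.key and server.crt into httpd.conf.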