Apache: Secure Installation and Configuration (Page 10)
Generate Certificates - Apache
This chapter provides Apache downloading steps and cautionary tips. Mobily recommends compiling most of the modules dynamically, and leaving the main server stripped to the bones. He covers the free tool Nikto and how to use it. Also see why he says to disable the TRACE method. (From the book Hardening Apache by Tony Mobily, Apress, 2004, ISBN: 1590593782.)
Before you start Apache, you need to generate the server’s private key. You can use the following command:
[root@merc root]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
...++++++
.++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: ******
Verifying - Enter pass phrase for server.key: ******
[root@merc root]#
You then need to create a Certificate Signing Request (CSR), using your server’s private key:
[root@merc root]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
[...]
-------
Country Name (2 letter code) [GB]: AU
State or Province Name (full name) [Berkshire]: WA
Locality Name (eg, city) [Newbury]: Fremantle
Organization Name (eg, company) [My Company Ltd]: Mobily.com
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: www.mobily.com
Email Address []: my_address@mobily.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@merc root]#
You should send the generated file, server.csr, to a Certificate Authority (CA). After verifying your details, the CA will reply with a proper certificate (the file will probably be called server.crt).
If you want to test your server, you will need to create your own CA first:
[root@merc root]# openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
.........++++++
........++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key: ******
Verifying - Enter pass phrase for ca.key: ******
You now need to create a self-signed CA certificate:
[root@merc root]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key: ******
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
------
Country Name (2 letter code) [GB]: AU
State or Province Name (full name) [Berkshire]: Test
Locality Name (eg, city) [Newbury]: Test
Organization Name (eg, company) [My Company Ltd]: Test
Organizational Unit Name (eg, section) []: Test
Common Name (eg, your name or your server's hostname) []:
Email Address []:
[root@merc root]#
You should now use the script sign.sh to sign your server.csr file with your newly created certifying authority:
[root@merc root]# apache_source/mod_ssl-2.8.14-1.3.29/pkg.contrib/sign.sh server.csr
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'AU'
stateOrProvinceName :PRINTABLE:'WA'
localityName :PRINTABLE:'Fremantle'
organizationName :PRINTABLE:'Mobily.com'
commonName :PRINTABLE:'www.mobily.com'
emailAddress :IA5STRING:'merc@mobily.com'
Certificate is to be certified until Aug 17 04:42:23 2004 GMT (365 days)
Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
You now have the files server.crt (your certificate) and server.key (your server’s private key).
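The whole test-CA procedure above, as an added non-interactive example that is not from the book or from mod_ssl: it stands in for sign.sh with plain openssl commands, uses 2048-bit keys (the book's 1024-bit keys are below current minimums), adds a subjectAltName (modern clients reject certificates identified only by their Common Name), and finishes with the verification step that sign.sh prints as "server.crt: OK". The hostname www.example.test, the output directory argument and the unencrypted keys are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the book's code): build a private test CA and a server
# certificate signed by it, then verify the result. Keys are written without a
# passphrase so the script runs unattended; the book's -des3 variant is the
# better choice for a long-lived CA key. All file names and the hostname
# www.example.test are constructed for this example.
set -e

# Create ca.key/ca.crt and server.key/server.csr/server.crt in directory $1.
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    # 1. CA private key and self-signed CA certificate.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=AU/ST=Test/L=Test/O=Test CA/CN=Test CA" 2>/dev/null
    # 2. Server private key and Certificate Signing Request.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=AU/ST=WA/L=Fremantle/O=Example/CN=www.example.test" 2>/dev/null
    # 3. Sign the CSR with the CA (what sign.sh does, minus its ca.config
    #    database) and add the SAN and an explicit "not a CA" constraint.
    printf 'subjectAltName=DNS:www.example.test\nbasicConstraints=CA:FALSE\n' \
        > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# Return 0 only if server.crt chains to ca.crt, names the expected host in its
# SAN, and matches server.key (the check Apache would otherwise fail at startup).
verify_server_cert() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -text 2>/dev/null \
        | grep -q 'DNS:www.example.test' || return 1
    [ "$(openssl x509 -in "$dir/server.crt" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)" ]
}

# Usage: sh make_test_pki.sh ./pki
if [ -n "$1" ]; then
    make_test_pki "$1" && verify_server_cert "$1" && echo "server.crt: OK"
fi
```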