SSL Key Creation in Apache
Create a Private Key (the server's key)
Encrypted Private Key
You can generate an encrypted key (one that needs a passphrase before it can be used) with either of the following:
openssl genrsa -aes256 2048 > jamesmcd.dns2go.com.key
or
openssl genrsa -aes256 -out jamesmcd.dns2go.com.key 2048
1024-bit RSA and 3DES (-des3), the usual choices when this page was first written, are no longer considered strong enough, so the commands here use 2048-bit RSA and AES-256.
Caution: an encrypted key makes mod_ssl stop and ask for the passphrase every time Apache starts, and again after a kill -HUP, so an unattended reboot leaves the SSL site down until someone types it in. In practice most servers run with an unencrypted private key instead. The trade-off is that the file permissions are then the only thing protecting the key, so it must be owned by root, readable by nobody else, and kept out of backups and repositories that other people can read.
Un-encrypted Private Key
openssl genrsa -out jamesmcd.dns2go.com.key 2048
Prefer -out over shell redirection (openssl genrsa 2048 > file): recent OpenSSL versions create a private key written with -out as mode 0600, whereas a redirected file gets whatever your umask allows, which is usually world-readable until you chmod it.
Create a certificate signing request
That takes care of the server's private key. Next we make a certificate signing request (CSR) from it and then sign the request ourselves, since no CA is involved:
openssl req -new -key jamesmcd.dns2go.com.key -out jamesmcd.dns2go.com.csr
Note: the wizard that runs when you do the above command asks a series of questions. When it asks for "Common Name (eg, YOUR name)", enter the hostname clients will type, e.g. www.mysite.com, and NOT your own name; a certificate whose name does not match the URL is rejected by every browser. Modern browsers also ignore the Common Name and require the hostname in a subjectAltName extension, which this wizard does not add; with OpenSSL 1.1.1 or later you can add it to the same command with -addext "subjectAltName=DNS:www.mysite.com", or supply it from an extension file when signing.
Generate the Server Certificate
Now that you have a certificate signing request it is time to generate the certificate file by signing the request with your own key, which gives you a self-signed certificate:
openssl req -x509 -days 365 -key jamesmcd.dns2go.com.key -in jamesmcd.dns2go.com.csr -out \
jamesmcd.dns2go.com.crt
Without -days the certificate is only valid for 30 days, the openssl req -x509 default. Because nobody but you vouches for this certificate, browsers will warn about it unless your users import it as trusted; for a public site, send the CSR to a CA instead and install the certificate they return.
Install the Keys
To install the key and certificate, copy them to the Apache conf/ssl directory and set the permissions so that only root can read them. Apache reads the key while it is still running as root, before it drops to the User and Group in its config, so nothing else needs access. You may have to create the ssl directory first.
cp jamesmcd.dns2go.com.key jamesmcd.dns2go.com.crt /usr/local/apache/conf/ssl/
chmod 400 /usr/local/apache/conf/ssl/jamesmcd.dns2go.com.*
Check that the files are owned by root as well; chmod 400 protects nothing if the owner is the account you built the key under.
Edit the SSL configuration
Edit your SSL settings to point to the new certificate and key. Here is an extract from my SSL configuration. In Apache 2 it is in a file called ssl.conf (httpd-ssl.conf in later 2.x releases); in Apache 1.3 it is in httpd.conf. The paths must match where you copied the files in the previous step (conf/ssl/).
#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  A test
#   certificate can be generated with `make certificate' under
#   built time. Keep in mind that if you've both a RSA and a DSA
#   certificate you can configure both in parallel (to also allow
#   the use of DSA ciphers, etc.)
SSLCertificateFile /usr/local/apache/conf/ssl/jamesmcd.dns2go.com.crt
#SSLCertificateFile /usr/local/apache/conf/ssl.crt/server-dsa.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /usr/local/apache/conf/ssl/jamesmcd.dns2go.com.key
#SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server-dsa.key
For the impatient - just the facts
- cd ~/
- mkdir certmake
- cd certmake
- export PATH=$PATH:/usr/local/openssl/bin
- openssl genrsa -out jamesmcd.dns2go.com.key 2048
- openssl req -new -key jamesmcd.dns2go.com.key -out jamesmcd.dns2go.com.csr
Output from step six (the openssl req -new command); the text after each colon is what the user typed:
Using configuration from /usr/local/openssl/ssl/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:New South Wales
Locality Name (eg, city) []:Fitzroy Falls
Organization Name (eg, company) [Internet Widgits Pty Ltd]:James A McDonald
Organizational Unit Name (eg, section) []:Scottsdale
Common Name (eg, YOUR name) []:jamesmcd.dns2go.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- openssl req -x509 -days 365 -key jamesmcd.dns2go.com.key -in jamesmcd.dns2go.com.csr -out jamesmcd.dns2go.com.crt
- cp jamesmcd.dns2go.com.key jamesmcd.dns2go.com.crt /usr/local/apache2/conf/ssl/
- chmod 400 /usr/local/apache2/conf/ssl/jamesmcd.dns2go.com.*
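Script that does the above, added here as an example and not the page's original script. It follows the same key, CSR, self-signed certificate, chmod 400 sequence, but uses a 2048-bit key, an explicit validity period (openssl req -x509 would otherwise give you 30 days), signs the request with openssl x509 -req so that the hostname can be added as a subjectAltName from an extension file (browsers no longer accept the Common Name alone), and then checks that the key and certificate really belong together and that the key ended up owner-read-only before you point Apache at it. The hostname, output directory and validity period are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example, not the page's original script: key -> CSR -> self-signed
# certificate -> root-only permissions, with the checks a practitioner wants
# before pointing Apache at the files. Hostname, directory and validity
# period are assumptions supplied on the command line.
set -eu

# key_matches_cert KEY CRT: true only if both contain the same RSA modulus,
# i.e. the certificate really was made from this private key.
key_matches_cert() {
    [ "$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)" = \
      "$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)" ]
}

# owner_read_only FILE: true if the mode is exactly 0400 (-r--------).
owner_read_only() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-r--------" ]
}

# make_selfsigned HOST OUTDIR [DAYS]: writes HOST.key, HOST.csr, HOST.crt into
# OUTDIR and prints "ok" if every check passes; otherwise prints the failing
# check and returns 1.
make_selfsigned() {
    host=$1
    dir=$2
    days=${3:-365}                 # openssl req -x509 would default to 30 days
    key=$dir/$host.key
    csr=$dir/$host.csr
    crt=$dir/$host.crt
    ext=$dir/$host.ext

    mkdir -p "$dir"
    chmod 700 "$dir"

    # umask 077 inside a subshell: every file is born 0600, so the key is
    # never world-readable, not even between creation and the chmod below.
    (
        umask 077
        # Unencrypted 2048-bit RSA key: 1024 bits is too weak today, and an
        # encrypted key would make Apache prompt for a passphrase on start.
        openssl genrsa -out "$key" 2048 2>/dev/null
        # CSR. -subj replaces the interactive wizard; CN is the hostname,
        # never a person's name.
        openssl req -new -key "$key" -out "$csr" -subj "/CN=$host" 2>/dev/null
        # Browsers ignore CN and need the hostname in subjectAltName, which
        # openssl req does not add by itself; supply it via an extension file.
        printf 'subjectAltName=DNS:%s\n' "$host" > "$ext"
        # Sign the request with its own key: a self-signed server certificate.
        openssl x509 -req -in "$csr" -signkey "$key" -days "$days" \
            -extfile "$ext" -out "$crt" 2>/dev/null
    )
    chmod 400 "$key" "$crt"

    # Checks: key and cert belong together, the cert validates against itself,
    # the SAN is present, and the key is owner-read-only.
    key_matches_cert "$key" "$crt" || { echo "key/cert mismatch"; return 1; }
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 \
        || { echo "self-verify failed"; return 1; }
    openssl x509 -noout -text -in "$crt" | grep -q "DNS:$host" \
        || { echo "subjectAltName missing"; return 1; }
    owner_read_only "$key" || { echo "key not mode 0400"; return 1; }
    echo ok
}

# Stand-alone use: sh make-cert.sh HOST /usr/local/apache/conf/ssl [DAYS]
if [ "$#" -ge 2 ]; then
    make_selfsigned "$@"
    echo "SSLCertificateFile    $2/$1.crt"
    echo "SSLCertificateKeyFile $2/$1.key"
fi
```

Run it as root, e.g. sh make-cert.sh jamesmcd.dns2go.com /usr/local/apache/conf/ssl, and paste the two directive lines it prints into ssl.conf. The modulus comparison is the quick way to confirm a certificate was issued for the key you are about to configure; mixing up files from two key generations is a common cause of Apache refusing to start with a key/certificate mismatch.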
James McDonald