Building a Secure RedHat Apache Server HOWTO

3. Working with Certificates

The following section covers the steps involved in creating the private key file, certificate signing request, and a self-signed certificate. If you plan to obtain a certificate signed by a certificate authority, you will need to create a certificate signing request (CSR). Otherwise, you can create a self-signed certificate.

3.1 Create a Private Key

To create a private key, you must have the OpenSSL toolkit installed and configured with Apache. The following examples use the OpenSSL command line tool which is located in the /usr/local/ssl/bin directory by default. The examples assume that the directory containing the OpenSSL command line tool has been added to the $PATH.

To create a private key encrypted with Triple DES (recommended), use the following command:

openssl genrsa -des3 -out filename.key 1024

You will be prompted to enter and re-enter a passphrase. If you choose to use Triple DES encryption, you will be prompted for the passphrase each time you start the SSL server from a cold start (when using the restart command, you will not be prompted). Some of you may find this prompt a nuisance, especially if you need to reboot the system during off-hours, or you may believe that your system is already sufficiently secure. If you choose not to have a passphrase prompt (and hence no Triple DES encryption), use the command below. If you would rather create just a 512-bit key, omit the 1024 at the end of the command and OpenSSL will default to 512 bits. Using the smaller key is slightly faster, but it is also less secure.

To create a private key without Triple DES encryption, use the following command:

openssl genrsa -out filename.key 1024

To add a passphrase to an existing private key (the rsa subcommand reads the key and writes it back out encrypted), use the following command:

openssl rsa -in filename.key -des3 -out newfilename.key

To remove the passphrase from an existing private key, use the following command:

openssl rsa -in filename.key -out newfilename.key

Note: Your private key will be created in the current directory unless otherwise specified. There are three easy ways to deal with this. If OpenSSL is in your path, you can run it from the directory that you have designated to store your key files in (the default is /etc/httpd/conf/ssl.key if you installed Apache using the RPM, or /usr/local/apache/conf/ssl.key if you installed Apache from source). Another solution is to copy the files from the directory where they were created to the correct directory. And, last but not least, you can specify the path when running the command (e.g. openssl genrsa -out /etc/httpd/conf/ssl.key/filename.key 1024). It doesn't matter how you do it, as long as it gets done before you proceed.

For more information on the OpenSSL toolkit, see the OpenSSL website (https://www.openssl.org/).

3.2 Create a Certificate Signing Request

To obtain a certificate signed by a certificate authority, you will need to create a Certificate Signing Request (CSR). The purpose is to send the certificate authority enough information to create the certificate without sending the private key or any other sensitive information. The CSR also contains the information that will be included in the certificate, such as the domain name, locality information, etc.

  • Locate the private key that you would like to create a CSR from. Enter the following command:
    openssl req -new -key filename.key -out filename.csr
    
  • You will be prompted for Locality information, common name (domain name), organizational information, etc. Check with the CA that you are applying to for information on required fields and invalid entries.
  • Send the CSR to the CA per their instructions.
  • Wait for your new certificate and/or create a self-signed certificate. A self-signed certificate can be used until you receive your certificate from the certificate authority.

Note: Use the following command to create a private key and a request at the same time (you will be prompted for a passphrase for the new key, as with the -des3 option above):

openssl req -new -newkey rsa:1024 -keyout filename.key -out filename.csr

3.3 Creating a Self-Signed Certificate

It is not necessary to create a self-signed certificate if you are obtaining a CA-signed certificate. However, creating a self-signed certificate is very simple. All you need is a private key and the name of the server (fully qualified domain name) that you want to secure. You will be prompted for information such as locality information, common name (domain name), organizational information, etc. OpenSSL gives you a great deal of freedom here. The only required field for the certificate to function correctly is the common name (domain name) field. If this is not present or incorrect, you will receive a Certificate Name Check warning from your browser.

To create a self-signed certificate:

openssl req -new -key filename.key -x509 -out filename.crt

3.4 Installing your Web Server Certificate

If you followed these instructions so far you shouldn't have any problems at this point. If you sent your CSR to a certificate authority and you have not gotten your certificate back yet, you can take a break now! If you are using a self-signed certificate, or you have received your certificate, you may continue.

  • Ensure that the private key file is in the directory that you have chosen to use. The following examples will be based on the RedHat RPM installation default of /etc/httpd/conf/ssl.key.
  • Ensure that the CA-signed or self-signed certificate is in its designated location. Again, I will be using the RPM default of /etc/httpd/conf/ssl.crt. If it is not there already, put it there.
  • If there is an intermediate (root) certificate to be installed, copy it to the /etc/httpd/conf/ssl.crt directory, also.
  • Now, you will be required to edit the httpd.conf file. Make a back-up of this file before you proceed to the next step, Configuring your Apache Server.

