Generating private key & CSR for Apache mod_ssl

Select five large, relatively random files to use as random seed enhancers... compressed log files might be a reasonable choice, or some data from /dev/random. You don't need to do this, but it may help with security by giving better entropy. If you don't want to do this, just leave out the -rand file1:..:file5 from the command below.

Generate private key for server

Generate the private key to be used for the server with the following command:

openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out www.example.com.key 1024

That will generate a 1024 bit RSA private key. It will ask for a passphrase; choose something secure to protect the key in case it gets stolen. The passphrase will have to be entered to start Apache each time. If you want to leave out the passphrase (a bad idea: if someone steals the key they can impersonate your server), then leave out the -des3 option.

Generate CSR (certificate signing request)

Generate the CSR (certificate signing request) with:

openssl req -new -key www.example.com.key -out www.example.com.csr

You will be asked for the X.509 attributes of the certificate. Remember that 'common name' MUST be the FQDN of the server you intend to use the certificate for (e.g. secure.example.com).

The CSR (certificate signing request) now needs to be sent to Thawte or whoever you are applying for the SSL certificate from.

Generate self-signed certificate

If you wish to generate a self-signed certificate (e.g. for an internal machine, or to test the server setup before receiving your certificate from the CA you applied to), use:

openssl x509 -req -days 30 -in www.example.com.csr -signkey www.example.com.key -out www.example.com.cert

This will leave you with a self-signed certificate in www.example.com.cert which can be installed on the web server.

Tell Apache to use the certificate with lines like these in your secure VirtualHost:

SSLCertificateFile /path/to/your/www.example.com.cert
SSLCertificateKeyFile /path/to/your/www.example.com.key

Verifying private key

You can get information about the server's private key with:

openssl rsa -noout -text -in www.example.com.key
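The whole procedure above (key, CSR, self-signed certificate, verification) as one non-interactive script, added here as an example; it is not from the original wiki page. It assumes the passphrase is passed with -passout/-passin and the X.509 subject with -subj so nothing prompts, that the files go into a directory you name, and it uses 2048-bit RSA and SHA-256 instead of the page's 1024 bits, since 1024-bit keys are no longer accepted by browsers or CAs. The -rand option is left out; current OpenSSL seeds itself from the OS. The key_matches_cert check is the one worth running before pointing Apache at the files: a certificate whose public key does not match the private key makes Apache refuse to start, or worse, serve the wrong identity.

```shell
#!/bin/sh
# Added example, not the wiki page's own commands. Assumes -passout/-passin and
# -subj (to avoid prompts) and a caller-chosen output directory.
set -eu

# Generate a passphrase-protected private key, a CSR, and a 30-day self-signed
# certificate for FQDN $1 in directory $2 using passphrase $3. Returns 0 on success.
make_server_cert() {
    fqdn="$1"; dir="$2"; pass="$3"
    mkdir -p "$dir"
    # Private key, DES3-encrypted as on the page (aes256 would be the better choice today).
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/$fqdn.key" 2048 2>/dev/null
    # CSR: the common name must be the FQDN the certificate will be served from.
    openssl req -new -key "$dir/$fqdn.key" -passin "pass:$pass" \
        -subj "/C=XX/ST=Example/L=Example/O=Example Org/CN=$fqdn" \
        -out "$dir/$fqdn.csr"
    # Self-signed certificate from the CSR, valid 30 days as on the page.
    openssl x509 -req -days 30 -sha256 -in "$dir/$fqdn.csr" \
        -signkey "$dir/$fqdn.key" -passin "pass:$pass" \
        -out "$dir/$fqdn.cert" 2>/dev/null
}

# Return 0 if the RSA modulus in the private key ($1, passphrase $3) equals the
# modulus in the certificate ($2), i.e. the two files belong together.
key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1" -passin "pass:$3")
    cmod=$(openssl x509 -noout -modulus -in "$2")
    [ "$kmod" = "$cmod" ]
}

# Print the subject common name of certificate $1 (RFC 2253 order puts CN first).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Return 0 if private key $1 decrypts with passphrase $2 (used to confirm the
# key really is protected and that a wrong passphrase is rejected).
key_readable() {
    openssl rsa -noout -in "$1" -passin "pass:$2" >/dev/null 2>&1
}

# Stand-alone run: ./certs.sh demo
demo() {
    dir=$(mktemp -d)
    make_server_cert www.example.com "$dir" "choose-a-real-passphrase"
    key_matches_cert "$dir/www.example.com.key" "$dir/www.example.com.cert" \
        "choose-a-real-passphrase" && echo "key and certificate match"
    echo "CN: $(cert_cn "$dir/www.example.com.cert")"
    echo "SSLCertificateFile $dir/www.example.com.cert"
    echo "SSLCertificateKeyFile $dir/www.example.com.key"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with `sh certs.sh demo`; the two SSL* lines it prints are the ones to drop into the VirtualHost. Because the key is encrypted, Apache will still prompt for the passphrase at startup exactly as the page describes.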

apache/certs.txt · Last modified: 2010/02/26 10:45 (external edit)