
Creating SSL certificates in Apache using OpenSSL


2016-03-22: This site is being moved to my main site at https://kevininscoe.com/wiki as part of a consolidation to one domain.


See also SSL

Notes:

http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/

http://www.onlamp.com/pub/a/onlamp/2008/03/04/step-by-step-configuring-ssl-under-apache.html

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html

This example assumes you are using Apache 2.x or higher and Apache module mod_ssl and NOT Apache-SSL.

First determine your Apache root directory. /etc/httpd is assumed in this example.

This example creates both a self-signed SSL certificate and a CSR (certificate signing request) to submit to a Certificate Authority for a signed certificate.

If you want to be your own CA, that is beyond the scope of this article, but have a look here.

This example assumes a certificate for a server called foo.bar.com.

Steps:

First create the server key:

 # cd /etc/httpd/conf
 # openssl genrsa -out foo.bar.com.key 1024
 Generating RSA private key, 1024 bit long modulus
 .....++++++
 ..........++++++
 e is 65537 (0x10001)

Now create the CSR (certificate request):

 # openssl req -new -key foo.bar.com.key -out foo.bar.com.csr
 Using configuration from /usr/share/ssl/openssl.cnf
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [GB]:US
 State or Province Name (full name) [Berkshire]:Florida 
 Locality Name (eg, city) [Newbury]:Deltona
 Organization Name (eg, company) [My Company Ltd]:Widgets Inc,.
 Organizational Unit Name (eg, section) []:Foo Division
 Common Name (eg, your name or your server's hostname) []:foo.bar.com

IMPORTANT: The CN (Common Name) MUST match your actual published server name, or clients will get security errors, particularly in Firefox.

 Email Address []:admin@bar.com

 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:

I generally leave this blank, but if you want to create a challenge password for security, have a look at http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslpassphrasedialog.

Display the CSR:

 # cat /etc/httpd/conf/foo.bar.com.csr

 

Submit the CSR to Entrust, Verisign, GoDaddy or another well-known CA.

Later, when the signed certificate is supplied by the CA:

Open a web browser and go to the URL that appears in the confirmation email you received from Entrust. Your certificates are displayed. The Entrust Certificate Services web server certificate is in the section named "Entrust Certificate Services web server certificate".

Your certificate will look something like this:

 

Copy the Server Certificate to your clipboard. You must include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.

Paste the certificate into a text editor, and ensure that the entire text is flushed to the left with no leading or trailing white space.

If there are any extra spaces the server will not recognize the format of the file and you will not be able to install the certificate.

Apache:

Now make sure your vhost or httpd.conf configuration uses the files we have created above:

Typical statements look like this:

 <VirtualHost 192.168.1.1:443>
        SSLEngine on
        ServerAdmin admin@bar.com
        DocumentRoot /var/www/foobar.com/htdocs
        ServerName foo.bar.com
        ErrorLog /var/log/apache2/foo.bar.com-error_log
        CustomLog /var/log/apache2/foo.bar.com-access_log combined
        ErrorDocument 404 /
        SSLCertificateFile /etc/httpd/conf/foo.bar.com.crt
        SSLCertificateKeyFile /etc/httpd/conf/foo.bar.com.key
        SSLCertificateChainFile /etc/httpd/conf/bundle.crt
 </VirtualHost>

Now run your Apache check and restart:

 # apachectl configtest

 # apachectl restart

Self-signed:

While you are waiting for the certificate to be signed by the Certificate Authority (CA), you can create a self-signed certificate like so (assuming 1462 days for expiration):

 # openssl x509 -req -days 1461 -in foo.bar.com.csr -signkey foo.bar.com.key -out foo.bar.com.crt

 Signature ok
 subject=/C=US/ST=Florida/L=Deltona/O=Widgets Inc./OU=Foo Division/CN=foo.bar.com/emailAddress=admin@bar.com
 Getting Private key

Now after you have received your signed certificate:

Copy the self-signed cert first in case there is a problem.

 # cp /etc/httpd/conf/foo.bar.com.crt /etc/httpd/conf/foo.bar.com.crt.orig

Save the certificate as file /etc/httpd/conf/foo.bar.com.crt.new

When you are ready to restart the Apache (downtime has been arranged):

 # mv /etc/httpd/conf/foo.bar.com.crt.new /etc/httpd/conf/foo.bar.com.crt

You will now have to restart Apache (this affects all web servers on this machine!).

 # apachectl restart

Check the certificate by opening https://foo.bar.com in a browser and verifying that it is valid, signed by the CA and has the expiration date you expected.
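As an added example (not from the original page), the same key and CSR steps done non-interactively, plus the checks worth running before moving the CA-signed .crt into place and restarting Apache: the certificate belongs to the key, the CN is the published server name, and the PEM file has no stray whitespace. It assumes the openssl CLI is on PATH; the directory and host name are parameters.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the openssl CLI is on PATH;
# the directory and host name are parameters (the page uses /etc/httpd/conf
# and foo.bar.com).
set -eu

# Key and CSR without the interactive prompts. 2048 bits instead of the page's
# 1024: public CAs stopped accepting 1024-bit RSA keys in 2014.
make_key_and_csr() {
    dir="$1"; host="$2"
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/C=US/ST=Florida/L=Deltona/O=Widgets Inc./OU=Foo Division/CN=$host"
}

# The page's stop-gap self-signed certificate (same command as in the text).
self_sign() {
    dir="$1"; host="$2"
    openssl x509 -req -days 1461 -in "$dir/$host.csr" -signkey "$dir/$host.key" \
        -out "$dir/$host.crt" 2>/dev/null
}

# Checks to run before mv'ing the CA-signed .crt into place and restarting.

# 1. The certificate must have been issued for this key: compare RSA moduli.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1")
    k=$(openssl rsa -noout -modulus -in "$2")
    [ "$c" = "$k" ]
}

# 2. The CN must be the name clients connect to (the page's IMPORTANT note).
cert_cn_is() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | grep -qE "CN=$2"'(,|$)'
}

# 3. Leading/trailing whitespace (including a CR left by a Windows editor)
#    makes Apache reject the file, as the page warns.
pem_is_clean() {
    ! grep -q '^[[:space:]]' "$1" && ! grep -q '[[:space:]]$' "$1" &&
    head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----$'
}
```

Each check returns a non-zero exit status on failure, so they can be chained with && in a deployment script before `apachectl restart`.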


Kevin's Public Wiki maintained and created by Kevin P. Inscoe is licensed under a
Creative Commons Attribution 3.0 United States License.

Page last modified on February 24, 2014, at 03:27 PM EST