Self signed SSL Certificate with OpenSSL + Apache


Postby kalinga » Fri Oct 28, 2005 10:28 am

The following instructions are from http://www.apache-ssl.org/#FAQ.

openssl req -new -out my-server.csr

This creates a certificate signing request and a private key. When asked for "Common Name (eg, your websites domain name)", give the exact domain name of your web server (e.g. www.my-server.dom). The certificate belongs to this server name and browsers complain if the name doesn't match.

openssl rsa -in privkey.pem -out my-server.key

This removes the passphrase from the private key. You MUST understand what this means; my-server.key should be only readable by the apache server and the administrator.
You should delete the .rnd file because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key.

openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365

This creates a self-signed certificate that you can use until you get a "real" one from a certificate authority. (Which is optional; if you know your users, you can tell them to install the certificate into their browsers.) Note that this certificate expires after one year; you can increase -days 365 if you don't want this.

If you have users with MS Internet Explorer 4.x and want them to be able to install the certificate into their certificate storage (by downloading and opening it), you need to create a DER-encoded version of the certificate:

openssl x509 -in my-server.cert -out my-server.der.crt -outform DER

Create an Apache/conf/ssl directory and move my-server.key and my-server.cert into it.


Add the following to the end of httpd.conf:

# see http://www.modssl.org/docs/2.8/ssl_reference.html for more info
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none

SSLLog logs/SSL.log
SSLLogLevel info
# You can later change "info" to "warn" if everything is OK

<VirtualHost www.my-server.dom:443>
SSLEngine On
SSLCertificateFile conf/ssl/my-server.cert
SSLCertificateKeyFile conf/ssl/my-server.key
</VirtualHost>
kalinga
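The three openssl steps above run non-interactively, followed by the checks an administrator should make before copying the files into conf/ssl, as an added shell example (not part of kalinga's post or the Apache-SSL FAQ). It assumes OpenSSL 1.0 or newer is on PATH; www.my-server.dom and the output directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL 1.0+ on PATH.
set -eu

# make_selfsigned_cert DIR HOST DAYS
# Writes DIR/my-server.key, my-server.csr, my-server.cert and my-server.der.crt.
make_selfsigned_cert() {
    dir=$1; host=$2; days=$3
    # Steps 1 and 2 of the post in one go: -nodes writes the key without a
    # passphrase, -subj answers the prompt (CN must be the exact server name).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/my-server.key" -out "$dir/my-server.csr" 2>/dev/null
    # An unencrypted key must not be readable by anyone but the admin/Apache.
    chmod 600 "$dir/my-server.key"
    # Step 3: self-sign the CSR. Current browsers match the hostname against
    # subjectAltName rather than CN, so add it as an X.509v3 extension.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/my-server.csr" -signkey "$dir/my-server.key" \
        -days "$days" -extfile "$dir/san.ext" -out "$dir/my-server.cert" 2>/dev/null
    # DER copy for clients that only import binary certificates.
    openssl x509 -in "$dir/my-server.cert" -outform DER -out "$dir/my-server.der.crt"
}

# check_cert DIR HOST: returns 0 only if the cert names HOST, matches the key
# and validates as a self-signed certificate.
check_cert() {
    dir=$1; host=$2
    # The name is present both as CN and as a SAN entry.
    openssl x509 -in "$dir/my-server.cert" -noout -subject \
        | grep -q "CN *= *$host" || return 1
    openssl x509 -in "$dir/my-server.cert" -noout -text \
        | grep -q "DNS:$host" || return 1
    # Private key and certificate belong together (same RSA modulus).
    certmod=$(openssl x509 -in "$dir/my-server.cert" -noout -modulus)
    keymod=$(openssl rsa -in "$dir/my-server.key" -noout -modulus)
    [ "$certmod" = "$keymod" ] || return 1
    # A self-signed cert must verify against itself as the trust anchor.
    openssl verify -CAfile "$dir/my-server.cert" "$dir/my-server.cert" >/dev/null 2>&1
}
```

Run it as `make_selfsigned_cert /tmp/ssl www.my-server.dom 365 && check_cert /tmp/ssl www.my-server.dom` and copy the .key and .cert into conf/ssl only if the check succeeds.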
