Archive for October, 2010

Creating SSL Certificates

Create a Self Signed Certificate :

1. Generate a server key:

openssl genrsa -des3 -out server.key 4096

2. Generate the signing request using the key above:

openssl req -new -key server.key -out server.csr

3. Sign the certificate signing request:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

4. Now create a version of the key that doesn't need a password:

openssl rsa -in server.key -out server.key.insecure

mv server.key server.key.secure

mv server.key.insecure server.key

Generating Your Own Certificate Authority :

Follow these steps to create your own CA and sign a server certificate with it. Note: the Common Name of the CA certificate and the Common Name of the server certificate must not match.

Steps :

1. Create the CA key and the CA certificate. Use the IP address if you don't have the FQDN.

openssl genrsa -des3 -out ca.key 4096

openssl req -new -x509 -days 365 -key ca.key -out ca.crt

2. Generate a server key and a request for signing:

openssl genrsa -des3 -out server.key 4096

openssl req -new -key server.key -out server.csr

3. Sign the certificate signing request with the self-created authority:

openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

Optional: you can check the keys and certificates:

openssl rsa -noout -text -in server.key

openssl req -noout -text -in server.csr

openssl rsa -noout -text -in ca.key

openssl x509 -noout -text -in ca.crt

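4. Remove the password from server.key so that Apache does not need a password at startup. The resulting server.key is unencrypted on disk, so keep it readable only by root: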

openssl rsa -in server.key -out server.key.insecure

mv server.key server.key.secure

mv server.key.insecure server.key
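
Before copying the files to Apache, it is worth confirming that server.crt verifies against ca.crt, that server.key belongs to server.crt, and that the passphrase-free key is not readable by other users. The script below is an added example, not part of the original post; the function names check_cert_set and make_sample_set, the subject names and the 2048-bit throwaway keys are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). File names ca.crt, server.crt
# and server.key follow the post; the function names are made up here.

# check_cert_set DIR: return 0 only if the set in DIR is fit to hand to Apache.
check_cert_set() {
    dir=$1
    # 1. server.crt must verify against ca.crt (it was signed by our CA).
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || {
        echo "FAIL: server.crt does not verify against ca.crt" >&2; return 1; }
    # 2. server.key must be the key inside server.crt: compare RSA moduli.
    #    "-passin pass:" makes a still-encrypted key fail instead of prompting.
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/server.crt") || return 1
    key_mod=$(openssl rsa -noout -modulus -passin pass: \
              -in "$dir/server.key" 2>/dev/null) || {
        echo "FAIL: server.key is unreadable or still encrypted" >&2; return 1; }
    [ "$cert_mod" = "$key_mod" ] || {
        echo "FAIL: server.key does not match server.crt" >&2; return 1; }
    # 3. The passphrase-free key must not be readable by group or others.
    [ -z "$(find "$dir/server.key" \( -perm -040 -o -perm -004 \))" ] || {
        echo "FAIL: server.key is group/world readable" >&2; return 1; }
    echo "OK: $dir"
}

# make_sample_set DIR: constructed throwaway CA + server certificate, built
# with the post's commands made non-interactive (-subj, no -des3, 2048 bits
# to keep the demo fast). Subject names are invented test values.
make_sample_set() {
    d=$1
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 365 -key "$d/ca.key" \
        -subj "/CN=Example Test CA" -out "$d/ca.crt" &&
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$d/server.key" \
        -subj "/CN=server.example.test" -out "$d/server.csr" &&
    openssl x509 -req -days 365 -in "$d/server.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -set_serial 01 -out "$d/server.crt" 2>/dev/null &&
    chmod 600 "$d/server.key"
}

# Demo: build the throwaway set in a temp directory, check it, clean up.
demo=$(mktemp -d) && make_sample_set "$demo" && check_cert_set "$demo"
rm -rf "$demo"
```

To check real files, call check_cert_set with the directory that holds your ca.crt, server.crt and server.key.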

Finally: copy the files and adjust Apache.

  • Copy the .crt and .key files to /etc/httpd/conf/
  • Turn on the SSL engine and reference server.crt and server.key; the paths in the directives must point to where the files actually are
  • Edit ssl.conf:

        SSLEngine on

        SSLCertificateFile /etc/httpd/ssl.crt/server.crt

        SSLCertificateKeyFile /etc/httpd/ssl.key/server.key

Configure Apache to listen for HTTPS:

        Listen x.x.x.x:443

        LoadModule ssl_module modules/mod_ssl.so

Configure SSL in the virtual host:

        DocumentRoot "/var/www-ssl/html"

        ServerName xxx.xxx.xxx.xxx:443

Now restart Apache and you have SSL working on your site.