How to create a self-signed SSL certificate for use with Apache

The following is a quick listing of the commands needed to set up an SSL key for Apache that doesn't require a passphrase to be entered during normal operations, together with a self-signed certificate so you needn't bother with certificate requests and CAs. The sequence of events is to create an RSA key encrypted with 3DES, remove the passphrase, and then generate a self-signed certificate.

The following commands are to be entered on the command line, and each openssl statement requires interactive input, so do not run them via the web control panel command line!
Execute them in a temporary work directory.

openssl genrsa -des3 -out pass.key 1024
openssl rsa -in pass.key -out server.key
openssl req -new -key server.key -x509 -out server.crt -days 999
cp server.key /usr/local/apache/conf/ssl.key/
cp server.crt /usr/local/apache/conf/ssl.crt/
rc_httpd restart

Sample run

Here's a sample run on my FREESCO:

[root@Freesco] openssl genrsa -des3 -out pass.key 1024
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
..++++++
..........++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

The pass phrase doesn't really matter, because it's removed later, but make sure to remember that pass phrase for the next step! (people with short term memory problems should probably write it down ;-))

This step removes the pass phrase:

[root@Freesco] openssl rsa -in pass.key -out server.key
read RSA key
Enter PEM pass phrase:
writing RSA key

Next create the certificate and sign it with your newly created key:

[root@Freesco] openssl req -new -key server.key -x509 -out server.crt -days 999
Using configuration from /pkg/ssl/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Overijsel
Locality Name (eg, city) []:Zwolle
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dingetje's FREESCO Portal
Organizational Unit Name (eg, section) []:Admin
Common Name (eg, YOUR name) []:http://dingetje.homeip.net/
Email Address []:webmaster@dingetje.homeip.net

Now place the newly created certificate and server key in the correct directory for Apache to find:

[root@Freesco] cp server.key /usr/local/apache/conf/ssl.key/
[root@Freesco] cp server.crt /usr/local/apache/conf/ssl.crt/

Finally restart Apache:

[root@Freesco] rc_httpd restart
Stopping http servers...                Done
Starting control http server...         Done  Port 82
Starting Apache HTTP(S) server...       Done

Test

You can test your new certificate with a browser by connecting to https://your.freesco.ip/. Alternatively, you can use the following command from the console:

[root@Freesco] openssl s_client -connect localhost:443
HEAD / HTTP/1.0

You need to enter HEAD / HTTP/1.0 (exactly like that!) and then hit ENTER twice. Your new certificate is printed to the console as well as the HEAD information of your Apache server.
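An offline check for the files produced above, added here as an example and not part of the original howto: it confirms that server.key really has no passphrase, that server.crt was made from it, that the certificate has not expired, and that the key is not readable by group or others. The function names check_cert_pair and key_bits are made up for this example; only standard openssl subcommands are used.

```shell
#!/bin/sh
# Added example: offline sanity checks for server.key / server.crt.
# check_cert_pair and key_bits are names made up for this example.

# Print the RSA key size in bits (e.g. 1024 for the key made in this howto).
key_bits() {
    openssl rsa -in "$1" -noout -text -passin pass: 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Return codes: 0 ok, 1 key unreadable or still passphrase-protected,
# 2 key and certificate do not belong together, 3 certificate expired,
# 4 key file readable by group or others.
check_cert_pair() {
    key=$1 crt=$2

    # An empty passphrase only succeeds on an unencrypted key, so pass.key
    # fails here while server.key passes.
    openssl rsa -in "$key" -noout -passin pass: 2>/dev/null || return 1

    # The certificate must carry the public half of this private key.
    kmod=$(openssl rsa -in "$key" -noout -modulus -passin pass: 2>/dev/null) || return 2
    cmod=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null) || return 2
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] || return 2

    # -checkend 0 fails if the notAfter date has already passed.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 || return 3

    # Without a passphrase, file permissions are the key's only protection:
    # the group/other permission bits must all be unset.
    [ "$(ls -ldL "$key" | cut -c5-10)" = "------" ] || return 4
    return 0
}

# Usage as a script: sh check.sh server.key server.crt
if [ "$#" -eq 2 ]; then
    check_cert_pair "$1" "$2"
fi
```

key_bits server.key reports 1024 for a key made with the commands above; current practice is 2048 bits or more, which only requires changing the last argument of genrsa. A return code of 4 is fixed with chmod 600 on the key file.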

Credits

Based on http://www.rpatrick.com/tech/makecert/, modified for FREESCO by — dingetje 2006/09/15 10:53

 
freesco/howtos/ssl_cert.txt (21919 views) · Last modified: 2007/01/29 19:36 (external edit)
 