The following is a quick listing of the commands you need to use when setting up an SSL key for Apache that doesn't require a pass phrase to be entered during normal operations, and includes a self-signed certificate so you needn't bother with cert requests and CAs. The sequence of events is to create an RSA key protected by a 3DES-encrypted pass phrase, remove the pass phrase, and then generate a self-signed certificate.
The following commands are to be entered via the command line, with each openssl statement requiring interactive input. So do not run these commands via the web control panel command line!
Execute these commands in a temporary work directory.
openssl genrsa -des3 -out pass.key 1024
openssl rsa -in pass.key -out server.key
openssl req -new -key server.key -x509 -out server.crt -days 999
cp server.key /usr/local/apache/conf/ssl.key/
cp server.crt /usr/local/apache/conf/ssl.crt/
Here's a sample run on my FREESCO:
[root@Freesco] openssl genrsa -des3 -out pass.key 1024
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
..++++++
..........++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
The pass phrase doesn't really matter, because it's removed later, but make sure to remember that pass phrase for the next step! (People with short-term memory problems should probably write it down.)
This step removes the pass phrase:
[root@Freesco] openssl rsa -in pass.key -out server.key
read RSA key
Enter PEM pass phrase:
writing RSA key
Next create the certificate and sign it with your newly created key:
[root@Freesco] openssl req -new -key server.key -x509 -out server.crt -days 999
Using configuration from /pkg/ssl/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Overijsel
Locality Name (eg, city) :Zwolle
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dingetje's FREESCO Portal
Organizational Unit Name (eg, section) :Admin
Common Name (eg, YOUR name) :http://dingetje.homeip.net/
Email Address :firstname.lastname@example.org
Now place the newly created certificate and server key in the correct directory for Apache to find:
[root@Freesco] cp server.key /usr/local/apache/conf/ssl.key/
[root@Freesco] cp server.crt /usr/local/apache/conf/ssl.crt/
Finally restart Apache:
[root@Freesco] rc_httpd restart
Stopping http servers... Done
Starting control http server... Done Port 82
Starting Apache HTTP(S) server... Done
You can test your new certificate using a browser by connecting to https://your.freesco.ip/; alternatively, you can use the following command from the console:
[root@Freesco] openssl s_client -connect localhost:443
HEAD / HTTP/1.0
You need to enter HEAD / HTTP/1.0 (exactly like that!) and then hit ENTER twice. Your new certificate is printed to the console as well as the HEAD information of your Apache server.
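The checks below are an added example, not part of the original page: a shell script that reruns the three openssl steps non-interactively in a scratch directory and then confirms what the procedure depends on (no pass phrase left on server.key, key file readable only by its owner, certificate built from that key, expiry not imminent). The function names, the -subj value and the throwaway pass phrase are assumptions, and the script generates a 2048-bit key rather than the page's 1024 bits, which is below current minimum recommendations for RSA.

```shell
#!/bin/sh
# Added example, not from the original page. Function names, the -subj
# value and the pass phrase are constructed for illustration.

# True when the PEM key has no encryption header (Apache will not prompt).
key_is_unencrypted() {
    [ -r "$1" ] && ! grep -q 'ENCRYPTED' "$1"
}

# True when group and other have no permission bits on the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True when the certificate ($2) was built from the private key ($1).
cert_matches_key() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when the certificate ($1) is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# The page's three openssl steps, made non-interactive, run in directory $1.
# Assumption: 2048-bit key instead of the page's 1024.
build_pair() (
    cd "$1" || exit 1
    umask 077   # new key files are created owner-only
    openssl genrsa -des3 -passout pass:constructed-demo -out pass.key 2048 2>/dev/null &&
    openssl rsa -in pass.key -passin pass:constructed-demo -out server.key 2>/dev/null &&
    openssl req -new -key server.key -x509 -out server.crt -days 999 \
        -subj "/CN=freesco.example" 2>/dev/null
)

# Demo in a scratch directory; prints the verdict for the generated pair.
d=$(mktemp -d) && build_pair "$d" &&
    key_is_unencrypted "$d/server.key" && key_is_private "$d/server.key" &&
    cert_matches_key "$d/server.key" "$d/server.crt" &&
    cert_valid_for_days "$d/server.crt" 30 && echo "key/cert pair OK"
rm -rf "$d"
```

The same functions can be pointed at the installed copies under /usr/local/apache/conf/ssl.key/ and /usr/local/apache/conf/ssl.crt/ after the cp step, since cp creates the destination files with the current umask rather than the permissions checked here.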