Generate Apache SSL certificates
- May 28, 2009
- Linux System Admin
- Posted by Gee
To use https for web traffic, you will need to obtain a valid Apache SSL certificate.
When generating an Apache (mod_ssl) SSL certificate, you have two options:
- Purchase an SSL certificate from a certificate authority (CA). Searching the Web for “certificate authority” will present several choices.
- Generate a self-signed certificate. This option costs nothing and provides the same level of encryption as a certificate purchased from a certificate authority (CA). However, this option can be a mild annoyance to some users, because Internet Explorer (IE) issues a harmless warning each time a user visits a site that uses a self-signed certificate.
Regardless of which option you select, the process is almost identical.
First, determine the fully qualified domain name (FQDN) of the website for which you want to request a certificate. If your site is reached as https://www.domain.tld, then the FQDN of your website is www.domain.tld.
Note: This is also known as your common name.
Generate the private key with the openssl genrsa command.
openssl genrsa -out www.domain.tld.key 1024
This command generates a 1024-bit RSA private key and stores it in the file www.domain.tld.key. Back up your www.domain.tld.key file, because your SSL certificate cannot be used without the private key it was generated from.
Generate the CSR with the openssl req command.
openssl req -new -key www.domain.tld.key -out www.domain.tld.csr
This command prompts you for the X.509 subject attributes of your certificate. When prompted for the Common Name, give the fully qualified domain name, such as www.domain.tld.
Note: Do not enter your personal name here. You are requesting a certificate for a web server, so the Common Name has to match the FQDN of your website.
Generate the self-signed certificate with the openssl x509 command.
openssl x509 -req -days 370 -in www.domain.tld.csr -signkey www.domain.tld.key -out www.domain.tld.crt
This command signs the CSR with your own private key and writes the self-signed certificate to www.domain.tld.crt.
You will now have an RSA private key in www.domain.tld.key, a Certificate Signing Request in www.domain.tld.csr, and an SSL certificate in www.domain.tld.crt. The self-signed SSL certificate that you generated will be valid for 370 days.
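The three steps above as one non-interactive script, followed by the check a practitioner should run afterwards: that the certificate really belongs to the key it will be served with and that its Common Name is the FQDN. This is an added example, not code from the original post; it assumes openssl is on PATH, uses a 2048-bit key, and passes the subject via -subj instead of answering the prompts (the fields other than CN are constructed placeholders).

```shell
#!/bin/sh
# Added example: generate key, CSR and self-signed certificate for an FQDN
# without interactive prompts, then verify the result.
# Assumptions: openssl is on PATH; the directory argument is writable.
set -eu

# make_selfsigned FQDN DIR [DAYS] [BITS]
# -subj supplies the X.509 attributes the interactive prompts would ask for;
# only CN matters for the site, the other fields are placeholders.
make_selfsigned() {
  fqdn=$1; dir=$2; days=${3:-370}; bits=${4:-2048}
  mkdir -p "$dir"
  openssl genrsa -out "$dir/$fqdn.key" "$bits" 2>/dev/null
  openssl req -new -key "$dir/$fqdn.key" -out "$dir/$fqdn.csr" \
    -subj "/C=US/ST=State/L=City/O=Example Org/CN=$fqdn" 2>/dev/null
  openssl x509 -req -days "$days" -in "$dir/$fqdn.csr" \
    -signkey "$dir/$fqdn.key" -out "$dir/$fqdn.crt" 2>/dev/null
}

# check_selfsigned FQDN DIR
# Prints "ok" when the certificate carries the same RSA modulus as the key
# (so Apache can actually serve the pair) and its subject CN equals the FQDN;
# otherwise prints the reason and returns non-zero.
check_selfsigned() {
  fqdn=$1; dir=$2
  key_mod=$(openssl rsa -noout -modulus -in "$dir/$fqdn.key" 2>/dev/null | openssl md5)
  crt_mod=$(openssl x509 -noout -modulus -in "$dir/$fqdn.crt" 2>/dev/null | openssl md5)
  [ "$key_mod" = "$crt_mod" ] || { echo "key/cert mismatch"; return 1; }
  cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$dir/$fqdn.crt" \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$fqdn" ] || { echo "CN is '$cn', expected '$fqdn'"; return 1; }
  echo ok
}

# Demo run with the constructed hostname from the post in a temporary directory.
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_selfsigned www.domain.tld "$d"
  check_selfsigned www.domain.tld "$d"
  rm -rf "$d"
fi
```

Run it as `sh script.sh --demo`; the CN check catches the common mistake of answering the Common Name prompt with a personal name instead of the site's FQDN.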