Thursday, July 15, 2010

SSL for a website - Generating an SSL cert for apache2

  1. Generate the ssl key pair
    openssl genrsa -out 2048
    • using a pass-phrase is problematic since the apache2 server cannot start unattended: someone has to type the pass-phrase at every boot.
    • if you do need a pass-phrase, add the -des3 option to encrypt the key.
  2. Generate a certificate signing request (CSR) using the key from step 1 (without a pass-phrase)
    openssl req -new -key -out
    • do not enter an email address, challenge password or an optional company name when generating the CSR.
    • Enter the info which MATCHES THE WHOIS for the domain or your request is likely to get rejected.
      • Country Name:
      • State or Province: (the capitalized two letter code)
      • Locality or City: (without abbreviations)
      • Company: (without &, @, or any other symbol)
      • Organizational Unit: (optional; to skip hit enter)
      • Common Name: the host name, i.e. "" (make certain it matches the host name end customers actually use, or browsers will show an ssl name-mismatch warning.)

  3. Send the certificate signing request to the certificate authority and wait for them to send the signed certificate back (the crt file).
  4. The files should be stored at the following location with the following permissions/owner. Remember to set them, or any local user can read and copy the private key.
    /etc/apache2/ssl$ ls -al
    drwxr-xr-x 2 root root 4096 2010-01-08 16:38 .
    drwxr-xr-x 9 root root 4096 2010-01-08 09:42 ..
    -r-------- 1 root root 1354 2010-01-08 09:17
    -r-------- 1 root root 1354 2010-01-08 09:17
    -r-------- 1 root root 1675 2010-01-08 16:38
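As an added example (not from the original post), steps 1, 2 and 4 above scripted non-interactively, plus a check that the CSR carries the right host name, belongs to the generated key and that the key is mode 0400 before anything is sent to the CA. The host name www.example.com, the subject fields and the output directory are placeholders.

```shell
# gen_key_and_csr HOST DIR (hypothetical helper)
#   step 1: 2048-bit key without -des3, so apache2 can start unattended
#   step 2: CSR with the subject given via -subj, so no prompt for an
#           e-mail address, challenge password or optional company name
#   step 4: key readable by its owner only (root:root when run as root)
gen_key_and_csr() {
    host="$1"; dir="$2"
    key="$dir/$host.key"; csr="$dir/$host.csr"
    openssl genrsa -out "$key" 2048 2>/dev/null || return 1
    # placeholder subject fields; use the values that match the WHOIS record
    openssl req -new -key "$key" -out "$csr" \
        -subj "/C=US/ST=CA/L=San Francisco/O=Example Corp/CN=$host" 2>/dev/null || return 1
    chmod 0400 "$key"
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$key"; fi
    return 0
}

# check_csr HOST KEY CSR: sanity checks before the CSR goes to the CA
check_csr() {
    host="$1"; key="$2"; csr="$3"
    # CN must be the host name customers use (handles both "CN = x" and "/CN=x" output styles)
    cn=$(openssl req -in "$csr" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ "$cn" = "$host" ] || { echo "CN mismatch: got '$cn', want '$host'"; return 1; }
    # the CSR must have been made with this key: compare the public keys
    kpub=$(openssl rsa -in "$key" -pubout 2>/dev/null | openssl md5)
    cpub=$(openssl req -in "$csr" -pubkey -noout | openssl md5)
    [ "$kpub" = "$cpub" ] || { echo "CSR was not generated from $key"; return 1; }
    # private key must be 0400 (GNU stat first, BSD stat as fallback)
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    [ "$mode" = "400" ] || { echo "key mode is $mode, want 400"; return 1; }
    return 0
}
```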

