Okay, so I create SSL certificates infrequently enough that I can't just remember the procedure and syntax for doing so. However, I do it often enough to warrant a web page on the subject -- especially since the places I currently refer to may go away some day.
To be clear, this procedure is for Apache with mod_ssl. It is also good for other things that use the OpenSSL library (like IMAP-UW).
Creating an SSL Key and CSR
Okay, I normally do this in the /usr/local/certs directory. The steps I follow are to:
- Select a passphrase for the key, and because I'll never use it again, store it in a little text file with a .pw extension
- Create the private key
- Create a version of the private key that doesn't contain the passphrase, since I don't want to manually type passphrases every time the web server is started
- Create a Certificate Signing Request (CSR)
The only trick to this is that, when creating the CSR, the "Common Name" must be the FQDN of the web site it will be associated with. For example, if the certificate will be used at "https://www.coreth.com/", the Common Name should be set to "www.coreth.com".
The CSR is sent to the signing authority, and they sign it and send back a certificate.
Below are the exact steps I follow when I do this (replace "server" with a name associated with your web site):
vi server.pw openssl genrsa -des3 -out server.key.secure 1024 openssl rsa -in server.key.secure -out server.key openssl req -new -key server.key -out server.csr
To sign your own certificates, you need to create a Certificate Authority. You should only have to do this once (well, every 365 days perhaps).
vi ca.pw openssl genrsa -des3 -out ca.key 1024 openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Note that there is nothing magic about 365. If you don't want to mess with this every year, you can sign it for a much larger number of days.
If you already have a ca.crt, you can use the sign.sh script to sign CSRs. The sign.sh script is found in the mod_ssl source distribution, and I normally stick it in /usr/local/bin for ease of use. The script signs the CSR and outputs a server.csr file.
Yeah, I should probably write about how to reference the files from Apache, but I'm too lazy, and there should be good examples in the config file already. Maybe later.
There is a FAQ over at modssl.org which has some good information about certificates and using the openssl utility.
Simple Self-Signed Certificates?
Could it really be this simple?
openssl genrsa -out server.key 2048 openssl req -new -x509 -key server.key -out server.cert -days 3650
Be sure to supply the FQDN of the web site when asked for the Common Name.