Open Source Software and Linux

Dec 11 2008   3:24PM GMT

Generate a self signed SSL certificate for your Apache Web Server

John Little Profile: Xjlittle

Tags:
Lotus Domino

After getting tired of clicking ok to the certificate messages that popped up every time I or someone else accessed my personal Apache Web Server using SSL I decided to generate my own self signed SSL certificate.

Note that all of these steps are performed on a CentOS or Red Hat apache web server. Depending on the paths that you have setup in your httpd.conf or virtualhost container your paths may be somewhat different. Simply substitute your paths for the ones that I use when I copy my certificates into the designated path.

Let’s get started. First cd into the /etc/pki/tls directory. You have three commands to enter here to finally generate your self signed certificate. You may name the certificate anything that you want. I chose to use my server’s name.

First issue each of the following commands. All three are necessary to generate your ssl certificate. I will comment on them either in the code or just below the code.

##First command to generate the key
[root@web tls]# openssl genrsa -rand /etc/passwd:/etc/group:/etc/httpd/web-sites/hosts-ssl -out secserve.sytes.net.key 1024
7843 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
........++++++
........................++++++
e is 65537 (0x10001)

##second command
[root@web tls]# openssl req -new -key secserve.sytes.net.key -out secserve.sytes.net.csr You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Indiana
Locality Name (eg, city) [Newbury]:Plainfield
Organization Name (eg, company) [My Company Ltd]:MyWeb
Organizational Unit Name (eg, section) []:Web
Common Name (eg, your name or your server’s hostname) []:secserve.sytes.net
Email Address []:jlittle_97@yahoo.com

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

##third command
[root@web tls]# openssl x509 -req -days 730 -in secserve.sytes.net.csr -signkey secserve.sytes.net.key -out secserve.sytes.net.crt
Signature ok
subject=/C=US/ST=Indiana/L=Plainfield/O=MyWeb/OU=Web/CN=secserve.sytes.net/emailAddress=jlittle_97@yahoo.com
Getting Private key
[root@web tls]# ls
cert.pem certs misc openssl.cnf private secserve.sytes.net.crt secserve.sytes.net.csr secserve.sytes.net.key

The first command generates the rsa key file. You can use random files as I did to help generate the key or leave them out and let openssl generate it’s own key. The 1024 at the end is to make it a 1024 bit key.

The second command generates the csr file. This is where you put in your information about your location and server name. The server name referred to here is the internet name of the web server, not the name of the machine on which the server is running. Be sure and substitute your own values for the ones that I have. Leave the challenge password and optional company name entries blank.

The third command is generating the private key for your server. TThe -req -days is set to 720 days or 2 years.. The ls command is used to verify that the files are there.

Now you need to check your apache web server to find out where it looks for your signed ssl certificate files. My SSL server is on a virtual host. I keep my virtual host container file in a directory located at /etc/httpd/web-hosts with a file name of hosts-ssl. Let’s open that to the secserve container and see where apache expects to see the ssl certificate.

[root@web tls]# vim /etc/httpd/web-sites/hosts-ssl

SSLEngine on
SSLCertificateFile /etc/httpd/ssl/secserve.sytes.net.crt
SSLCertificateKeyFile /etc/httpd/ssl/secserve.sytes.net.key
SetEnvIf User-Agent “.*MSIE.*” nokeepalive ssl-unclean-shutdown

ServerAdmin jlittle_97@yahoo.com
ServerName secserve.sytes.net

 

I can see in my container that secserve.sytes.net is my web server and that it expects to find the ssl certificate files under /etc/httpd/ssl/(filename.{crt,key}. Copy all three of the files from the /etc/pki/tls directory where you generated them into this directory. Note that you can designate any directory where you want to place your files.

All that’s left is to restart or reload the web server.

You can check under /var/log/httpd/ to make sure that there are no errors generated by the ssl certificate files. If not you are good to go.

A couple of notes are in order here. In the first command you can use the switch -des3 which will encrypt the files and force you to use a password to complete the ssl certicates. While this a very secure way to protect your web server it is not very practical, at least for me. Every time the web server is restarted you will have to put in the password. Aside from being a little inconvenient what if someone has to reboot the machine or restart the apache web service that doesn’t and should not know the password?

My suggestion around the above scenarios is to chmod your keys to 600 and make sure that root is the owner.

So now you can generate your own self signed SSL certificate. This process will work for other SSL applications such as Dovecot.

One last note. If you have a ServerAlias that you use to access your web site from inside your firewall you can also generate a certificate for it as well. Just use the ServerAlias name in your configuration file.

You can probably have the complete setup done in less time than it takes to read this article.

Have fun!

-j

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: