Monday, May 09, 2005
SSL/TLS Strong Encryption: FAQ - Apache HTTP Server
Ok, I've got my server installed and want to create a real SSL server Certificate for it. How do I do it?
Here is a step-by-step description:
1. Make sure OpenSSL is really installed and in your PATH. Some commands also work when you run the openssl program directly from within the OpenSSL source tree as ./apps/openssl.
2. Create an RSA private key for your Apache server (it will be Triple-DES encrypted and PEM formatted):
$ openssl genrsa -des3 -out server.key 1024
Back up this server.key file in a secure location and remember the pass-phrase you had to enter. You can see the details of this RSA private key via the command:
$ openssl rsa -noout -text -in server.key
You could also create a decrypted PEM version (not recommended) of this RSA private key via:
$ openssl rsa -in server.key -out server.key.unsecure
3. Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):
$ openssl req -new -key server.key -out server.csr
Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName"; i.e. when you generate a CSR for a website that will later be accessed via https://www.foo.dom/, enter "www.foo.dom" here. You can see the details of this CSR via the command:
$ openssl req -noout -text -in server.csr
4. You now have to send this Certificate Signing Request (CSR) to a Certifying Authority (CA) for signing. The result is a real Certificate which can be used for Apache. Here you have two options. First, you can have the CSR signed by a commercial CA like Verisign or Thawte. Then you usually have to paste the CSR into a web form, pay for the signing and wait for the signed Certificate, which you then store in a server.crt file. For more information about commercial CAs, have a look at the following locations:
1. Verisign
http://digitalid.verisign.com/server/apacheNotice.htm
2. Thawte Consulting
http://www.thawte.com/certs/server/request.html
3. CertiSign Certificadora Digital Ltda.
http://www.certisign.com.br
4. IKS GmbH
http://www.iks-jena.de/produkte/ca/
5. Uptime Commerce Ltd.
http://www.uptimecommerce.com
6. BelSign NV/SA
http://www.belsign.be
Second, you can use your own CA and sign the CSR yourself with it. Read the next answer in this FAQ on how to sign a CSR with your own CA. You can see the details of the received Certificate via the command:
$ openssl x509 -noout -text -in server.crt
5. Now you have two files: server.key and server.crt. These can now be used as follows inside your Apache's httpd.conf file:
SSLCertificateFile /path/to/this/server.crt
SSLCertificateKeyFile /path/to/this/server.key
The server.csr file is no longer needed.
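The following script is an added example and is not part of the Apache FAQ. It runs steps 2 and 3 above non-interactively and adds the checks a practitioner wants before sending the CSR off and before pointing httpd.conf at the returned server.crt: that the CSR's self-signature verifies, that its CommonName is the intended FQDN, and that the CSR (and later the certificate) really belong to server.key, by comparing RSA moduli. A mismatched key and certificate is the most common reason mod_ssl refuses to start. It assumes an openssl CLI of version 1.1.1 or newer on PATH, uses a 2048-bit key where the 2005 text used 1024, and adds a subjectAltName with -addext because modern clients match the host name against the SAN rather than the CN. The pass-phrase, host name and scratch directory are constructed placeholders; the self-signed certificate at the end is only a stand-in so the certificate check can be exercised offline, not a replacement for step 4.

```shell
#!/bin/sh
# Added example (not from the Apache FAQ). Assumes: openssl >= 1.1.1 on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"           # scratch directory (hypothetical path)
PASS="${PASS:-example-passphrase}"     # constructed pass-phrase; never hardcode in real use
FQDN="${FQDN:-www.foo.dom}"            # the FAQ's example host name

# Step 2: Triple-DES encrypted, PEM formatted RSA private key, as in the FAQ,
# but 2048 bits and with the pass-phrase supplied non-interactively.
make_key() {
  openssl genrsa -des3 -passout "pass:$PASS" -out "$WORK/server.key" 2048 2>/dev/null
}

# Step 3: CSR whose CommonName is the FQDN; -subj replaces the interactive
# prompts and -addext adds a matching subjectAltName (what clients check today).
make_csr() {
  openssl req -new -key "$WORK/server.key" -passin "pass:$PASS" \
    -subj "/CN=$FQDN" -addext "subjectAltName=DNS:$FQDN" \
    -out "$WORK/server.csr" 2>/dev/null
}

# Check 1: the CSR's own signature verifies (it was not truncated or altered).
csr_is_valid() {
  openssl req -verify -noout -in "$WORK/server.csr" >/dev/null 2>&1
}

# Check 2: the CommonName actually stored in the CSR.
csr_cn() {
  openssl req -noout -subject -in "$WORK/server.csr" | sed 's/.*CN *= *//'
}

# Check 3: hash of the RSA modulus held in a key, a CSR or a certificate.
# Equal hashes mean the same key pair; a mismatch means Apache would not start.
modulus_of() {  # $1 = key|req|x509, $2 = file
  case "$1" in
    key)  openssl rsa  -noout -modulus -in "$2" -passin "pass:$PASS" ;;
    req)  openssl req  -noout -modulus -in "$2" ;;
    x509) openssl x509 -noout -modulus -in "$2" ;;
  esac | openssl sha256
}

key_matches() {  # $1 = req|x509, $2 = CSR or certificate file
  [ "$(modulus_of key "$WORK/server.key")" = "$(modulus_of "$1" "$2")" ]
}

# Stand-in for step 4 so the certificate check can run offline: a short-lived
# self-signed certificate made from the CSR. NOT a substitute for a CA-signed one.
selfsign_stand_in() {
  openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
    -passin "pass:$PASS" -days 1 -out "$WORK/server.crt" 2>/dev/null
}

demo() {
  make_key && make_csr
  csr_is_valid && echo "CSR signature: OK"
  echo "CSR CommonName: $(csr_cn)"
  key_matches req "$WORK/server.csr" && echo "CSR matches server.key: OK"
  selfsign_stand_in
  key_matches x509 "$WORK/server.crt" && echo "server.crt matches server.key: OK"
  echo "files in $WORK"
}

# Usage: sh this_script.sh --run
if [ "${1:-}" = "--run" ]; then
  demo
fi
```

Run the same key_matches x509 check against the real server.crt once the CA returns it; a failure there means the CSR that was submitted was not generated from the server.key you are about to reference in httpd.conf.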