Viedumu Vietne ar Sandi


Four commands to generate SSL certificate for Apache

Filed under: Tech — Sandis @ 7:55

1) openssl genrsa -des3 -out your.key 1024
2) openssl req -new -key your.key -out your.csr
3) openssl x509 -req -days 36500 -in your.csr -signkey your.key -out your.crt
4) cp your.key your.key.orig; openssl rsa -in your.key.orig -out your.key

What the commands do:
1) An RSA private key is generated; the CSR and the certificate that follow are both signed with this key. “des3” is the cipher used to encrypt the key file on disk; for other ciphers, see the openssl manual. “1024” means a 1024-bit key.
2) A Certificate Signing Request (CSR) is generated from the key; it carries the public key and the identity details you enter. Normally this is sent to a Certificate Authority, which turns it into a real certificate. Fill out the form, and make sure the “Common name” is correct: it must be your full domain name.
3) Here, instead of going through a CA, a self-signed certificate is created: the CSR is signed with your own key, in X.509 format, with a validity of 36500 days (~100 years).
4) The most important part: the encryption is removed from the private key file. From a security viewpoint this is dangerous, because the key is now stored without a password. However, if you want to use this certificate for Apache SSL on a standalone server (or you just don’t want to enter the password every time the computer starts), there is no other choice. If you leave your key unencrypted, anyone who gets hold of it can use it, so it is advised to “chmod 400” the key file. If you leave your key encrypted, Apache asks for the key file password at every boot; on a standalone server in a server room that means a halt and administrator intervention.
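The same four steps as a script, added here as an example (not from the original post): it runs them non-interactively with a throwaway passphrase, then checks what a practitioner wants to know before pointing Apache at the files: the working key loads without any passphrase, the encrypted original still requires one, key and certificate carry the same public key, and both key files are mode 400. The function name, the temporary passphrase and the subject are assumptions; the script also uses a 2048-bit key where the post uses 1024.

```shell
#!/bin/sh
# Added example, not the post's own code. Assumed names: make_self_signed_cert,
# the throwaway passphrase, the CN passed in. Needs the openssl CLI.
set -eu

# make_self_signed_cert DIR NAME CN
# Writes DIR/NAME.key (passphrase-free, mode 400), DIR/NAME.key.orig (encrypted),
# DIR/NAME.csr and DIR/NAME.crt. Returns 0 only if all checks pass.
make_self_signed_cert() {
    dir=$1; name=$2; cn=$3
    tmppass="throwaway-passphrase"   # constructed; only lives while steps 1-4 run

    # Step 1: RSA private key, DES3-encrypted on disk (2048 bits here; the post uses 1024)
    openssl genrsa -des3 -passout "pass:$tmppass" -out "$dir/$name.key" 2048 2>/dev/null
    # Step 2: CSR; -subj replaces the interactive form, CN must be the domain name
    openssl req -new -key "$dir/$name.key" -passin "pass:$tmppass" \
        -subj "/CN=$cn" -out "$dir/$name.csr" 2>/dev/null
    # Step 3: self-signed X.509 certificate, 36500 days as in the post
    openssl x509 -req -days 36500 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
        -passin "pass:$tmppass" -out "$dir/$name.crt" 2>/dev/null
    # Step 4: keep the encrypted original, write a passphrase-free copy for Apache
    cp "$dir/$name.key" "$dir/$name.key.orig"
    openssl rsa -in "$dir/$name.key.orig" -passin "pass:$tmppass" \
        -out "$dir/$name.key" 2>/dev/null
    chmod 400 "$dir/$name.key" "$dir/$name.key.orig"

    # Check 1: the working key must load with an empty passphrase (i.e. no prompt)
    openssl rsa -in "$dir/$name.key" -noout -passin pass: 2>/dev/null || return 1
    # Check 2: the original must NOT load without its passphrase
    if openssl rsa -in "$dir/$name.key.orig" -noout -passin pass: 2>/dev/null; then
        return 2
    fi
    # Check 3: key and certificate must carry the same public key
    key_pub=$(openssl rsa -in "$dir/$name.key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey 2>/dev/null)
    [ "$key_pub" = "$crt_pub" ] || return 3
    return 0
}
```

Run it as `make_self_signed_cert /etc/apache2/ssl your www.example.com` (paths are yours to choose); a non-zero return means one of the checks failed and the files should not be deployed.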

