Apache SSL certificate creation/usage
1) Create SSL Certificate
- a) create a private key (example name mycertificate used)
openssl genrsa -des3 -out mycertificate.key 2048
genrsa indicates to OpenSSL that you want to generate an RSA key pair.
des3 indicates that the private key should be encrypted and protected by a pass phrase.
The out switch indicates where to store the result.
2048 indicates the size of the generated key in bits. Older guides use 1024, but 1024-bit RSA is considered too weak today and is rejected by current browsers and public CAs; use 2048 or larger.
- Insert your pass phrase when requested
Apache asks for the pass phrase every time it starts (not only after a reboot). To stop this you need to strip the pass phrase from the private key. This is insecure (anyone who can read the file has the key) but useful, which is why the chmod 400 at the end is essential.
mv mycertificate.key mycertificate.key.secure
openssl rsa -in mycertificate.key.secure -out mycertificate.key
chmod 400 mycertificate.key
- b) create a certificate signing request (csr)
openssl req -new -key mycertificate.key -out mycertificate.csr
(-days has no effect here: with -new and no -x509 it is ignored, and the validity period is set by whoever signs the request.)
fill in the requested information BUT use the fully qualified host name that clients will connect to (e.g. www.example.com) as your Common Name when requested; it must match the site name or browsers will warn. Leave the challenge password blank as well.
- c) signing the csr
this can be achieved in one of 2 ways and results in a .crt file
- 1- send the csr to a Certifying Authority (CA) to be signed. Paste the .csr contents into a form on their website and they return the signed certificate (not a key); save this e.g. vi mycertificate.crt
- 2- create your own self signed certificate. You need to use the sign.sh script from the mod_ssl distribution (found in the pkg.contrib folder), which is a small wrapper around the openssl x509 request-signing command. Alternatively download it from this site and rename it to sign.sh
- create an RSA private key for your CA
openssl genrsa -des3 -out ca.key 2048
- create the self signed certificate
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
- use the new CA to sign the csr
sign.sh mycertificate.csr
- this will generate a server.crt file - rename it to mycertificate.crt if you wish. Note that browsers will not trust a certificate signed by your own CA until ca.crt is imported into their trust store.
- d) verify that the private key and certificate belong together, 2 ways (first is most thorough, 2nd is a quick check)
- 1- compare the modulus (the long hex number) in the output of the following two commands (probably best to diff them)
openssl x509 -noout -text -in mycertificate.crt
openssl rsa -noout -text -in mycertificate.key
- 2- compare the 2 short hashes of the modulus; they must be identical (md5 is fine here since this is only an equality check on data you generated yourself, but sha256 works the same way)
openssl x509 -noout -modulus -in mycertificate.crt | openssl md5
openssl rsa -noout -modulus -in mycertificate.key | openssl md5
2) Use certificates in Apache
- a) copy files to apache conf directory
cp mycertificate.crt /usr/local/apache/conf/ssl.crt
cp mycertificate.key /usr/local/apache/conf/ssl.key
- b) add the parameters to httpd.conf (minimal required shown below) e.g.,
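The whole procedure from section 1 (CA key, CA certificate, server key, CSR, signing, the modulus check) together with the httpd.conf fragment for section 2, as an added, non-interactive script. This is not code from the original page or from mod_ssl: the signing step uses openssl x509 -req directly instead of sign.sh, the host name www.example.test, the CA subject "Example Test CA" and the pass phrase capass are assumptions, and it adds a subjectAltName because current browsers match the host name against that rather than the Common Name.

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive version of the
# whole certificate procedure, run in a scratch directory.
# Assumptions: host name www.example.test, CA subject "Example Test CA",
# CA pass phrase "capass".
set -eu

CA_PASS="capass"   # assumed pass phrase; protects only the CA key

# make_certs DIR: create CA key + cert, server key, CSR and CA-signed server cert in DIR
make_certs() {
    dir="$1"
    mkdir -p "$dir"
    # CA private key, encrypted (same idea as genrsa -des3, but AES-256 and 2048 bits)
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/ca.key" 2048 2>/dev/null
    # self-signed CA certificate (openssl req -new -x509)
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -passin "pass:$CA_PASS" \
        -subj "/CN=Example Test CA" -out "$dir/ca.crt"
    # server key, left unencrypted so httpd starts without a pass phrase; lock it down
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 400 "$dir/server.key"
    # CSR: Common Name is the site's host name; -subj means no prompts, so the
    # challenge password is left blank automatically
    openssl req -new -key "$dir/server.key" -subj "/CN=www.example.test" \
        -out "$dir/server.csr"
    # extensions added at signing time: SAN is what modern clients actually check
    printf 'subjectAltName=DNS:www.example.test\nbasicConstraints=CA:FALSE\n' \
        > "$dir/server.ext"
    # sign the CSR with our CA (this is what sign.sh wraps), producing server.crt
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -passin "pass:$CA_PASS" -CAcreateserial -days 365 \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# keys_match CRT KEY: the quick check from 1d, hash of the modulus from the
# certificate and from the private key must be identical (exit 0 if they are)
keys_match() {
    c=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
    k=$(openssl rsa -noout -modulus -in "$2" | openssl sha256)
    [ "$c" = "$k" ]
}

# chain_ok CA CRT: the certificate validates against the CA, as a client would check
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null
}

# write_vhost DIR CRT KEY: minimal mod_ssl fragment for httpd.conf (section 2b)
write_vhost() {
    cat > "$1/ssl-vhost.conf" <<EOF
Listen 443
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile    $2
    SSLCertificateKeyFile $3
</VirtualHost>
EOF
}

# usage: sh thisscript.sh run
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    make_certs "$d"
    keys_match "$d/server.crt" "$d/server.key" && echo "modulus match: ok"
    chain_ok "$d/ca.crt" "$d/server.crt" && echo "chain: ok"
    write_vhost "$d" "$d/server.crt" "$d/server.key"
    cat "$d/ssl-vhost.conf"
fi
```

For a real deployment copy server.crt and server.key into the ssl.crt and ssl.key directories as in 2a and point SSLCertificateFile and SSLCertificateKeyFile at those paths; the server key must stay readable only by the user that starts httpd.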
the end!


