SSL Certificates

Okay, so I create SSL certificates infrequently enough that I can't just remember the procedure and syntax for doing so. However, I do it often enough to warrant a web page on the subject -- especially since the places I currently refer to may go away some day.

To be clear, this procedure is for Apache with mod_ssl. It is also good for other things that use the OpenSSL library (like IMAP-UW).

Creating an SSL Key and CSR

Okay, I normally do this in the /usr/local/certs directory. The steps I follow are to:

  1. Select a passphrase for the key, and because I'll never use it again, store it in a little text file with a .pw extension
  2. Create the private key
  3. Create a version of the private key that doesn't contain the passphrase, since I don't want to manually type passphrases every time the web server is started
  4. Create a Certificate Signing Request (CSR)

The only trick to this is that, when creating the CSR, the "Common Name" must be the FQDN of the web site it will be associated with. For example, if the certificate will be used at "https://www.coreth.com/", the Common Name should be set to "www.coreth.com".

The CSR is sent to the signing authority, and they sign it and send back a certificate.

Below are the exact steps I follow when I do this (replace "server" with a name associated with your web site):

vi server.pw
openssl genrsa -des3 -out server.key.secure 1024
openssl rsa -in server.key.secure -out server.key
openssl req -new -key server.key -out server.csr

Self-Signed Certificates

To sign your own certificates, you need to create a Certificate Authority. You should only have to do this once (well, every 365 days perhaps).

vi ca.pw
openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Note that there is nothing magic about 365. If you don't want to mess with this every year, you can sign it for a much larger number of days.

If you already have a ca.crt, you can use the sign.sh script to sign CSRs. The sign.sh script is found in the mod_ssl source distribution, and I normally stick it in /usr/local/bin for ease of use. The script signs the CSR and outputs a server.csr file.

sign.sh server.csr

Apache Configuration

Yeah, I should probably write about how to reference the files from Apache, but I'm too lazy, and there should be good examples in the config file already. Maybe later.

FAQ

There is a FAQ over at modssl.org which has some good information about certificates and using the openssl utility.