Things to remember when creating Apache SSL certs

Since I don’t create certs all that often, I’ve always been frustrated by having to search out the commands every time I have to make one. Frequently I forget to remove the Triple DES encryption from the server.key file, and end up with a key that makes me enter a passphrase every time I start up Apache.

Thus, I decided to create an entry here with all the commands, so that I will never have to go searching for them again.

First, change directory into your Apache configuration directory:

# cd /path/to/httpd/conf

Generate the server key, encrypted with Triple DES under a passphrase (the original post used 1024 bits, which is below the current minimum for RSA; 2048 bits or more is the norm now):

# openssl genrsa -des3 -out server.key 2048

Optionally, we can write out a copy of the key without the passphrase. Apache will then start without prompting, which matters after a power failure, or when a restart is required and nobody around knows the passphrase. The trade-off is that anyone who can read server.pem holds the private key, so keep the file owned by root with mode 0600. Use the following command:

# openssl rsa -in server.key -out server.pem

A CSR (Certificate Signing Request) bundles the public key with the server’s Distinguished Name and is signed with the private key; it is what a CA (or we ourselves, when self-signing) turns into a certificate. The server.pem is used in place of server.key so that no passphrase is requested:

# openssl req -new -key server.pem -out server.csr

You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value; if you enter ‘.’, the field will be left blank.

-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Your State
Locality Name (eg, city) []:Your City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company Name
Organizational Unit Name (eg, section) []:Department Name
Common Name (eg, YOUR name) []:server.spiralbound.net
Email Address []:me@spiralbound.net
Please enter the following ‘extra’ attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

Despite the prompt, the Common Name must be the fully qualified hostname clients will connect to, not your own name. Note also that modern browsers ignore the Common Name and require the hostname to appear as a subjectAltName, which this interactive CSR does not add.

Finally, the certificate needs to be signed. Normally this is done by a public certificate authority such as Thawte. If that is not an option, we can sign the certificate ourselves; clients will warn about a self-signed certificate unless they have been told to trust it explicitly. In this example the certificate is valid for 3 years, or 1095 days. Again, we use the server.pem file without a passphrase.

# openssl x509 -req -days 1095 -in server.csr -signkey server.pem -out server.crt
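The whole procedure above, run non-interactively as one script. This is an added example and not code from the original post: it keeps the post's order (encrypted key, passphrase-free copy, CSR, self-signed cert) but uses a 2048-bit key, passes the DN with -subj instead of answering prompts, adds a subjectAltName through -extfile, and finishes with the checks worth running before touching httpd.conf, in particular whether a key file is still passphrase-protected. The directory, hostname server.example.test, DN values and passphrase are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is
# installed; all paths, names and the passphrase are illustrative.
set -eu

# Return 0 if a PEM private key is passphrase-protected (this is what makes
# Apache prompt on start), 1 if it is stored in the clear. OpenSSL 1.x marks
# encrypted keys with "Proc-Type: 4,ENCRYPTED"; OpenSSL 3.x writes a PKCS#8
# "BEGIN ENCRYPTED PRIVATE KEY" header instead, so test for both.
key_is_encrypted() {
    grep -Eq '^Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Return 0 if the public key inside certificate $1 matches private key $2.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Return 0 if certificate $1 is self-signed (subject == issuer) and names $2
# in its subjectAltName.
cert_is_selfsigned_for() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] \
        && openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# make_selfsigned_cert DIR CN DAYS PASSPHRASE
# The post's four steps, written to DIR.
make_selfsigned_cert() {
    dir=$1; cn=$2; days=$3; pass=$4
    mkdir -p "$dir"

    # 1. Private key, 2048 bits, encrypted with Triple DES as in the post.
    #    -passout keeps this non-interactive; in practice type it at the prompt.
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/server.key" 2048 2>/dev/null

    # 2. Passphrase-free copy so httpd can start unattended. This file now IS
    #    the secret, so lock its permissions down immediately.
    openssl rsa -in "$dir/server.key" -passin "pass:$pass" -out "$dir/server.pem" 2>/dev/null
    chmod 600 "$dir/server.pem"

    # 3. CSR with the DN on the command line instead of at the prompts.
    openssl req -new -key "$dir/server.pem" \
        -subj "/C=US/ST=Your State/L=Your City/O=Your Company Name/CN=$cn" \
        -out "$dir/server.csr" 2>/dev/null

    # 4. Self-sign. Browsers require a subjectAltName; "x509 -req" only adds
    #    extensions from an -extfile, so write a one-line one.
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$dir/san.cnf"
    openssl x509 -req -sha256 -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.pem" -extfile "$dir/san.cnf" \
        -out "$dir/server.crt" 2>/dev/null
}
```

Usage: `make_selfsigned_cert /path/to/httpd/conf server.example.test 1095 'temporary passphrase'`, then `key_is_encrypted /path/to/httpd/conf/server.pem` should return 1 (not encrypted) before you point SSLCertificateKeyFile at it, and `cert_matches_key server.crt server.pem` catches the classic mistake of pairing a new certificate with an old key.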

One thought on “Things to remember when creating Apache SSL certs”

  1. Thanks for the post on this, I keep it bookmarked for easy reference. One thing I would like to note though is that in your example above, you first make your private key, encrypting it as you do so, and then in your second (optional) command you remove the encryption by inputting the encrypted file and outputting the results to a new plain text file. This can be done in one simple step if you don’t want the encryption to begin with:

    openssl genrsa -out plaintext.key 2048

    Then you can do the remaining steps for CSR and self-signing with that file. Just saves a step, an extra file, and possibly some confusion to someone new to this.
