Difference between revisions of "CSR Apache"

From Noah.org
Line 1: Line 1:
From the
 
[http://www.modssl.org/docs/2.8/ssl_faq.html#cert-real|modssl FAQ]
 
  
There are two acceptable types of SSL certificates: certificates signed by a Certificate Authority (CA) and self-signed certificates. Prior to generating the certificate, decide which is best for your environment.
+
There are two types of SSL certificates: certificates signed by a Certificate Authority (CA) and self-signed certificates (Snakeoil Certs). Neither one is cryptographically stronger than the other. In other words, a snakeoil cert is <b>not</b> less secure or easier to break. If you are simply want to secure your own private web server
 +
then a Snakeoil cert is fine.
  
For more information on OpenSSL, go to:
+
For more information see:
  
     http://www.openssl.org
+
     [http://httpd.apache.org/docs/2.0/ssl/ Apache2 SSL]
 +
    [http://www.openssl.org OpenSSL]
  
 
== generate a private server key ==
 
== generate a private server key ==
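Review bot: the replacement intro paragraph (the line beginning "There are two types of SSL certificates") says a snakeoil cert is "not less secure or easier to break"; that is true of key and cipher strength, but a self-signed certificate gives a client no way to tell the real server from anyone else presenting a self-signed certificate for the same name unless the client already trusts that specific certificate, so "secure your own private web server" should be qualified with distributing the certificate to your own clients, otherwise users meet a browser warning on every visit and learn to click through it. Smaller points in the same lines: "If you are simply want to secure" should read "If you simply want to secure", and the removed "From the modssl FAQ" link was the source attribution for the old paragraph; if the unchanged text below still derives from that FAQ, keep the link.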
Line 49: Line 49:
 
== Generating a Self-Signed Certificate ==
 
== Generating a Self-Signed Certificate ==
  
Follow these steps to generate a self-signed certificate:
+
foo
  
  1. Log in as root.
+
== Cert Installation ==
  
  2. Be sure the openssl program is accessible via the environment path. The openssl program is located in the following directory:
+
Some systems such as security appliances (load balancers, hardware SSL) will want your SSL Cert as a single file. The Coyote Point Equalizer is like this. You can combine your server.key and server.crt files into a single file simply by concatinating them together. They are plain text files.
 
+
<pre>
          /usr/local/openssl096g/bin
+
    cat server.key server.csr > server.pem
 
+
</pre>
  3. Enter the following command:
 
 
 
          openssl req -x509 -new -key server.key -out server.crt
 
 
 
  4. The following message and series of attributes appear. Be sure to remember all attribute values specified.
 
 
 
You are about to be asked to enter information that
 
will be incorporated into your certificate request.
 
What you are about to enter is what is called a
 
Distinguished Name or a DN. There are quite a few
 
fields but you can leave some blank. For some fields
 
there will be a default value.
 
If you enter '.', the field will be left blank.
 
-----
 
Country Name (2 letter code) [AU]:
 
State or Province Name (full name) [Some-State]:
 
Locality Name (eg, city) []:
 
Organization Name (eg, company) [Internet Widgits \
 
Pty Ltd]:
 
Organizational Unit Name (eg, section) []:
 
Common Name (eg, YOUR name) []:
 
Email Address []:
 
 
 
      The certificate is generated and stored in the file server.crt.
 
 
 
  5. Encrypt the key to prevent the key from being compromised.
 
 
 
          Note: This step is optional. Encrypting the key enhances key security. Once the key is encrypted, any program that needs to access the key will require a user-provided pass phrase. For secure mode operations, this pass phrase is required each time the server starts.
 
 
 
      To encrypt the key, run the following command and type a pass phrase when prompted:
 
 
 
          openssl rsa -des3 -in server.key -out server.key.crypt
 
 
 
read RSA key
 
writing RSA key
 
Enter PEM pass phrase:
 
Verifying password - Enter PEM pass phrase:
 
 
 
  6. Enter the following command:
 
 
 
          mv server.key.crypt server.key
 
 
 
  7. Relocate the files by entering the following commands:
 
 
 
          mkdir TNHOME/etc/httpd/conf/ssl.crt
 
 
 
          mkdir TNHOME/etc/httpd/conf/ssl.key
 
 
 
          chown root server.crt server.key
 
 
 
          chmod 444 server.crt
 
 
 
          chmod 400 server.key
 
 
 
          mv server.crt TNHOME/etc/httpd/conf/ssl.crt
 
 
 
          mv server.key TNHOME/etc/httpd/conf/ssl.key
 
 
 
  8. Restart the HTTP server by entering the following:
 
 
 
          cd /TNHOME/usr/sbin
 
 
 
          ./tnfwshut
 
 
 
          ./tnfwstart
 
  
  9. Enter the pass phrase (if the key is encrypted).
+
This also works on Apache2.
  10. Go to section 2.2 Configuring SSL Support for Secure Framework Sessions of the TAS Administration Manual to complete SSL configuration.
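Review bot: the new <pre> block reads `cat server.key server.csr > server.pem`, but the sentence above it says the bundle is server.key plus server.crt; server.csr is the signing request, not a certificate, so an appliance loading this file gets a private key with no certificate. Suggest `cat server.key server.crt > server.pem`. Two further points in the same hunk: the whole self-signed procedure (steps 1 through 10) is replaced by the placeholder "foo", which also removes the only self-signed command on the page, `openssl req -x509 -new -key server.key -out server.crt`, from the current text; and since server.pem now contains the private key it needs the `chmod 400` the page applies to server.key rather than the 444 used for server.crt. Also "concatinating" should be "concatenating".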
 

Revision as of 15:55, 16 August 2006

There are two types of SSL certificates: certificates signed by a Certificate Authority (CA) and self-signed certificates (Snakeoil Certs). Neither one is cryptographically stronger than the other. In other words, a snakeoil cert is not less secure or easier to break. If you simply want to secure your own private web server then a Snakeoil cert is fine.

For more information see:

   Apache2 SSL: http://httpd.apache.org/docs/2.0/ssl/
   OpenSSL: http://www.openssl.org

generate a private server key

1. Enter the following command:

   openssl genrsa -out server.key 1024

generate a CA-signed certificate

A Certificate Authority such as Thawte or Verisign verifies certificates. You have to subscribe to this service. It does not improve the crypto security. A CA merely lets your customers know that you are who you say you are.

First you have to generate a Certificate Signing Request (CSR) to give to a CA to obtain a CA-signed certificate:

1. Enter the following command:

   openssl req -new -key server.key -out server.csr

2. You will be presented with a form to fill out. It's pretty simple. Just make sure that when you are asked for your "Common Name" that you enter your Fully Qualified Domain Name (FQDN) and that it exactly matches the domain name of your server. That includes the www in www.example.com. For example:

Common Name (eg, YOUR name) []: www.example.com

The certificate is generated and stored in the file server.crt.

3. OPTIONAL -- Encrypt the key to prevent the key from being compromised. This will require that you enter your key password every time you start your web server. This means that you cannot have the server start automatically when the machine boots. I almost never do this.

   openssl rsa -des3 -in server.key -out server.key.crypt

4. Make sure that no one can read your private server.key.

   chmod 400 server.key

5. Submit the CSR to your CA. The CA will provide instructions on how to submit the CSR. Usually you have to paste it into a form on a web page. Once the CSR is processed, the CA will mail you a signed certificate.

6. Store the CA-signed certificate in the file server.crt.

7. Make sure that everyone can read your server.crt:

   chmod 444 server.crt

Generating a Self-Signed Certificate

foo

Cert Installation

Some systems such as security appliances (load balancers, hardware SSL) will want your SSL Cert as a single file. The Coyote Point Equalizer is like this. You can combine your server.key and server.crt files into a single file simply by concatenating them together. They are plain text files.

    cat server.key server.crt > server.pem

This also works on Apache2.
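The flow the page walks through (private key, CSR with the FQDN as Common Name, the self-signed certificate from the earlier revision's `openssl req -x509` step, the file permissions, and the single-file bundle) as an added shell example; it is not code from the wiki page or from the Apache or OpenSSL projects. It assumes a POSIX sh with the openssl CLI on PATH, uses a 2048-bit key where the page uses 1024, passes the subject with -subj so nothing is prompted, and the FQDN www.example.com and the "Example Org" subject fields are constructed values; the helper names (gen_key, gen_csr, gen_selfsigned, csr_cn, bundle_pem, check_bundle) are this example's own. check_bundle exists to catch exactly the mistake a bundle can hide: a file built from server.csr instead of server.crt contains no certificate, and a certificate that was issued for some other key does not match the private key next to it.

```shell
#!/bin/sh
# Added example, not from the wiki page or the Apache/OpenSSL docs: the page's
# key -> CSR -> self-signed cert -> single-file bundle flow as functions, plus a
# check that the bundle really holds a certificate matching the key.
# Assumptions: POSIX sh, openssl CLI on PATH, a 2048-bit key (page uses 1024),
# and a subject passed with -subj so nothing is prompted. The FQDN and the
# organisation in the subject are constructed values.
set -eu

SUBJ_PREFIX="/C=US/ST=California/L=San Francisco/O=Example Org"   # constructed

# Private key; only the owner may read it (page: chmod 400 server.key).
gen_key() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    chmod 400 "$1/server.key"
}

# CSR for the CA. The Common Name must be the exact FQDN clients will use.
gen_csr() {
    openssl req -new -key "$1/server.key" -out "$1/server.csr" \
        -subj "$SUBJ_PREFIX/CN=$2"
}

# Self-signed (snakeoil) certificate from the same key; world-readable is fine.
gen_selfsigned() {
    openssl req -x509 -new -key "$1/server.key" -out "$1/server.crt" \
        -days 365 -subj "$SUBJ_PREFIX/CN=$2"
    chmod 444 "$1/server.crt"
}

# Common Name the CSR actually carries (handles 1.x "/CN=x" and 3.x "CN = x").
csr_cn() {
    openssl req -in "$1/server.csr" -noout -subject |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# One-file bundle for appliances: private key first, then the *certificate*.
# The bundle carries the key, so it gets the key's permissions, not the cert's.
bundle_pem() {
    rm -f "$1/server.pem"                 # an earlier 400 bundle is not writable
    cat "$1/server.key" "$1/$2" > "$1/server.pem"
    chmod 400 "$1/server.pem"
}

# Validate a bundle: it must contain a certificate (a CSR is not one), and the
# certificate's public key must be the one belonging to the private key.
check_bundle() {
    grep -q 'BEGIN CERTIFICATE-----' "$1" || return 1
    keypub=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    certpub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    [ "$keypub" = "$certpub" ]
}

demo() {
    work=$(mktemp -d); fqdn=www.example.com
    gen_key "$work"; gen_csr "$work" "$fqdn"; gen_selfsigned "$work" "$fqdn"
    echo "CSR Common Name: $(csr_cn "$work")"

    bundle_pem "$work" server.crt
    check_bundle "$work/server.pem" && echo "key + server.crt: valid bundle"

    bundle_pem "$work" server.csr         # the request instead of the cert
    check_bundle "$work/server.pem" || echo "key + server.csr: no certificate, rejected"

    # A certificate issued for some other key must not pass either.
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$work/other.key" \
        -out "$work/other.crt" -days 1 -subj "$SUBJ_PREFIX/CN=$fqdn" 2>/dev/null
    bundle_pem "$work" other.crt
    check_bundle "$work/server.pem" || echo "key + other.crt: key mismatch, rejected"
    rm -rf "$work"
}

command -v openssl >/dev/null 2>&1 && demo
```

Running the script as-is executes demo in a temporary directory and removes it afterwards; to use the functions on a real server, source the file and call gen_key, gen_csr and (for a snakeoil setup) gen_selfsigned with the directory and FQDN, then bundle_pem with server.crt only after the CA-signed certificate has replaced the self-signed one. check_bundle compares the SubjectPublicKeyInfo of the key and of the certificate, so it also catches the quieter failure where a renewed certificate is bundled with last year's key.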