CSR Apache
Certificate Signing Request Overview
There are two kinds of SSL/TLS certificates: certificates signed by a Certificate Authority (CA) and self-signed certificates (snakeoil certs). Neither one is cryptographically stronger than the other: the key size and signature algorithm decide that, not who signed the certificate, so a snakeoil cert is not easier to break. A CA-signed certificate is simply an assurance by a neutral third party that the name in the certificate really belongs to you, which makes it difficult for someone else to impersonate your site. With a self-signed cert nobody is vouching for you, so a browser will always warn the user when connecting to your site unless that certificate has been explicitly added to its trust store.
If you simply want to secure your own private web server, a snakeoil cert is fine.
For more information see:
Apache2 SSL OpenSSL
Brief Examples
These assume that you have done this before:
Generate Private Key
openssl genrsa -out server.key 2048
Generate CSR
openssl req -new -key server.key -out server.csr
Generate Self-Signed Certificate (no CSR)
openssl req -x509 -new -days 36500 -key server.key -out server.crt
generate a private server key
Keep your server key private. You may also encrypt the server key, but then you will have to enter the key password every time you start your web server. Use at least a 2048-bit RSA key; 1024-bit keys are no longer accepted by browsers or CAs.
openssl genrsa -out server.key 2048
Make sure that no one can read your private server.key.
chmod 400 server.key
OPTIONAL -- Encrypt the server key
This will require that you enter your key password every time you start your web server, which means the server cannot start automatically when the machine boots. I almost never do this.
openssl rsa -aes256 -in server.key -out server.key
View contents of a private server key
openssl rsa -noout -text -in server.key
generate a CA-signed certificate
A Certificate Authority such as Thawte or Verisign signs certificates after checking that the requester controls the name in the request. You have to subscribe to this service. It does not improve the crypto security; a CA merely lets your customers know that you are who you say you are.
First you have to generate a Certificate Signing Request (CSR) to give to a CA to obtain a CA-signed certificate:
Generate a Certificate Signing Request (CSR)
To get a signed certificate you need to request one by generating a Certificate Signing Request. Enter the following command:
openssl req -new -key server.key -out server.csr
You will be presented with a form to fill out. It's pretty simple. Just make sure that when you are asked for your "Common Name" you enter the Fully Qualified Domain Name (FQDN) of your server, exactly as clients will type it. That includes the www in www.example.com. For example:
Common Name (eg, YOUR name) []: www.example.com
The request is stored in the file server.csr; there is no certificate yet. Note that current browsers match the host name against the certificate's subjectAltName (SAN) extension rather than the Common Name, so make sure every name your clients use ends up in the SAN list (most CAs copy the Common Name into it automatically).
View contents of a CSR
openssl req -noout -text -in server.csr
Submit the CSR to your Certificate Authority
The CA will provide instructions on how to submit the CSR. Usually you paste it into a form on a web page. Send only the CSR; the private key never leaves your server. Once the CSR is processed, the CA will mail you a signed certificate.
Receive your certificate from your CA
The CA will usually email you a link to download your new certificate. Store the CA-signed certificate in the file server.crt, and keep any intermediate (chain) certificate the CA sends along with it, because browsers need the full chain.
Make sure that everyone can read your server.crt:
chmod 444 server.crt
Generating a Self-Signed Certificate
You can skip the CSR step and directly generate your own CRT file. This is sometimes known as a snakeoil certificate, because it is not signed by a trusted third party such as Thawte or Verisign. This is useful for testing or for small, personal web sites. The encryption is just as good, but your browser will pop up a warning because it cannot vouch for the fact that you are who you say you are. Current browsers also require the host name in a subjectAltName extension, not just in the Common Name, before they will accept the certificate even after you import it. The "-days 36500" option sets the certificate to expire in 100 years.
openssl req -x509 -new -days 36500 -key server.key -out server.crt
View contents of a CRT
openssl x509 -noout -text -in server.crt
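The key, CSR and self-signed certificate steps above, scripted end to end as an added example; this is not code from the original page. It assumes OpenSSL 1.1.1 or later (for "req -addext"), and the host names www.example.com and example.com and the file names are placeholders. It goes one step beyond the interactive form shown above: the subject is passed with -subj so nothing prompts, and a subjectAltName extension is added, because browsers match the host name against the SAN list rather than the Common Name.

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive key, CSR and
# self-signed cert with a subjectAltName. Assumes OpenSSL >= 1.1.1 for -addext.
# www.example.com / example.com are placeholder host names.
set -u

# Generate a 2048-bit RSA private key; the subshell umask makes it owner-readable only.
make_key() {            # make_key <keyfile>
    ( umask 077; openssl genrsa -out "$1" 2048 2>/dev/null )
}

# Build the SAN extension string for one or more host names, e.g.
#   san_ext www.example.com example.com
#   -> subjectAltName=DNS:www.example.com,DNS:example.com
san_ext() {
    _ext="subjectAltName="
    for _h in "$@"; do
        _ext="${_ext}DNS:${_h},"
    done
    printf '%s' "${_ext%,}"
}

# Create a CSR. The first host becomes the CN; every host also goes into the SAN.
make_csr() {            # make_csr <keyfile> <csrfile> <host> [host...]
    _key=$1; _csr=$2; shift 2
    openssl req -new -batch -key "$_key" -out "$_csr" \
        -subj "/CN=$1" -addext "$(san_ext "$@")" 2>/dev/null
}

# Create a self-signed certificate with the same CN/SAN handling (no CSR needed).
make_selfsigned() {     # make_selfsigned <keyfile> <crtfile> <days> <host> [host...]
    _key=$1; _crt=$2; _days=$3; shift 3
    openssl req -x509 -new -batch -key "$_key" -out "$_crt" -days "$_days" \
        -subj "/CN=$1" -addext "$(san_ext "$@")" 2>/dev/null
}

# Return 0 if the CSR or certificate lists <host> in its subjectAltName.
# The PEM header tells us whether to decode it with "req" or "x509".
has_san() {             # has_san <pemfile> <host>
    if grep -q 'BEGIN CERTIFICATE REQUEST' "$1"; then _cmd=req; else _cmd=x509; fi
    openssl "$_cmd" -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' \
        | grep -q -E "DNS:$2(,|$)"
}

# Demonstration in a throwaway directory: key -> CSR -> self-signed cert.
demo() {
    _d=$(mktemp -d) || return 1
    make_key "$_d/server.key" &&
    make_csr "$_d/server.key" "$_d/server.csr" www.example.com example.com &&
    make_selfsigned "$_d/server.key" "$_d/server.crt" 365 www.example.com example.com &&
    has_san "$_d/server.csr" example.com &&
    has_san "$_d/server.crt" www.example.com
    _rc=$?
    rm -rf "$_d"
    return $_rc
}

demo && echo "key, CSR and self-signed certificate generated with SAN"
```

Inspect the result with the "openssl req -noout -text" and "openssl x509 -noout -text" commands shown above; the "X509v3 Subject Alternative Name" line is what a browser actually checks against the URL.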
Cert Installation
Some systems such as security appliances (load balancers, hardware SSL accelerators) want your key and certificate as a single file. The Coyote Point Equalizer likes this. You can combine your server.key and server.crt files into a single file simply by concatenating them together. They are plain text (PEM) files. Because the combined file contains your private key, protect it exactly like server.key (readable by the owner only).
cat server.key server.crt > server.pem
This also works on Apache2: point SSLCertificateFile at server.pem and omit SSLCertificateKeyFile.
Cert check validity
Note that "openssl verify" does not check that the key and certificate agree. It checks that the certificate chains to a trusted CA, so running it on a self-signed server.pem reports "self signed certificate" and fails. To check the chain, give it the CA bundle (the intermediate and root certificates your CA supplied):
openssl verify -CAfile ca-bundle.crt server.crt
To check that server.crt really belongs to server.key, extract the public key from each and compare them; they must be identical.
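The two checks described above, as an added example that is not part of the original page: one function compares the public key carried in the private key file with the one embedded in the certificate, the other runs "openssl verify" against a CA file. The self-test generates throwaway keys and certificates for www.example.com (a placeholder) and includes a deliberate mismatch so the negative case is exercised too.

```shell
#!/bin/sh
# Added example (not from the original page): check that a certificate was
# issued for a given private key, and validate a certificate against a CA file.
set -u

# Print the public key (SubjectPublicKeyInfo, PEM) derived from a private key.
pub_from_key() {        # pub_from_key <keyfile>
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Print the public key embedded in a certificate, in the same PEM form.
pub_from_cert() {       # pub_from_cert <crtfile>
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null
}

# Return 0 when the key and certificate carry the same public key, else 1.
# Comparing the whole public key works for RSA and EC keys alike, unlike the
# older trick of comparing RSA moduli.
key_matches_cert() {    # key_matches_cert <keyfile> <crtfile>
    _k=$(pub_from_key "$1") || return 1
    _c=$(pub_from_cert "$2") || return 1
    [ -n "$_k" ] && [ "$_k" = "$_c" ]
}

# Return 0 when the certificate chains to a certificate in <cafile>.
# This is what "openssl verify" checks: trust, not key/cert agreement.
chains_to() {           # chains_to <cafile> <crtfile>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Self-check on throwaway material: a matching pair, a wrong key, and a
# certificate signed by someone else.
demo() {
    _d=$(mktemp -d) || return 1
    openssl genrsa -out "$_d/a.key" 2048 2>/dev/null &&
    openssl genrsa -out "$_d/b.key" 2048 2>/dev/null &&
    openssl req -x509 -new -batch -key "$_d/a.key" -out "$_d/a.crt" -days 30 \
        -subj "/CN=www.example.com" 2>/dev/null &&
    openssl req -x509 -new -batch -key "$_d/b.key" -out "$_d/b.crt" -days 30 \
        -subj "/CN=www.example.com" 2>/dev/null &&
    key_matches_cert "$_d/a.key" "$_d/a.crt" &&     # right key
    ! key_matches_cert "$_d/b.key" "$_d/a.crt" &&   # wrong key
    chains_to "$_d/a.crt" "$_d/a.crt" &&            # self-signed cert as its own anchor
    ! chains_to "$_d/a.crt" "$_d/b.crt"             # b.crt is not trusted by a.crt
    _rc=$?
    rm -rf "$_d"
    return $_rc
}

demo && echo "key/cert agreement and chain checks behave as expected"
```

On a production box run key_matches_cert against server.key and server.crt before restarting Apache; a mismatch is the usual cause of "key values mismatch" errors at startup. Run chains_to with the CA bundle from your CA to confirm the chain you are about to serve.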
Encrypt your server key
If you want to require a password to start your web server, encrypt the key. This assumes that your key is not already encrypted. This will overwrite your key, so keep a backup until you have confirmed the password works. (-des3 also works, but 3DES is a legacy cipher; prefer AES.)
openssl rsa -aes256 -in server.key -out server.key
Decrypt your server key
You can remove the encryption from a server key. You may do this if you want to change the password: remove the old encryption, then encrypt it again with the new password. To decrypt:
openssl rsa -in server.key -out server.key