CSR Apache

From Noah.org
Revision as of 15:27, 20 July 2006 by Root (Talk | contribs) (How to generate a CSR and self-signed certificate.)


From the FAQ

There are two acceptable types of SSL certificates: certificates signed by a Certificate Authority (CA) and self-signed certificates. Prior to generating the certificate, decide which is best for your environment.

For more information on OpenSSL, go to:

   http://www.openssl.org

Creating a Private Key

Follow these steps to create a private key:

  1. Log in as root.
  2. Be sure the openssl program is accessible via the environment path. The openssl program is located in the following directory:
         /usr/local/openssl096g/bin
  3. Enter the following command:
         openssl genrsa -out server.key -rand file1:file2:...:fileN 1024
     where file1 through fileN are files containing random data, such as a large log, or other dynamic files (e.g., /var/adm/messages.0). The number of files to be used containing random data is optional, but at least one must be specified.
  4. A private key is created and written to the file server.key.
  5. Based on the type of certificate to be generated, refer to the appropriate instructions:
          * Generating a CA-signed Certificate
          * Generating a Self-signed Certificate

Generating a CA-Signed Certificate

Follow these steps to generate a Certificate Signing Request (CSR) and obtain a CA-signed certificate:

  1. Log in as root.
  2. Be sure the openssl program is accessible via the environment path. The openssl program is located in the following directory:
         /usr/local/openssl096g/bin
  3. Enter the following command:
         openssl req -new -key server.key -out server.csr
  4. The following message and series of attributes appear. Be sure to remember all attribute values specified.

Using configuration from /usr/local/openssl096g/ssl/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value.
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

     The certificate signing request is generated and stored in the file server.csr.
  5. OPTIONAL -- Encrypt the key to prevent the key from being compromised. This will require that you enter your key password every time you start your web server. This means that you cannot have the server start automatically when the machine boots.
     To encrypt the key, run the following command and type a pass phrase when prompted:
         openssl rsa -des3 -in server.key -out server.key.crypt

read RSA key
writing RSA key
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

  6. Enter the following command:
         mv server.key.crypt server.key
  7. Submit the CSR to the chosen CA. The CA will provide instructions on how to submit the CSR. Once the CSR is processed, the CA will return a signed certificate.
  8. Store the CA-signed certificate in the file server.crt.
  9. Relocate the files by entering the following commands:
         mkdir TNHOME/etc/httpd/conf/ssl.crt
         mkdir TNHOME/etc/httpd/conf/ssl.key
         chown root server.crt server.key
         chmod 444 server.crt
         chmod 400 server.key
         mv server.crt TNHOME/etc/httpd/conf/ssl.crt
         mv server.key TNHOME/etc/httpd/conf/ssl.key
 10. Restart the HTTP server:
     Apache2:
         apachectl start
     Apache1:
         apachectl startssl
 11. Enter the pass phrase (if the key is encrypted).

Generating a Self-Signed Certificate

Follow these steps to generate a self-signed certificate:

  1. Log in as root.
  2. Be sure the openssl program is accessible via the environment path. The openssl program is located in the following directory:
         /usr/local/openssl096g/bin
  3. Enter the following command:
         openssl req -x509 -new -key server.key -out server.crt
  4. The following message and series of attributes appear. Be sure to remember all attribute values specified.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value.
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

     The certificate is generated and stored in the file server.crt.
  5. Encrypt the key to prevent the key from being compromised.
         Note: This step is optional. Encrypting the key enhances key security. Once the key is encrypted, any program that needs to access the key will require a user-provided pass phrase. For secure mode operations, this pass phrase is required each time the server starts.
     To encrypt the key, run the following command and type a pass phrase when prompted:
         openssl rsa -des3 -in server.key -out server.key.crypt

read RSA key
writing RSA key
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

  6. Enter the following command:
         mv server.key.crypt server.key
  7. Relocate the files by entering the following commands:
         mkdir TNHOME/etc/httpd/conf/ssl.crt
         mkdir TNHOME/etc/httpd/conf/ssl.key
         chown root server.crt server.key
         chmod 444 server.crt
         chmod 400 server.key
         mv server.crt TNHOME/etc/httpd/conf/ssl.crt
         mv server.key TNHOME/etc/httpd/conf/ssl.key
  8. Restart the HTTP server by entering the following:
         cd /TNHOME/usr/sbin
         ./tnfwshut
         ./tnfwstart
  9. Enter the pass phrase (if the key is encrypted).
 10. Go to section 2.2 Configuring SSL Support for Secure Framework Sessions of the TAS Administration Manual to complete SSL configuration.
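As an added example that is not part of the original wiki page, the POSIX shell script below runs the three procedures above (private key, CSR for a CA, self-signed certificate) non-interactively and adds the checks worth running before the files are moved under ssl.key and ssl.crt: that the CSR's self-signature verifies, that the key's RSA modulus matches both the CSR and the certificate (a mismatch means the wrong key was kept or submitted), that the certificate is currently valid, that server.key ended up mode 400, and that the pass-phrase-protected copy is really encrypted. It assumes an openssl 1.1.x or 3.x binary on PATH; it uses a 2048-bit key (public CAs no longer accept the 1024-bit keys shown above) and AES-256 in place of -des3, supplies the DN with -subj instead of answering prompts, and writes its own minimal config so `openssl req` does not depend on the system openssl.cnf. The DN, file names, pass phrase and the throwaway directory are constructed demo values.

```shell
#!/bin/sh
# Added example (not from the wiki page): scripted key/CSR/self-signed cert
# generation plus the sanity checks a practitioner runs before installing them.
# Assumes openssl 1.1.x or 3.x on PATH. All names below are demo values.
set -eu

# Minimal config so `openssl req` works without the system openssl.cnf.
# The DN comes from -subj, so the distinguished_name section stays empty.
write_min_config() {  # write_min_config CONFIGFILE
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1"
}

# RSA private key, locked down immediately (the page's chmod 400 step).
gen_key() {  # gen_key KEYFILE BITS
    openssl genrsa -out "$1" "$2" 2>/dev/null
    chmod 400 "$1"
}

# CSR for a CA: same as `openssl req -new -key server.key -out server.csr`.
gen_csr() {  # gen_csr KEYFILE CSRFILE SUBJECT CONFIGFILE
    openssl req -new -key "$1" -out "$2" -subj "$3" -config "$4"
}

# Self-signed cert: same as `openssl req -x509 -new -key server.key -out server.crt`.
gen_selfsigned() {  # gen_selfsigned KEYFILE CRTFILE SUBJECT CONFIGFILE DAYS
    openssl req -x509 -new -key "$1" -out "$2" -subj "$3" -config "$4" -days "$5"
}

# Pass-phrase protect the key at rest (page step 5). AES-256 instead of -des3;
# -passout keeps the demo non-interactive, real use would prompt.
encrypt_key() {  # encrypt_key KEYFILE OUTFILE PASSPHRASE
    openssl rsa -aes256 -in "$1" -out "$2" -passout "pass:$3" 2>/dev/null
    chmod 400 "$2"
}

# Does this private key belong to the CSR or certificate? Compare RSA moduli.
key_matches() {  # key_matches KEYFILE CSR_OR_CRT  -> exit 0 when they pair up
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    if grep -q 'BEGIN CERTIFICATE REQUEST' "$2"; then
        other_mod=$(openssl req -noout -modulus -in "$2")
    else
        other_mod=$(openssl x509 -noout -modulus -in "$2")
    fi
    [ -n "$key_mod" ] && [ "$key_mod" = "$other_mod" ]
}

# The CSR's own signature must verify or the CA will reject it.
csr_verifies() {  # csr_verifies CSRFILE
    openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# -checkend 0 fails once the certificate has expired.
cert_is_current() {  # cert_is_current CRTFILE
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# Subject line, for a quick look at the CN before installing.
cert_subject() {  # cert_subject CRTFILE
    openssl x509 -noout -subject -in "$1"
}

# Private key must be exactly mode 400 (page: chmod 400 server.key).
key_is_locked_down() {  # key_is_locked_down KEYFILE
    [ -n "$(find "$1" -perm 400)" ]
}

# PEM marker present in both legacy (Proc-Type) and PKCS#8 encrypted keys.
key_is_encrypted() {  # key_is_encrypted KEYFILE
    grep -q 'ENCRYPTED' "$1"
}

# Run one check, report it, and fail loudly (set -e stops the script).
check() {  # check LABEL COMMAND ARGS...
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; return 1; fi
}

# Demonstration in a throwaway directory with constructed values.
demo() {
    dir=$(mktemp -d)
    subj='/C=US/ST=California/L=San Francisco/O=Example Org/CN=www.example.com'
    write_min_config "$dir/req.cnf"
    gen_key "$dir/server.key" 2048
    gen_csr "$dir/server.key" "$dir/server.csr" "$subj" "$dir/req.cnf"
    gen_selfsigned "$dir/server.key" "$dir/server.crt" "$subj" "$dir/req.cnf" 365
    encrypt_key "$dir/server.key" "$dir/server.key.crypt" 'demo-pass-phrase'
    check "CSR self-signature verifies"   csr_verifies "$dir/server.csr"
    check "key modulus matches CSR"       key_matches "$dir/server.key" "$dir/server.csr"
    check "key modulus matches cert"      key_matches "$dir/server.key" "$dir/server.crt"
    check "certificate currently valid"   cert_is_current "$dir/server.crt"
    check "server.key is mode 400"        key_is_locked_down "$dir/server.key"
    check "server.key.crypt is encrypted" key_is_encrypted "$dir/server.key.crypt"
    cert_subject "$dir/server.crt"
    rm -rf "$dir"
}
demo
```

Run it as `sh csr-check.sh`; every line should read `ok`, followed by the certificate subject. The modulus comparison is the check that catches the most common real mistake in this procedure: renaming or regenerating server.key after the CSR was submitted, which leaves a CA-signed server.crt that Apache cannot pair with the key on disk.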