Difference between revisions of "CSR Apache"

From Noah.org
(How to generate a CSR and self-signed certificate.)
 
 
(56 intermediate revisions by the same user not shown)
Latest revision as of 12:58, 2 September 2015


Certificate Signing Request Overview

There are two types of SSL certificates: certificates signed by a Certificate Authority (CA) and self-signed certificates (Snakeoil certs). Neither one is cryptographically stronger than the other. In other words, a snakeoil cert is not less secure or easier to break. A CA-signed certificate is simply an assurance by a neutral third party that you are who you say you are. This makes it difficult for someone else to impersonate your site. A self-signed cert means that no one is vouching for your identity, so a browser will display a warning when connecting to your site. The only way to get rid of this warning is to import the certificate into the trust store of every client that connects, which is practical on your own machines and nowhere else.

If you simply want to secure your own private web server then a self-signed Snakeoil cert is fine. The link will be secure from passive eavesdropping. It is not secure against an active attacker who substitutes a self-signed cert of their own, because the browser cannot tell the two apart unless you have imported yours into its trust store.

There are two types of CA-signed certificates: certs signed directly by a Root CA and certs signed by an Intermediate CA. A Root CA is implicitly trusted by most browsers (the browser comes preloaded with a list of trusted root certificates). Certs signed directly by a root were sold as "better" and cost more; those were the certs you got from Thawte and Verisign. An Intermediate CA signed certificate is signed by a CA whose own certificate is in turn signed by a Root CA. The browser does not go anywhere to fetch the intermediate: your server has to send the intermediate certificate along with its own during the TLS handshake, and the browser then chains the intermediate up to a root it already has. Forget to install the intermediate and the browser reports an unknown issuer (see "Certificate errors in the browser" below). Today nearly every CA, including DigiCert, Go Daddy and the Verisign and Thawte brands, signs from an intermediate rather than from its root, so plan on installing one. Intermediate CA certs are sometimes called "chained root certificates".

For more information see:

   Apache2 SSL
   OpenSSL

Brief Examples

These examples assume that you have done this before -- this is just a refresher. One thing that has changed since they were written: anything older than OpenSSL 1.1.0 still signs with SHA-1 by default and browsers reject SHA-1 certificates, so add -sha256 to the req commands on old installs.

One step snake-oil self-signed certificate

This one-liner makes both a key and a certificate. -batch takes the subject defaults from openssl.cnf without prompting and -nodes leaves the key unencrypted.

openssl req -x509 -batch -newkey rsa:2048 -days 3650 -nodes -keyout server.key -out server.crt

View Contents of important certificate files (CSR, CRT, and KEY)

openssl req -noout -text -in server.csr
openssl x509 -noout -text -in server.crt
openssl rsa -noout -text -in server.key

Generate Private Key

openssl genrsa -out server.key 2048

Generate CSR

openssl req -new -key server.key -out server.csr -sha256

Generate Self-Signed Certificate (no CSR)

openssl req -x509 -new -days 3650 -key server.key -out server.crt

Generate a PEM file

cat server.key server.crt > server.pem

Generate a private server key

Keep your server key private. You may also encrypt the server key, but then you will have to enter your key password every time you start your web server.

openssl genrsa -out server.key 2048

Make sure that no one can read your private server.key.

chmod 400 server.key

OPTIONAL -- Encrypt the server key

This will require that you enter your key password every time you start your web server. This means that the server cannot come up unattended when the machine boots (Apache's SSLPassPhraseDialog can run a program that supplies the pass phrase, but a script that hands over the password gives little more protection than an unencrypted key). I almost never do this.

openssl rsa -des3 -in server.key -out server.key

View contents of a private server key

openssl rsa -noout -text -in server.key

Generate a CA-signed certificate

A Certificate Authority such as Thawte or Verisign checks that you control the name you are asking for and then signs your certificate. You have to pay for this service (free CAs exist as well). It does not improve the crypto security. A CA merely lets your customers know that you are who you say you are.

First you have to generate a Certificate Signing Request (CSR) to give to a CA to obtain a CA-signed certificate:

Generate a Certificate Signing Request (CSR)

To get a signed certificate you need to request one by generating a Certificate Signing Request. Enter the following command:

openssl req -new -key server.key -out server.csr

You will be presented with a form to fill out. It's pretty simple. Just make sure that when you are asked for your "Common Name" that you enter your Fully Qualified Domain Name (FQDN) and that it exactly matches the name users type into the browser. That includes the www in www.example.com. Modern browsers ignore the Common Name entirely and only match the subjectAltName extension, so the CSR should also carry every hostname you serve (www.example.com and example.com) as DNS entries in subjectAltName. openssl req only adds that from a config file section (or, on OpenSSL 1.1.1 and later, the -addext option). Many CAs copy the CN into the SAN for you, but do not rely on it. For example:

Common Name (eg, YOUR name) []: www.example.com

The request is written to the file server.csr. No certificate exists yet; that comes back from the CA.

View contents of a CSR

openssl req -noout -text -in server.csr
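The interactive form above is fine once; for anything repeatable you want the subject and the subjectAltName in a config file so nothing depends on typing. The script below is an added example and not part of the original page: make_csr writes a minimal openssl config with a SAN for every hostname given, generates the key and the CSR, and csr_check does what a practitioner should do before pasting the CSR into a CA's web form: confirm the request's self-signature verifies, that the SAN is present, and that the public key in the CSR really came from server.key. The hostnames and the directory layout are placeholders; it assumes only that openssl 1.0.2 or later is on the PATH.

```shell
#!/bin/sh
# Added example, not from the original page: build a CSR non-interactively with
# a subjectAltName, then check what went into it before sending it to a CA.
# Assumes openssl 1.0.2 or later on the PATH. Hostnames are placeholders.
set -eu

# make_csr DIR FQDN [EXTRA_DNS...]: writes DIR/server.key and DIR/server.csr
make_csr() {
    dir=$1; fqdn=$2; shift 2
    san="DNS:$fqdn"
    for alt in "$@"; do san="$san,DNS:$alt"; done

    # prompt=no takes the DN from the file instead of stdin;
    # req_extensions adds the SAN that browsers match on (the CN is ignored).
    cat > "$dir/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C  = US
O  = Example Org
CN = $fqdn
[ext]
subjectAltName = $san
EOF
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 400 "$dir/server.key"
    openssl req -new -sha256 -config "$dir/csr.cnf" \
        -key "$dir/server.key" -out "$dir/server.csr"
}

# csr_check DIR FQDN: 0 if the CSR's self-signature verifies, FQDN is in the
# SAN, and the CSR's public key is the one derived from server.key; else 1.
csr_check() {
    dir=$1; fqdn=$2
    openssl req -noout -verify -in "$dir/server.csr" 2>&1 | grep -q 'verify OK' || return 1
    openssl req -noout -text -in "$dir/server.csr" | grep -q "DNS:$fqdn" || return 1
    [ "$(openssl req -noout -pubkey -in "$dir/server.csr")" = \
      "$(openssl pkey -pubout -in "$dir/server.key")" ]
}

# csr_subject DIR: the DN the CA will see
csr_subject() {
    openssl req -noout -subject -in "$1/server.csr"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_csr "$d" www.example.com example.com
    csr_check "$d" www.example.com && echo "CSR OK: $(csr_subject "$d")"
    rm -rf "$d"
fi
```

Run it with --demo to see the subject line; the public-key comparison in csr_check is the same test you will want later between server.crt and server.key, since openssl never checks that for you.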

Submit the CSR to your Certificate Authority

The CA will provide instructions on how to submit the CSR. Usually you have to paste it into a form on a web page. Once the CSR is processed, the CA will mail you a signed certificate.

Receive your certificate from your CA

The CA will usually email you back a link to download your new certificate, often together with the intermediate certificate it was signed with; keep both. Store the CA-signed certificate in the file server.crt.

Make sure that everyone can read your server.crt (it is public, unlike server.key):

chmod 444 server.crt

View fingerprint of a cert

Viewing the fingerprint of a cert is useful when you want to quickly compare a server certificate with a certificate stored in Mozilla Firefox. This may come up if you want to ensure that a new certificate is being served correctly or to debug certificate substitution issues behind a load balancer or proxy. The Firefox Certificate Manager shows fingerprints in the general view of a stored certificate: current versions show SHA-256 and SHA1, older ones showed SHA1 and MD5. You could switch to the Details view and compare the Certificate Signature Value with the server's cert, but this requires more navigation in the GUI. The following will show you the SHA1 fingerprint of a certificate on the server (use -sha256 in place of -sha1 for the SHA-256 one). You can compare this to the one shown in Firefox. The fingerprint is just a hash of the whole DER-encoded certificate, so it changes every time the cert is re-issued even if the key stays the same.

openssl x509 -noout -sha1 -fingerprint -in server.crt
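To make that last point concrete, here is an added example (not from the original page) that computes the fingerprint the long way, as a digest over the DER encoding of the certificate, and shows it equals what openssl prints; it also derives a public-key pin (base64 of SHA-256 over the SubjectPublicKeyInfo, the form curl --pinnedpubkey expects), which stays constant across re-issues with the same key. The function names and the throwaway certificate are my own; it assumes openssl 1.0.2 or later on the PATH.

```shell
#!/bin/sh
# Added example, not from the original page. Shows what a certificate
# fingerprint is (a digest of the DER-encoded certificate) so you can check the
# value openssl prints against the one a browser shows, and contrasts it with a
# public-key pin. Assumes openssl 1.0.2 or later on the PATH; the certificate
# is a throwaway generated with the page's own snake-oil one-liner.
set -eu

# fingerprint CRT ALG: openssl's own fingerprint, colons stripped, upper case
fingerprint() {
    openssl x509 -noout -fingerprint "-$2" -in "$1" | sed 's/^.*=//; s/://g'
}

# fingerprint_by_hand CRT ALG: the same value computed the long way: digest the
# DER form of the whole certificate. The CA's signature is part of the input,
# which is why the fingerprint changes on every re-issue even if the key does not.
fingerprint_by_hand() {
    openssl x509 -outform DER -in "$1" | openssl dgst "-$2" \
        | sed 's/^.* //' | tr 'abcdef' 'ABCDEF'
}

# pubkey_pin CRT: base64(SHA-256(SubjectPublicKeyInfo)). Only the key goes in,
# so the pin survives renewing the certificate with the same server.key.
pubkey_pin() {
    openssl x509 -noout -pubkey -in "$1" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary | openssl base64
}

# make_test_cert DIR: the page's one-step snake-oil command with a fixed subject
make_test_cert() {
    openssl req -x509 -batch -newkey rsa:2048 -days 3650 -nodes -sha256 \
        -subj "/CN=www.example.com" -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_test_cert "$d"
    echo "SHA256 fingerprint: $(fingerprint "$d/server.crt" sha256)"
    echo "computed by hand:   $(fingerprint_by_hand "$d/server.crt" sha256)"
    echo "public key pin:     $(pubkey_pin "$d/server.crt")"
    rm -rf "$d"
fi
```

The by-hand form is handy when all you have is a certificate pasted into a ticket and you want to check it against what a browser or a load balancer reports.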

Generate a Self-Signed Certificate (Snakeoil)

You can skip the CSR step and directly generate your own CRT file. This is sometimes known as a Snakeoil certificate, because it is not signed by a trusted third party such as Thawte or Verisign. This is useful for testing or for small, personal web sites. The encryption is just as good, but your browser will pop up a warning because it cannot vouch for the fact that you are who you say you are. The "-days 3650" option sets the certificate to expire in 10 years (very long lifetimes such as 100 years can fail, since dates that far out overflow 32-bit time on older builds).

This is the fastest way to make a cert. This will generate both a server key and a certificate with dummy values:

openssl req -x509 -batch -newkey rsa:2048 -days 3650 -nodes -keyout server.key -out server.crt

Use this command if you already have a server key:

openssl req -x509 -new -days 3650 -key server.key -out server.crt

View contents of a CRT

openssl x509 -noout -text -in server.crt

Snake Oil cert script

This script is old. It is shown here updated to Python 3 (subprocess in place of pexpect, open() in place of file(), and a subjectAltName section added); the openssl one-liners above do the same job with less machinery.

openssl req takes the subject from -subj, but extensions such as subjectAltName have to come from a config file (or, on OpenSSL 1.1.1 and later, the -addext option), so scripts usually end up writing a small config.

#!/usr/bin/env python3
# Writes an openssl config for a non-interactive CSR, then generates the key and
# the CSR. Usage: ./mkcsr.py example.com  (produces www.example.com.{config,key,csr})
import subprocess
import sys

config = """
[req]
prompt = no
distinguished_name = distinguished_name
req_extensions = req_ext
[ distinguished_name ]
C                      = US
ST                     = California
L                      = San Francisco
O                      = %(cn)s
OU                     = Engineering
CN                     = %(cn)s
emailAddress           = postmaster@%(dn)s
[ req_ext ]
# browsers match the subjectAltName, not the CN, so list every hostname here
subjectAltName         = DNS:%(cn)s, DNS:%(dn)s
"""

dn = sys.argv[1]
cn = 'www.' + dn
with open(cn + '.config', 'w') as fout:
    fout.write(config % locals())
# subprocess replaces the old pexpect.run; check=True stops on an openssl error.
subprocess.run(['openssl', 'genrsa', '-out', cn + '.key', '2048'], check=True)
# -days means nothing for a CSR (the CA sets the lifetime), so it is gone.
subprocess.run(['openssl', 'req', '-new', '-sha256', '-config', cn + '.config',
                '-key', cn + '.key', '-out', cn + '.csr'], check=True)

Cert Installation

Some systems such as security appliances (load balancers, hardware SSL) will want your SSL Cert as a single file. The Coyote Point Equalizer likes this. You can combine your server.key and server.crt files into a single file simply by concatenating them together. They are plain text files. Remember that the result contains your private key: give it the same 400 permissions as server.key, move it over an encrypted channel, and hand it only to the device that terminates TLS, never to something that merely needs to trust your certificate.

cat server.key server.crt > server.pem

This also works on Apache2: mod_ssl will find the key in the same file as the certificate.

Verify Server Certificate matches Server Key

The obvious check, run against a PEM file that has the Intermediate CA Cert, Server Cert, and Server Key all concatenated together, is:

openssl verify server.pem

Be clear about what this does and does not do. openssl verify reads the first certificate in the file (it skips the key block) and tries to build a chain from it to a root in the system trust store. The private key is never looked at, so a passing result says nothing about whether the CRT and the KEY agree. To check that, extract the public key from each side (openssl x509 -pubkey on the cert, openssl pkey -pubout on the key) and compare the two; they must be byte-for-byte identical.

Verify Intermediate Certification Authorities certificate bundle

For a budget certificate, where the CA also sent you an Intermediate CA Cert along with your Server Cert, the tempting command is:

openssl verify -CAfile server.pem server.pem

This is weaker than it looks: -CAfile makes every certificate in server.pem a trust anchor, the Server Cert included, so the command cannot tell you whether the chain actually reaches a root that a browser trusts. Verify the way a browser does instead: pass only the root with -CAfile (or rely on the system store) and supply the intermediate with -untrusted, then verify the Server Cert on its own. If that fails with error 20 you are missing the intermediate; see the section on that error near the end of this page. You don't need the intermediate at all if your Server Cert was signed directly by a Root Certificate Authority.
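The following script is an added example and not part of the original page. It builds a throwaway root -> intermediate -> server chain so that everything runs offline, and then performs the two checks the section above says openssl verify does not give you: key_matches_cert compares the public key in the certificate with the one derived from the key, and verify_chain runs openssl verify with the root as the only trust anchor and the intermediate passed via -untrusted, which is how a browser treats the chain your server sends. missing_intermediate_error verifies against the root alone and checks for the error 20 described later on this page, and bundle_for_server writes the cert-plus-intermediate file Apache or a load balancer wants, without the private key. All names (Example Root CA, www.example.com, the file names) are placeholders; it assumes openssl 1.0.2 or later on the PATH.

```shell
#!/bin/sh
# Added example, not from the original page. Builds a throwaway chain
# (root -> intermediate -> server) so the checks can run offline, then shows
# the two things "openssl verify server.pem" does not tell you: that the
# server cert and server key belong together, and that the chain links to a
# trusted root when the intermediate is supplied. Assumes openssl 1.0.2 or
# later on the PATH; every name here is a placeholder.
set -eu

# make_chain DIR: writes root.{key,crt}, int.{key,crt}, server.{key,csr,crt}
make_chain() {
    dir=$1
    cat > "$dir/chain.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.com
EOF
    # Root: self-signed with the CA profile (-subj overrides the placeholder DN).
    openssl req -x509 -config "$dir/chain.cnf" -extensions ca \
        -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    # Intermediate: a CSR signed by the root, still with the CA profile.
    openssl req -new -config "$dir/chain.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1825 -in "$dir/int.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/chain.cnf" -extensions ca -out "$dir/int.crt" 2>/dev/null
    # Server: a CSR signed by the intermediate with the leaf profile (SAN set).
    openssl req -new -config "$dir/chain.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.com" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/int.crt" -CAkey "$dir/int.key" -CAcreateserial \
        -extfile "$dir/chain.cnf" -extensions leaf -out "$dir/server.crt" 2>/dev/null
}

# key_matches_cert CRT KEY: 0 if the public key inside CRT is the one derived
# from KEY. This is the real "cert matches key" test; openssl verify never does it.
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# verify_chain DIR: the right invocation. The root is the only trust anchor
# (-CAfile); the intermediate is supplied but NOT trusted (-untrusted), exactly
# as a browser treats the chain the server sends.
verify_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/server.crt" >/dev/null 2>&1
}

# missing_intermediate_error DIR: verify the server cert against the root alone,
# which is what a browser sees when Apache is not sending the intermediate.
# Returns 0 if openssl reports error 20 (unable to get local issuer certificate).
missing_intermediate_error() {
    openssl verify -CAfile "$1/root.crt" "$1/server.crt" 2>&1 | grep -q 'error 20'
}

# bundle_for_server DIR: what to hand to Apache or a load balancer: the server
# cert followed by the intermediate. The root is not needed and the private key
# stays in its own mode-400 file. Prints the number of certificates written.
bundle_for_server() {
    cat "$1/server.crt" "$1/int.crt" > "$1/fullchain.pem"
    chmod 444 "$1/fullchain.pem"
    grep -c 'BEGIN CERTIFICATE' "$1/fullchain.pem"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_chain "$d"
    key_matches_cert "$d/server.crt" "$d/server.key" && echo "server.key matches server.crt"
    verify_chain "$d" && echo "chain verifies against the root with the intermediate supplied"
    missing_intermediate_error "$d" && echo "without the intermediate: error 20, as a browser would see it"
    echo "certificates in fullchain.pem: $(bundle_for_server "$d")"
    rm -rf "$d"
fi
```

For a real certificate you replace root.crt with your CA's root (or drop -CAfile to use the system store) and int.crt with the intermediate the CA sent you; the invocations stay the same.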

Encrypt your server key

If you want to require a password to start your web server then you must encrypt the key. This assumes that your key is not already encrypted. This will overwrite your key, so keep a copy until you have confirmed the new file loads. The command below uses -des3 because that is what older guides show; on any current OpenSSL use -aes256 instead, since 3DES is a legacy cipher. To encrypt use this command:

openssl rsa -des3 -in server.key -out server.key

Unencrypt your server key

You can remove the encryption from a server key. You may do this if you want to change the password: just remove the old encryption, then encrypt it again. To decrypt it, use this command (you will be prompted for the current pass phrase):

openssl rsa -in server.key -out server.key

How to configure Apache2 with Intermediate CA Certificates

Use these instructions if you are using an SSL Certificate with an intermediate certificate authority (a third-party CA signed certificate). The following lines will usually be in a <VirtualHost> section in httpd.conf or included from a line such as 'Include conf/extra/httpd-ssl.conf' in httpd.conf. The important thing is to get the intermediate certificate into the chain the server sends. On Apache 2.4.8 and later, mod_ssl reads any certificates that follow the server certificate in SSLCertificateFile and sends them as the chain, so a PEM file with the server cert followed by the intermediate is all you need. On Apache 2.2, and on 2.4 before 2.4.8, the chain must be given separately with SSLCertificateChainFile (see the Verisign example further down). SSLCACertificateFile is not the directive for this: it lists the CAs that Apache trusts when verifying client certificates, and pointing it at a file that also contains your private key does nothing useful. PEM format is just a text file where keys and certificates are concatenated together in a human-readable Base64-encoded text file. The PEM name originated from Privacy Enhanced Mail, but don't let that throw you -- nobody uses Privacy Enhanced Mail these days. You could also have the server Key, server Cert, and CA Cert in separate files; keeping the key out of the world-readable cert file is the safer habit.

    # server.pem: server cert first, then the intermediate(s). The key stays in server.key (mode 400).
    SSLCertificateKeyFile /var/www/usr/local/apache2/certs/www.example.com/server.key
    SSLCertificateFile /var/www/usr/local/apache2/certs/www.example.com/server.pem
    # Apache 2.2 and 2.4 before 2.4.8 only: supply the intermediate separately.
    # SSLCertificateChainFile /var/www/usr/local/apache2/certs/www.example.com/verisign_intermediate_ca.crt

Enable SSL in Ubuntu

openssl genrsa -out server.key 2048
openssl req -x509 -new -sha256 -days 3650 -key server.key -out server.crt
cat server.key server.crt > server.pem
a2enmod ssl
a2ensite default-ssl
# Point SSLCertificateFile and SSLCertificateKeyFile at server.crt and server.key (or both at server.pem):
vim /etc/apache2/sites-available/default-ssl.conf   # just default-ssl, without .conf, on Apache 2.2
service apache2 restart

Certificate errors in the browser

If you installed a Verisign certificate on your server and it seems to work under Internet Explorer but not in Firefox or Safari then it's probably because you need to install an intermediate certificate. You may get a warning like this from the browser:

Website Certified by an Unknown Authority
- Your browser does not recognize the Certificate Authority that issued the site's certificate.

It used to be that Verisign certs did not need an intermediate cert, but this is no longer the case. It's a simple matter to download Verisign's Intermediate CA Certificates. Internet Explorer hides the problem because Windows fetches a missing intermediate on its own; Firefox does not, which is why the two browsers disagree. Firefox also remembers intermediates it has seen on other sites, so the bug can stay hidden on your own machine and bite a fresh install. You need to have some lines like the following in your Apache configuration (note the line with SSLCertificateChainFile; on Apache 2.4.8 and later that directive is deprecated and you append the intermediate to the file named by SSLCertificateFile instead):

SSLCertificateFile /var/www/conf/ssl/certs/www.example.com.crt
SSLCertificateKeyFile /var/www/conf/ssl/certs/www.example.com.key
SSLCertificateChainFile /var/www/conf/ssl/certs/verisign_intermediate_ca.crt

error 20 at 0 depth lookup:unable to get local issuer certificate

You get this error when trying to use "openssl verify". It may be bad or it may be harmless. In practice it means openssl could not find the certificate that issued the one you are checking: either the intermediate is missing (give it with -untrusted, or add it to the -CAfile bundle) or the root is not in the trust store. A browser hitting your server sees the same failure when Apache is not sending the intermediate, so this is the error to reproduce locally before blaming the CA. Here is the definition from the OpenSSL docs:

20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate 
   the issuer certificate of a locally looked up certificate could not be found. This normally means the list of trusted certificates is not complete.

Error: SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)

This happens when Apache is misconfigured. It is not using SSL on port 443; it is just serving plaintext HTTP on port 443, usually because SSLEngine on is missing from the VirtualHost that listens on 443 or mod_ssl is not loaded. You can verify this by removing the s from your https URL and adding :443 just after the hostname. Then check that your browser can view normal HTTP traffic. If it can then port 443 is unencrypted. https://localhost/ --> http://localhost:443