I thought I might quickly throw up a small how-to on creating an SSL certificate. In any article on my site that walks you through a web platform (CMS, LMS, etc.), I will always recommend that you use an SSL certificate on your website.
An SSL set-up consists of three parts: a private key, which stays on the server and is what proves to clients that the server is the legitimate holder of the certificate (it is not used to "decrypt" the certificate itself); the certificate, which binds the matching public key to your server's name and carries the signature of whoever issued it; and, in most cases, a CSR (Certificate Signing Request), which is the file you hand to the issuer so that they can produce the certificate.
The process of creating a certificate is as follows:
1. Create your private key
2. Create a Certificate Signing Request
3. Have an official Certificate Authority issue your certificate from the CSR (recommended), or create a self-signed certificate yourself.
The reason I recommend using an official Certificate Authority is that your clients' browsers need to trust the certificate's issuer. If your user base is around 500 people, for example, the last thing you want is 500 people ringing you up to say "I don't know what to do, it says it might be dangerous to trust this site". Don't forget that a self-signed certificate has no issuer that any browser trusts by default, so every user will see that warning.
My own advice here would be: use a real Certificate Authority. It will cost a bit of money, but it will help turn that frown upside down!
So let's crack on with making your own certificate.
Start by creating your private key. In this situation, I'm going to make an SSL certificate for server01.example.com. Use at least a 2048-bit key: public CAs and browsers no longer accept 1024-bit RSA keys. The pass-phrase protects the key file at rest, and -aes256 is preferred to the older -des3 (Triple DES) for that.

[root@server01 ~]# openssl genrsa -aes256 -out server01.example.com.key 2048
Generating RSA private key, 2048 bit long modulus
...++++++
................................++++++
e is 65537 (0x10001)
Enter pass phrase for server01.example.com.key:
Verifying - Enter pass phrase for server01.example.com.key:
[root@server01 ~]#
Next, use your private key to create a CSR. The Common Name must be the exact hostname your users will type into the browser. Note that modern browsers also require that name in a Subject Alternative Name (SAN) extension; a public CA will add the SAN for you when it issues the certificate, but a self-signed certificate produced from this CSR will not have one unless you add it yourself.

[root@server01 ~]# openssl req -new -key server01.example.com.key -out server01.example.com.csr
Enter pass phrase for server01.example.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:London
Locality Name (eg, city) [Default City]:London
Organization Name (eg, company) [Default Company Ltd]:Example Inc
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:server01.example.com
Email Address []:admin@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@server01 ~]#
At this point, you can send your CSR (server01.example.com.csr) to your chosen Certificate Authority, e.g. VeriSign, to complete the certificate generation process. The CSR contains only your public key and the DN, so it is safe to send; the private key never leaves the server. The CA will return a signed certificate, and usually an intermediate (chain) certificate that must be installed alongside it.
If you wish to use a self-signed certificate instead, run the step below.
[root@server01 ~]# openssl x509 -req -days 365 -in server01.example.com.csr -signkey server01.example.com.key -out server01.example.com.crt
Signature ok
subject=/C=GB/ST=London/L=London/O=Example Inc/CN=server01.example.com/emailAddress=admin@example.com
Getting Private key
Enter pass phrase for server01.example.com.key:
[root@server01 ~]#
If you don't get any errors in the above steps, you should now have a server01.example.com.crt file. You will need to use this in conjunction with your private key in order to set up an SSL service, e.g. Apache.
For those of you looking to use your newly created certificate with Apache, add the following lines to your virtual host definition. If the certificate came from a CA, also point SSLCertificateChainFile at the intermediate certificate the CA supplied (on Apache 2.4.8 and later you can instead append the intermediates to the certificate file and drop that directive).

SSLEngine on
SSLCertificateFile /etc/httpd/server01.example.com.crt
SSLCertificateKeyFile /etc/httpd/server01.example.com.key
At this stage, when Apache starts, you will be asked for the pass-phrase of your private key, e.g.:

[root@server01 ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server server01.example.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
                                                           [  OK  ]
[root@server01 ~]#
In order to restore a non-interactive service start, you will need to remove the pass-phrase from the private key. This obviously has security implications: anyone who can read the key file can impersonate your server, so you must change the permissions on the private key so that it can only be read by root (the certificate itself is public and needs no such protection). Apache's SSLPassPhraseDialog exec: option can fetch the pass-phrase from a script instead, but that script must then be protected just as tightly, so it buys little.
To remove the pass-phrase, do the following. Note that openssl rsa writes the new key with your default umask, so the permissions must be tightened immediately afterwards, and the encrypted .orig copy should be kept somewhere safe rather than left on the web server.

[root@server01 ~]# mv /etc/httpd/server01.example.com.key{,.orig}
[root@server01 ~]# openssl rsa -in /etc/httpd/server01.example.com.key.orig -out /etc/httpd/server01.example.com.key
Enter pass phrase for /etc/httpd/server01.example.com.key.orig:
writing RSA key
[root@server01 ~]# chown root:root /etc/httpd/server01.example.com.*
[root@server01 ~]# chmod 600 /etc/httpd/server01.example.com.key*
[root@server01 ~]# chmod 644 /etc/httpd/server01.example.com.crt
[root@server01 ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@server01 ~]#
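As an added example (not part of the original post), the script below runs the same key, CSR and self-signed certificate steps non-interactively, strips the pass-phrase the way the Apache section does, and then performs the three checks worth doing before the pair goes into SSLCertificateFile and SSLCertificateKeyFile: that the certificate really belongs to the key, that the hostname is present as a SAN, and that the key file is readable by its owner only. It assumes OpenSSL 1.1.1 or later (for req -addext), a writable working directory, and the tutorial's example hostname, DN and a throwaway pass-phrase; none of these are real.

```shell
#!/bin/sh
# Added example for this how-to, not code from the original post.
# Assumes: OpenSSL >= 1.1.1, writable cwd, the post's example hostname/DN.
set -e

HOST="${HOST:-server01.example.com}"
SUBJ="/C=GB/ST=London/L=London/O=Example Inc/CN=$HOST"
PASS="${PASS:-changeit}"   # demo pass-phrase only; never hard-code a real one

# 1. 2048-bit RSA key, AES-256 encrypted, created under umask 077 so the file
#    is born mode 0600 instead of the default 0644.
make_key() {
    (umask 077; openssl genrsa -aes256 -passout "pass:$PASS" \
        -out "$1.key.enc" 2048 2>/dev/null)
}

# 2. CSR carrying the hostname in the CN and in a Subject Alternative Name;
#    browsers ignore the CN and require the SAN.
make_csr() {
    openssl req -new -key "$1.key.enc" -passin "pass:$PASS" -subj "$SUBJ" \
        -addext "subjectAltName=DNS:$HOST" -out "$1.csr" 2>/dev/null
}

# 3. Self-signed certificate. "x509 -req" does not copy the CSR's extensions,
#    so the SAN is supplied again through -extfile.
make_selfsigned() {
    printf 'subjectAltName=DNS:%s\n' "$HOST" > "$1.ext"
    openssl x509 -req -days 365 -in "$1.csr" -signkey "$1.key.enc" \
        -passin "pass:$PASS" -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# 4. Unencrypted copy for unattended service start (the post's "openssl rsa"
#    step), again created 0600; the encrypted original is locked down too.
strip_passphrase() {
    (umask 077; openssl rsa -in "$1.key.enc" -passin "pass:$PASS" \
        -out "$1.key" 2>/dev/null)
    chmod 600 "$1.key.enc" "$1.key"
}

# Check A: the certificate's public key is the one in the private key. An RSA
# certificate and key share a modulus, so comparing them catches the classic
# "certificate and key do not match" failure before httpd does.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1.key" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$1.crt" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check B: the SAN is in the CSR (what the CA sees) and survived signing.
csr_has_san() {
    openssl req -noout -text -in "$1.csr" | grep -q "DNS:$HOST"
}
cert_has_san() {
    openssl x509 -noout -text -in "$1.crt" | grep -q "DNS:$HOST"
}

# Check C: the unencrypted key is readable by its owner only (mode 0600).
key_is_owner_only() {
    [ "$(ls -l "$1.key" | cut -c1-10)" = "-rw-------" ]
}

# Whole pipeline for one base filename; returns non-zero if any check fails.
build_and_check() {
    make_key "$1" && make_csr "$1" && make_selfsigned "$1" \
        && strip_passphrase "$1" || return 1
    csr_has_san "$1" && key_matches_cert "$1" && cert_has_san "$1" \
        && key_is_owner_only "$1"
}

if [ "${1:-}" = "run" ]; then
    build_and_check "$HOST" && echo "$HOST.crt and $HOST.key are ready"
fi
```

Run it as `sh make-cert.sh run` in an empty directory; it leaves server01.example.com.key (0600, no pass-phrase), server01.example.com.key.enc, .csr and .crt behind, which map directly onto the Apache directives above. The modulus comparison in key_matches_cert is the same check you should run on a CA-issued certificate when it comes back, since a CSR regenerated in the meantime is the usual reason a returned certificate does not match the key on disk.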
All done folks. As always, feel free to leave comments or contact me directly.