Drug preguntas

Installing ssl certificate via openssl — through shell

To get a valid SSL certificate, you will need to generate a CSR (certificate signing request), which a certificate signing authority (such as Verisign or Thawte) will ask for. First determine the URL of the secured web site. This should be a Fully Qualified Domain Name (FQDN): if you want to access your secured website through https://www.virtualhost.com/, then the FQDN of your website is www.virtualhost.com.

Select a few large and relatively random files on your server - compressed log files are a good start. These will act as your random seed enhancers. We refer to these as file1:file2:…:file5 below. Generate a key with the following command:

$ openssl genrsa -des3 -rand file1:file2:…:file5 \
-out www.virtualhost.com.key 1024

This will generate a 1024-bit RSA private key and store it in the www.virtualhost.com.key file. The command will also ask you for a pass phrase. Use something secure and remember it, because you will need this pass phrase below. You will not be able to use the key or the certificate without the proper pass phrase.

Generate the CSR with the following command:

$ openssl req -new -key www.virtualhost.com.key \
-out www.virtualhost.com.csr

This command will generate a CSR and store it in the www.virtualhost.com.csr file. It will also prompt you for the X.509 attributes of your certificate. Remember to give the FQDN when prompted for Common Name. The CSR is a PEM text block that begins with a -----BEGIN CERTIFICATE REQUEST----- line and ends with an -----END CERTIFICATE REQUEST----- line.


You can submit this CSR to any certificate signing authority.

Installation

When you receive your SSL certificate from the certificate signing authority, name it www.virtualhost.com.crt and store it in /home/www.virtualhost.com/ssl. Then insert the following in the Apache configuration file at /etc/httpd/httpd.conf (you need to become root to edit this file):

<VirtualHost xxx.xxx.xxx.xxx:443>
DocumentRoot /path/to/website
SSLEngine on
SSLCertificateFile /path/to/www.virtualhost.com.crt
SSLCertificateKeyFile /path/to/www.virtualhost.com.de.key
</VirtualHost>

Where xxx.xxx.xxx.xxx is the IP address of the web site.

To avoid having to supply the pass phrase every time the web server restarts, write out a copy of the key with the pass phrase removed. This is the www.virtualhost.com.de.key file referenced in the configuration above:

$ openssl rsa -in www.virtualhost.com.key \
-out www.virtualhost.com.de.key

The resulting .de.key file is not encrypted, so make it readable only by root.

Lastly, restart the web server by:

# /etc/init.d/httpd stop
# /etc/init.d/httpd start


OpenSSL tricks

Decoding a .crt file with OpenSSL
=================================

openssl x509 -in <path to crt> -noout -subject

Checking whether a .crt and a .key match
========================================

openssl s_server -cert <path to certificate> -key <path to key>

This checks whether the key and the certificate match. If they match, it will show “ACCEPT”.
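
The s_server check above starts a listener. The following added example (not part of the original post) makes the same comparison non-interactively by comparing the public keys inside the certificate, the key and, optionally, the CSR from the first post. The function names, the temporary demo files and the 2048-bit demo keys are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): check that a certificate,
# a private key and, optionally, a CSR all carry the same public key.

# Print the PEM public key held in a file. $1 = cert|key|csr, $2 = path.
pubkey_of() {
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 2
    # An unreadable file must never compare equal to another unreadable file.
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem"
}

# same_keypair CERT KEY [CSR] -> 0 all match, 1 mismatch, 2 unreadable input
same_keypair() {
    cert_pub=$(pubkey_of cert "$1") || { echo "unreadable certificate: $1" >&2; return 2; }
    key_pub=$(pubkey_of key "$2") || { echo "unreadable key: $2" >&2; return 2; }
    [ "$cert_pub" = "$key_pub" ] || { echo "MISMATCH: certificate and key" >&2; return 1; }
    if [ -n "${3:-}" ]; then
        csr_pub=$(pubkey_of csr "$3") || { echo "unreadable CSR: $3" >&2; return 2; }
        [ "$csr_pub" = "$key_pub" ] || { echo "MISMATCH: CSR and key" >&2; return 1; }
    fi
    echo "MATCH"
}

# Constructed sample material in directory $1: key a with its CSR and a
# self-signed certificate, plus an unrelated key b.
# 2048 bits is this example's choice, not the page's.
make_demo() {
    openssl genrsa -out "$1/a.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/a.key" -subj "/CN=www.virtualhost.com" -out "$1/a.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/a.csr" -signkey "$1/a.key" -days 1 -out "$1/a.crt" 2>/dev/null &&
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null
}

demo_dir=$(mktemp -d) && make_demo "$demo_dir" && {
    same_keypair "$demo_dir/a.crt" "$demo_dir/a.key" "$demo_dir/a.csr"        # cert, key and CSR agree
    same_keypair "$demo_dir/a.crt" "$demo_dir/b.key" || echo "exit status $?" # wrong key
}
rm -rf "$demo_dir"
```

A pass-phrase-protected key, such as the one generated with -des3 in the first post, will prompt for its pass phrase when read.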

