Welcome to the AnaBlog for Mr. Duck!

Sun, 05 Jan 2003 @ 13:42:01 
Apache : Creating OpenSSL / Apache mod_ssl self-signed certificates
Posted by cookie on 2002/11/24 0:48:59 (2 reads)

I found this great little walk-thru: http://www.mrzesty.net/index.html?frame=http://braindump.MrZesty.net/index.php

The original article quoted here:

OpenSSL Signed Certificates

Instructions to generate a self-signed certificate using OpenSSL for use with Apache mod_ssl:

Generate your server's private (encrypted) key:
$ /usr/local/ssl/bin/openssl genrsa -des3 -rand file1:file2:...:file5 -out server.key 1024
- or - If you feel your server is secure, and aren't worried about someone stealing your private key and trying to impersonate you, you can generate your key unencrypted:
$ openssl genrsa -rand file1:file2:...:file5 -out www.virtualhost.com.key 1024

Generate a Certificate Signing Request:
$ openssl req -new -key www.virtualhost.com.key -out www.virtualhost.com.csr
You can view the contents of the CSR:
$ openssl req -noout -text -in www.virtualhost.com.csr


You can create your own quick self-signed certificate using:
$ openssl x509 -req -days 1461 -in www.virtualhost.com.csr -signkey www.virtualhost.com.key -out www.virtualhost.com.crt

If you would like to sign your certificates as an unverified Certificate Authority and you don't already have your own Certificate Authority keys created then:
Run /usr/local/ssl/misc/CA.pl -newca
Run /usr/local/ssl/bin/openssl req -new -x509 -days 1825 -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem


Sign your CSR with your CA keys:
$ /usr/local/ssl/bin/openssl ca -policy policy_anything -out signed_request.pem -infiles server.csr
If you want Apache to be able to start without asking you for the PEM Pass Phrase - unencrypt the server's private key (if you used the -des3 option in the first steps above):
$ /usr/local/ssl/bin/openssl rsa -in server.key -out server.unencrypted.key
then move the server.unencrypted.key over the server.key in the Apache directory, and start Apache

If you're going to use an unencrypted private key - you should make sure the file is readable only by root!
-r-------- root root server.key
$ /usr/local/apache/bin/apachectl startssl


Notes:
SSL does not support Name Virtual Hosts. You must have a unique port and IP address combination for each Certificate you want to use.
You can take the CSR from step 2 and send the contents to Verisign for signing, rather than signing the certificate yourself.
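
The self-signed path above, with two checks that are worth running before starting Apache: that the certificate really belongs to the private key, and that the unencrypted key has the -r-------- mode. This is an added example, not part of the quoted article; the function names are hypothetical, the key is unencrypted, and the 2048-bit key size is an assumption (the article uses 1024). Ownership by root is not checked.

```shell
#!/bin/sh
# Added example, not from the quoted article. Function names are hypothetical.
# Usage: make_selfsigned www.virtualhost.com /path/to/dir

# make_selfsigned HOST DIR: unencrypted key, CSR and self-signed certificate,
# following the article's genrsa -> req -> x509 -req -signkey sequence.
make_selfsigned() {
    host=$1 dir=$2
    # umask 077 so the key is never group/world readable, even briefly.
    ( umask 077
      openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$dir/$host.key" -subj "/CN=$host" \
        -out "$dir/$host.csr" || return 1
    openssl x509 -req -days 1461 -in "$dir/$host.csr" \
        -signkey "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null || return 1
    chmod 400 "$dir/$host.key"   # the -r-------- mode the article asks for
}

# key_matches_cert KEY CRT: true only if both carry the same RSA modulus,
# i.e. the certificate Apache will serve belongs to this private key.
# "-passin pass:" makes an encrypted key fail instead of prompting.
key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -passin pass: -in "$1" 2>/dev/null) || return 1
    cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# key_is_private KEY: true only if the mode string is -r-------- or -rw-------
# (no group or other permission bits set).
key_is_private() {
    case $(ls -ld "$1" 2>/dev/null | cut -c1-10) in
        -r[-w]-------) return 0 ;;
        *) return 1 ;;
    esac
}
```

A mismatch reported by key_matches_cert usually means the .crt was issued for a different CSR than the key now in the Apache directory.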

 

 