SSLCertificate Generate


How to generate a CSR and then a self-signed cert with Apache+mod_ssl


Version 1.0 06/04/04

These notes can be used for two purposes:

1. To create a CSR (Certificate Signing Request) to send to an entity such as Thawte to be signed. This would be to obtain a 'real' validated SSL certificate for a web site. You should always get a 'real' certificate when using SSL on public sites (such as on-line shops).

2. To create an SSC (Self Signed Certificate) to use on non-public access web sites (such as a secret Psand site or a customer web admin site).

For the steps below, I normally create and store certificates in the directory /etc/apache-ssl/conf/certs/ on the servers.

Steps:

1. Generate a Key (1024 bit)

$ openssl genrsa -out www.virtualhost.com.key 1024

Note that you can also password-protect the key if you so wish (but see later on for how to remove the password) by doing:

$ openssl genrsa -des3 -out www.virtualhost.com.key 1024

2. Generate the CSR

$ openssl req -new -key www.virtualhost.com.key -out www.virtualhost.com.csr

Now you will be prompted for the details of the certificate. Remember that if you're getting a 'real' one signed by Thawte or Verisign etc., you MUST make sure that the name on the certificate MATCHES the name of the owner of the domain name as it is registered. Thawte, for example, requires the client to produce a certificate of incorporation if the owner is a company, and insists that the names match.

Here's a guide on the fields:

  • a. Country Name: (GB, ES, FR, US etc)
  • b. State: (Kent, Barcelona, Texas etc)
  • c. Locality: (Ramsgate, Barcelona, Austin etc)
  • d. Organization: (Psand Limited, etc)
  • e. Organization Unit: <leave blank normally>
  • f. Common Name: <the web address> (e.g. www.virtualhost.com)
  • g. Email Address: <something or leave blank> (e.g. support@psand.net)
  • h. Challenge password: <leave blank>
  • i. Optional company name: <leave blank>

The above is sufficient for passing a certificate to Thawte. You can visit Thawte's web site and paste the contents of the CSR in there to order your signed certificate. They will send you back a CRT file, which you should save as www.virtualhost.com.crt in the same location as the rest.

The next step explains how to create your own CRT instead of using Thawte's etc.

3. Creating a Self-Signed Certificate

$ openssl x509 -req -days 3660 -in www.virtualhost.com.csr -signkey www.virtualhost.com.key -out www.virtualhost.com.crt

Obviously you can choose how many days you'd like the certificate to last for. I've set it to 10 years above, but you may want less (or more). You can also use this method to generate a temporary certificate whilst you wait for Thawte to deliver the 'real' one.

Notes:

1. Be careful not to lose your key when buying a certificate from Thawte. If you do, you'll have to regenerate it and go through the application process again, including paying Thawte their fee!

2. Don't do daft things like generating a temporary certificate over the top of the 'real' one you bought from Thawte!

3. Remember that a self-signed (temporary or not) certificate and a 'real' certificate are actually exactly the same from a security point of view, and a Psand certificate is just as good and secure as a Thawte one. The problem, though, is that Thawte is a recognised signing authority and Psand alas is not. Therefore a web browser will complain with a Psand certificate that Psand is not a recognised authority and that the certificate (or secure connexion) therefore cannot be trusted. This is hogwash, but it's the way it is, and I suppose fair enough really, as it's the kind of thing I like to know when making purchases over the Net. It comes as no surprise to learn that IE is especially critical of self-signed certificates.

4. In order to use this cert as a .pem file for Apache, you must concatenate the key and crt files like so:

$ cat www.virtualhost.com.key www.virtualhost.com.crt > www.virtualhost.com.pem
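As an added example (not from the original page), the script below runs steps 1 to 3 and the note 4 concatenation non-interactively, then performs the checks worth doing before the files go anywhere near Apache: that the certificate really belongs to the key, that the Common Name is the site name, that the self-signed certificate verifies against itself, and that the .pem holds both blocks. The host name and subject fields follow the page's guide, the working directory stands in for /etc/apache-ssl/conf/certs/, and the key is 2048-bit rather than the page's 1024, which is below today's minimum; all of these are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: key -> CSR -> self-signed
# certificate -> .pem, run non-interactively, followed by sanity checks.
# ASSUMPTIONS: host name and subject fields follow the page's guide; the
# working directory stands in for /etc/apache-ssl/conf/certs/; the key is
# 2048-bit rather than the page's 1024, which is below today's minimum.
set -eu

HOST="www.virtualhost.com"
WORKDIR="${WORKDIR:-$(mktemp -d)}"
SUBJ="/C=GB/ST=Kent/L=Ramsgate/O=Psand Limited/CN=$HOST"
cd "$WORKDIR"

make_cert() {
    # Step 1: key with no passphrase, so Apache can start unattended.
    openssl genrsa -out "$HOST.key" 2048 2>/dev/null
    # Step 2: CSR; -subj answers the interactive prompts from the command line.
    openssl req -new -key "$HOST.key" -subj "$SUBJ" -out "$HOST.csr"
    # Step 3: self-signed certificate, 3660 days as on the page, SHA-256 signature.
    openssl x509 -req -sha256 -days 3660 -in "$HOST.csr" \
        -signkey "$HOST.key" -out "$HOST.crt" 2>/dev/null
    # Note 4: key + certificate in one file for SSLCertificateFile.
    cat "$HOST.key" "$HOST.crt" > "$HOST.pem"
    chmod 600 "$HOST.key" "$HOST.pem"   # both files contain the private key
}

check_cert() {
    # The certificate must belong to the key, or mod_ssl refuses to start.
    key_mod=$(openssl rsa -in "$HOST.key" -noout -modulus)
    crt_mod=$(openssl x509 -in "$HOST.crt" -noout -modulus)
    [ "$key_mod" = "$crt_mod" ] || { echo "key/certificate mismatch" >&2; return 1; }
    # The Common Name must be the site name browsers will connect to.
    openssl x509 -in "$HOST.crt" -noout -subject | grep -q "CN *= *$HOST" \
        || { echo "CN is not $HOST" >&2; return 1; }
    # A self-signed certificate can only verify against itself; confirm it does.
    openssl verify -CAfile "$HOST.crt" "$HOST.crt" >/dev/null 2>&1 \
        || { echo "certificate does not verify" >&2; return 1; }
    # The combined .pem must still hold both PEM blocks (key and certificate).
    [ "$(grep -c 'BEGIN' "$HOST.pem")" -eq 2 ] \
        || { echo "$HOST.pem is missing a block" >&2; return 1; }
    echo "ok: $WORKDIR/$HOST.pem is ready ($(openssl x509 -in "$HOST.crt" -noout -enddate))"
}

if command -v openssl >/dev/null 2>&1; then
    make_cert && check_cert
else
    echo "openssl not found; install it before running these steps" >&2
fi
```

Point SSLCertificateFile at the resulting .pem (or at the .crt with SSLCertificateKeyFile for the .key); a key/certificate mismatch is the usual reason Apache refuses to start after a certificate is replaced.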


Last edited on January 8, 2007 6:24 pm.

