Bob's Quick SSL Guide
Generating a Secure Server Certificate 11/27/05
For those of you running Apache with mod_ssl (any of the Linux-Mandrake distributions, as well as Red Hat), here's the quick way to generate a CSR (certificate signing request) to send out. In these examples, substitute your own domain name for domain.com.
Type in: openssl genrsa -des3 -out domain.com.key-des 1024
This generates the key. You will be prompted for a pass-phrase; use something you will remember. We used to be able to skip the passphrase, but some registrars now require it. Next, we make a copy of the key WITHOUT the passphrase, so that Apache won't ask for it every time it starts:
Type in: openssl rsa -in domain.com.key-des -out domain.com.key
Now, we can make our Certificate Request CSR file!
Type in: openssl req -new -key domain.com.key-des -out domain.com.csr
This is the file you need to send to Thawte, GeoTrust, etc.
This sucker is going to ask you for the passphrase and a bunch of questions, and you CANNOT use backspace to correct a typo! So if you mess up, press Control-C and try again. Here is an example of what to enter:
That's it. Since it's text, we can easily email it to ourselves:
Type in: cat domain.com.csr | mail email@example.com
Now, you can also generate your own self-signed certificate by doing this:
Type in: openssl x509 -req -days 30 -in domain.com.csr -signkey domain.com.key -out domain.com.crt
Remember, the .crt file is the magic file that you need to make SSL work. This is what your certificate company is going to send you.
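The whole sequence above as a script, added here as an example (not part of Bob's original guide): it runs the same openssl steps non-interactively and then checks that the key, CSR and certificate actually belong together before you mail the CSR off or point Apache at the files. Assumptions: the working directory, the demo passphrase and the -subj fields are constructed, and it uses a 2048-bit key rather than the 1024 shown above.

```shell
#!/bin/sh
# Added example, not from the original guide. Constructed values: the
# working directory, the demo passphrase and the -subj fields.
# Note: 2048-bit RSA here (the guide shows 1024).

# make_csr DOMAIN DIR: writes DOMAIN.key-des, DOMAIN.key, DOMAIN.csr, DOMAIN.crt in DIR
make_csr() {
    domain="$1"; dir="$2"
    # Demo passphrase only; in real use type it at the prompt rather than
    # passing it on the command line, where other users can see it in ps.
    pass="demo-passphrase-only"
    mkdir -p "$dir"
    # 1. passphrase-protected key (the guide's domain.com.key-des)
    openssl genrsa -des3 -passout "pass:$pass" \
        -out "$dir/$domain.key-des" 2048 2>/dev/null || return 1
    # 2. the same key with the passphrase stripped so Apache can start unattended;
    #    it is now an unprotected secret, so leave it readable by root only
    openssl rsa -in "$dir/$domain.key-des" -passin "pass:$pass" \
        -out "$dir/$domain.key" 2>/dev/null || return 1
    chmod 600 "$dir/$domain.key"
    # 3. the CSR; -subj answers the interactive questions (CN is the site hostname)
    openssl req -new -key "$dir/$domain.key" \
        -subj "/C=US/ST=State/L=City/O=Example Org/CN=www.$domain" \
        -out "$dir/$domain.csr" 2>/dev/null || return 1
    # 4. a 30-day self-signed certificate to use until the CA's signed one arrives
    openssl x509 -req -days 30 -in "$dir/$domain.csr" \
        -signkey "$dir/$domain.key" -out "$dir/$domain.crt" 2>/dev/null
}

# check_match DOMAIN DIR: true only if key, CSR and certificate share one RSA
# modulus. A mismatch here is the usual reason Apache refuses to start with
# the CA's certificate, or the sign that the CSR was made from the wrong key.
check_match() {
    k=$(openssl rsa  -noout -modulus -in "$2/$1.key" 2>/dev/null)
    r=$(openssl req  -noout -modulus -in "$2/$1.csr" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2/$1.crt" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# csr_cn DOMAIN DIR: prints the Common Name in the CSR, i.e. the hostname the
# CA will certify; check it before mailing the CSR off
csr_cn() {
    openssl req -noout -subject -in "$2/$1.csr" 2>/dev/null | sed 's/.*CN *= *//'
}

# Stand-alone run (constructed directory):
# make_csr domain.com /tmp/ssl-demo && check_match domain.com /tmp/ssl-demo \
#     && csr_cn domain.com /tmp/ssl-demo
```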
Installing the Certificate
To make Apache pick up on this certificate, you need to add this to your httpd configuration file, which will be one of three files: commonhttpd.conf (Mandrake's choice), httpd2.conf (for Apache 2), or httpd.conf (original Apache). These will be in /etc/httpd/conf. I also recommend moving your certificate files into this same directory.
Here's an example of what needs to go in the file:
<VirtualHost 126.96.36.199:443>
    # Use your web server's IP above; the ServerName is your certificate's "common name"
    ServerName www.domain.com
    ServerAdmin firstname.lastname@example.org
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    # Enable SSL and point Apache at the files (paths assume /etc/httpd/conf as recommended above)
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/domain.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/domain.com.key
</VirtualHost>
Your Apache configuration file may Include a separate SSL config file, so if it doesn't work, look for that.
Also, remember that you can only have one SSL certificate per IP address!