Bob's Quick SSL Guide

Generating a Secure Server Certificate  11/27/05

For those of you running Apache with Mod-SSL (any of the Linux-Mandrake distributions, as well as Red Hat), here's the quick way to generate a Certificate Signing Request (CSR) to send out to a certificate authority.  In these examples, replace domain.com with your own domain name.

Type in: openssl genrsa -des3 -out domain.com.key-des 1024

This generates the key. You will be prompted for a passphrase; use something you will remember. It used to be possible to skip the passphrase entirely, but some registrars now require it.   Next, we make a copy of the key WITHOUT the passphrase, so that Apache won't ask for it every time it starts:

Type in: openssl rsa -in domain.com.key-des -out domain.com.key

Now, we can make our Certificate Signing Request (CSR) file!

Type in: openssl req -new -key domain.com.key-des -out domain.com.csr

This is the file you need to send to Thawte, GeoTrust, etc.

This sucker is going to ask you for the passphrase and a bunch of questions, and you CANNOT use the backspace to correct a typo!  So if you mess up, press Control-C and try again.  Here is an example of what to enter:

Country Name (2 letter code): US  
State or Province Name (full name): New York
Locality Name (eg, city): Rochester
Organization Name (eg, company): Big Pizza Company
Organizational Unit Name (eg, section): Online Sales
Common Name: www.domain.com
Email Address: me@mydomain.com
A challenge password:  <just leave blank, hit RETURN>
An optional company name: <just leave blank, hit RETURN>

That's it.  Since it's plain text, we can easily email this to ourselves:

Type in: cat domain.com.csr | mail me@mydomain.com

Now, you can also generate your own self-signed certificate by doing this:

Type in: openssl x509 -req -days 30 -in domain.com.csr -signkey domain.com.key -out domain.com.crt

Remember, the .crt file is the magic file that you need to make SSL work.  This is what your certificate company is going to be sending you.
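The whole key, CSR and self-signed certificate flow above as one non-interactive script, added here as an example and not part of Bob's original guide. It follows the guide's steps (passphrase-protected key, passphrase-free copy, CSR made from the encrypted key, 30-day self-signed certificate) with two changes: the passphrase and subject answers are passed on the command line so the script can run unattended (the demo passphrase is a constructed placeholder), and the key is 2048 bits rather than 1024, because public CAs have refused RSA keys under 2048 bits since 2014. The check functions at the end are what you run before mailing the CSR or installing the certificate: the CSR's own signature verifies, the Common Name is the one you intended, the certificate's modulus matches the key Apache will load, and the passphrase-free copy really is unencrypted. The working directory and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): key -> CSR -> self-signed cert,
# scripted end to end, plus the checks worth running before using the files.
set -eu

WORK="${WORK:-$(mktemp -d)}"     # assumed scratch directory
DOMAIN="domain.com"              # substitute your domain, as in the guide
PASS="pass:changeme-demo"        # constructed demo passphrase, never a real one
KEY_DES="$WORK/$DOMAIN.key-des"  # passphrase-protected key
KEY="$WORK/$DOMAIN.key"          # passphrase-free copy for Apache
CSR="$WORK/$DOMAIN.csr"
CRT="$WORK/$DOMAIN.crt"

# The guide's sample answers, in the one-line -subj form openssl req accepts.
SUBJ="/C=US/ST=New York/L=Rochester/O=Big Pizza Company/OU=Online Sales/CN=www.$DOMAIN/emailAddress=me@mydomain.com"

make_key() {
  # Step 1: passphrase-protected key (2048 bits instead of the guide's 1024).
  openssl genrsa -des3 -passout "$PASS" -out "$KEY_DES" 2048 2>/dev/null
  # Step 2: strip the passphrase so Apache can start without prompting.
  openssl rsa -in "$KEY_DES" -passin "$PASS" -out "$KEY" 2>/dev/null
  # Both files contain the private key: readable by root only.
  chmod 600 "$KEY_DES" "$KEY"
}

make_csr() {
  # Step 3: the CSR, built from the encrypted key exactly as the guide does.
  openssl req -new -key "$KEY_DES" -passin "$PASS" -subj "$SUBJ" -out "$CSR" 2>/dev/null
}

self_sign() {
  # Step 4: a 30-day self-signed certificate for testing while the CA works.
  openssl x509 -req -days 30 -in "$CSR" -signkey "$KEY" -out "$CRT" 2>/dev/null
}

# --- checks ---------------------------------------------------------------

key_is_encrypted() {
  # Both the old "Proc-Type: 4,ENCRYPTED" and the PKCS#8 "BEGIN ENCRYPTED
  # PRIVATE KEY" headers contain the word ENCRYPTED.
  grep -q ENCRYPTED "$1"
}

csr_verifies() {
  # The CSR is signed with its own key; a corrupted or mismatched file fails here.
  openssl req -noout -verify -in "$CSR" >/dev/null 2>&1
}

cert_cn() {
  # Extract the CN from either the "CN = x, ..." or the "/CN=x/..." subject style.
  openssl x509 -noout -subject -in "$CRT" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

key_matches_cert() {
  # The certificate Apache serves must belong to the key Apache loads.
  k=$(openssl rsa -noout -modulus -in "$KEY")
  c=$(openssl x509 -noout -modulus -in "$CRT")
  [ -n "$k" ] && [ "$k" = "$c" ]
}

is_self_signed() {
  # A self-signed certificate has identical issuer and subject.
  s=$(openssl x509 -noout -subject -in "$CRT" | sed 's/^subject= *//')
  i=$(openssl x509 -noout -issuer  -in "$CRT" | sed 's/^issuer= *//')
  [ -n "$s" ] && [ "$s" = "$i" ]
}

main() {
  make_key; make_csr; self_sign
  printf 'CN in certificate: %s\n' "$(cert_cn)"
  csr_verifies     && echo "CSR signature verifies"
  key_matches_cert && echo "certificate matches $DOMAIN.key"
  is_self_signed   && echo "certificate is self-signed (issuer == subject)"
  echo "files written to $WORK"
}
main
```

The same modulus comparison, run against the certificate the CA sends back instead of the self-signed one, is the quickest way to catch the classic mistake of installing a certificate that was issued for a different key.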

Installing the Certificate

To make Apache pick up on this certificate, you need to add this to your httpd configuration file, which will be one of three files: commonhttpd.conf (Mandrake's choice), httpd2.conf (for Apache 2), or httpd.conf (original Apache).  These will be in /etc/httpd/conf.  I also recommend moving your certificate files into this same directory.

Here's an example of what needs to go in the file (the parenthetical lines are comments, not directives):

<VirtualHost 24.1.2.3:443>
# (Place your webserver's IP address in the line above)
DocumentRoot /home/your_webserver_root
ServerName www.domain.com
# (or whatever you used for the "common name")
ServerAdmin me@mydomain.com
# (your email address)
ErrorLog logs/ssl-error_log
TransferLog logs/ssl-access_log
SSLEngine on
SSLCertificateFile conf/domain.com.crt
SSLCertificateKeyFile conf/domain.com.key
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
<IfModule mod_setenvif.c>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfModule>
</VirtualHost>

It is possible that your Apache configuration file includes a separate SSL config file, so if this doesn't work, look for that include and put the block there instead.

Also, remember that you can only have one SSL certificate per IP address!
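A vhost writer and a cipher-string audit, added here as an example; it is not from the guide and not Apache's own code. The SSLCipherSuite line in the guide was the mod_ssl default of its day, and it explicitly keeps the LOW, EXP (export), SSLv2, RC4 and eNULL (no encryption at all) families, every one of which has since been broken or deprecated. The script writes the guide's VirtualHost block with a hardened cipher line, disables SSLv2 and SSLv3 (SSLProtocol and SSLHonorCipherOrder are real mod_ssl directives), and weak_cipher_tokens lists the weak families a cipher string names without a leading "!" so you can audit a configuration you already have. The IP, domain, paths and e-mail address are the guide's placeholders. On the one-certificate-per-IP rule: that limit is lifted by TLS Server Name Indication, which Apache supports from 2.2.12 when built against OpenSSL 0.9.8j or later.

```shell
#!/bin/sh
# Added example (not from the original guide): write a hardened SSL vhost and
# audit a cipher string for weak families.
set -eu

# Hardened replacement for the guide's SSLCipherSuite value: strong ciphers
# only, with the weak families removed explicitly so later "ALL"-style
# additions cannot bring them back.
HARDENED_CIPHERS='HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP'

weak_cipher_tokens() {
  # Print each ':'-separated token of an OpenSSL cipher string that names a
  # weak family and is not removed with a leading '!'. ALL, HIGH and MEDIUM
  # are not flagged; the point is to spot families kept on purpose.
  printf '%s\n' "$1" | tr ':' '\n' | grep -v '^!' \
    | grep -E 'eNULL|aNULL|ADH|EXP|LOW|SSLv2|SSLv3|RC4|MD5|DES' || true
}

weak_cipher_count() {
  weak_cipher_tokens "$1" | wc -l | tr -d ' '
}

write_vhost() {
  # $1 = server IP, $2 = domain, $3 = directory to write into (assumed
  # layout, mirroring the guide's conf/ placement). Prints the path written.
  ip="$1"; domain="$2"; dir="$3"
  out="$dir/ssl-$domain.conf"
  cat > "$out" <<EOF
<VirtualHost $ip:443>
# ServerName must match the Common Name you put in the CSR
ServerName www.$domain
ServerAdmin me@mydomain.com
DocumentRoot /home/your_webserver_root
ErrorLog logs/ssl-error_log
TransferLog logs/ssl-access_log
SSLEngine on
SSLCertificateFile conf/$domain.crt
SSLCertificateKeyFile conf/$domain.key
# Hardened protocol and cipher settings in place of the guide's cipher line
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite $HARDENED_CIPHERS
SSLHonorCipherOrder on
</VirtualHost>
EOF
  printf '%s\n' "$out"
}

main() {
  old='ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'
  echo "weak families kept by the guide's cipher line:"
  weak_cipher_tokens "$old"
  echo "weak families kept by the hardened line: $(weak_cipher_count "$HARDENED_CIPHERS")"
  dir="${1:-$(mktemp -d)}"
  echo "wrote $(write_vhost 24.1.2.3 domain.com "$dir")"
}
main "$@"
```

Run it with the directory that holds your httpd configuration as the first argument, then `apachectl configtest` before restarting; the SSLCertificateFile and SSLCertificateKeyFile paths are relative to ServerRoot, as in the guide.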