Article by on April 16, 2012, last modified on August 1, 2012

Creating an SSL Certificate

1. Generate a Private Key

There are three ways to go about this: (1) generate a key with a passphrase, (2) generate a key with a passphrase and remove the passphrase later, or (3) generate a key without a passphrase. More than likely you will want option 3. The reason you don't want a passphrase is that every time Apache restarts you will have to type it in to decrypt the private key, which is especially problematic if you have a script that auto-restarts Apache.

  1. Generate a key with a passphrase:
    $ openssl genrsa -des3 -out 2048
  2. Generate a key with a passphrase to remove later:
    $ openssl genrsa -des3 -out 2048

    Remove the passphrase:

    $ openssl rsa -in -out
  3. Generate a key without a passphrase:
    $ openssl genrsa -out 2048

You can generate a 1024 or a 2048 bit key; it's up to you.

2. Generate the CSR

Here you will generate a Certificate Signing Request (CSR). You will be prompted for each field of the Distinguished Name; the last two 'extra' attributes are optional. The 'Organizational Unit' and 'Common Name' are the host name for the server, i.e.

$ openssl req -new -key -out
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Ohio
Locality Name (eg, city) []:Cincinnati
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company Name
Organizational Unit Name (eg, section) []
Common Name (eg, YOUR name) []
Email Address []

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Get a Signed SSL Certificate

You will now take the contents of server.csr to your Certificate Authority (CA), such as DigiCert, and request a certificate. This may take a while. In some cases your CA is also your Registrar. If it is GoDaddy, you will have to click the blue refresh button or else your certificate will continue to show under 'Pending Requests'.

Tip: To self-sign a certificate do:

$ openssl x509 -req -days 365 -in -signkey -out
Signature ok
Getting Private key

4. Remove Passphrase from Cert (Optional)

If you chose option 1 in Step 1 and need to remove the passphrase afterward, first rename the key you made to '' so you know it has a passphrase:

$ mv

Then use OpenSSL to decode the key:

$ openssl rsa -in -out
Enter pass phrase for (passphrase from Step 1)
writing RSA key

Tip: You can tell if a key is encrypted or not by opening the file. An encrypted key file will begin with something like:

Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,D80116B4E68040D8

A non-encrypted key file will begin with just:


5. Generate a PEM File

Now you need to combine the certificates. First, make sure you have all the files you need; you should have something like:

$ ls

I'm not really sure why you would need to do this, but you may need to:

$ cat >
$ cat >>
$ cat gd_bundle.crt >>
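Steps 1 through 5 as one non-interactive script, added here as an example and not taken from the article: it generates the key and CSR, self-signs, runs the Step 4 passphrase round trip (encrypt, then strip), checks whether a key file is encrypted, and confirms that the key and certificate belong together before they go into the PEM file. The file names (server.key, server.csr, server.crt, server.pem), subject fields, host name and passphrase are assumptions made up for this example; it uses 2048 bits, the larger of the two sizes mentioned above, which is also the smallest size public CAs accept today.

```shell
#!/bin/sh
# Added example, not code from the original article: steps 1 to 5 run end to end,
# non-interactively, in a scratch directory. File names, subject fields, host name
# and the passphrase are assumptions chosen for this example.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Step 1, option 3: a 2048-bit RSA key with no passphrase, so Apache can restart unattended.
make_key() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
}

# Step 2: the CSR, with the Distinguished Name given on the command line instead of at
# the prompts. CN is the host name clients will connect to; the 'extra' attributes are left out.
make_csr() {
    openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/C=US/ST=Ohio/L=Cincinnati/O=Company Name/OU=Web/CN=server.example.test"
}

# Step 3 tip: self-sign the CSR for 365 days (a CA would sign it in the real flow).
self_sign() {
    openssl x509 -req -days 365 -in "$WORK/server.csr" -signkey "$WORK/server.key" \
        -out "$WORK/server.crt" 2>/dev/null
}

# Step 4: an encrypted copy of the key, then the passphrase stripped again.
# -passout/-passin avoid the interactive prompt; the passphrase is made up.
encrypt_key() {
    openssl rsa -in "$WORK/server.key" -des3 -passout pass:example-passphrase \
        -out "$WORK/server.key.secure" 2>/dev/null
}
strip_passphrase() {
    openssl rsa -in "$WORK/server.key.secure" -passin pass:example-passphrase \
        -out "$WORK/server.key.plain" 2>/dev/null
}

# Step 4 tip, made into a check. Older OpenSSL writes the "Proc-Type: 4,ENCRYPTED" header
# shown in the article; OpenSSL 3 writes a PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" block
# instead, so both forms are accepted here.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Before installing: certificate and key must carry the same public key. Comparing the
# RSA modulus (hashed only to keep the strings short) is the usual check.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl dgst -sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# CN from the certificate subject; the sed handles both the old "/CN=" and the new "CN = " layout.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Exit 0 while the certificate is still inside its validity period.
cert_not_expired() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null
}

# Step 5: one PEM file holding the certificate and the key (append the CA bundle after
# the certificate when the CA provides one).
make_pem() {
    cat "$WORK/server.crt" "$WORK/server.key" > "$WORK/server.pem"
}

run_all() {
    make_key && make_csr && self_sign && encrypt_key && strip_passphrase && make_pem
    echo "files in $WORK:"
    ls "$WORK"
    echo "CN: $(cert_cn "$WORK/server.crt")"
}
run_all
```

Run it as-is to get a scratch directory with every file from the article's `ls`; set WORK to reuse a directory. The modulus comparison is the check to run whenever a "key values mismatch" error shows up after editing the Apache vhost.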

6. Installation

You can only have one SSL certificate per IP address (unless you are using SNI). Assuming such, your Apache vhost may have the following in it:

        SSLEngine on
        SSLCertificateFile /etc/apache2/
        SSLCertificateKeyFile /etc/apache2/


You might be asking yourself: What do all of these file extensions mean? Well, here you go:

*.csr -- Certificate Signing Request used for submission to signing authorities that issue SSL certificates
*.crt -- Public key of a certificate (same as a *.pem file, but with different extension). May include a chain of certificates back to the host certificate. This is what you'll get from GoDaddy when you download a purchased certificate.
*.pem -- Public key of a certificate (same as a *.crt file, but with different extension). May include a chain of certificates back to the host certificate. This is what you'll get from GoDaddy when you download a purchased certificate.
*.key -- Private key of a certificate


How to Read a Certificate

$ openssl x509 -text -noout -in
        Version: 1 (0x0)
        Serial Number:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Ohio, L=Cincinnati, O=Myname, OU=X, CN=server.local/
            Not Before: Nov 10 22:21:42 2011 GMT
            Not After : Nov  9 22:21:42 2012 GMT
        Subject: C=US, ST=Ohio, L=Cincinnati, O=Joe, OU=X, CN=server.local/
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
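Reading a certificate matters most on a bundle like the one Step 5 builds, where the host certificate is followed by the CA chain and the order has to be right. The following added example (not the article's code) creates a private test CA standing in for the commercial CA, signs a host certificate with it, concatenates the two the way Step 5 does, then reads the bundle back one certificate at a time (`openssl x509` only reads the first block of a file), checks that each issuer is the subject of the certificate after it, and verifies the host certificate against the CA. File names, the CA name and the host name are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original article: a two-certificate chain (private test CA
# plus the host certificate it signs), bundled as in step 5, then read back and checked.
# File names, the CA name and the host name are assumptions made up for this example.
set -eu
WORK="${WORK:-$(mktemp -d)}"

build_chain() {
    # Private test CA, standing in for the commercial CA (the gd_bundle.crt of the article).
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/ca.key" -days 365 -out "$WORK/ca.crt" \
        -subj "/C=US/ST=Ohio/O=Example Test CA/CN=Example Test Root"
    # Host key and CSR as in steps 1 and 2, but signed by the CA instead of self-signed.
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/C=US/ST=Ohio/L=Cincinnati/O=Company Name/CN=server.example.test"
    openssl x509 -req -days 365 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
    # Step 5 layout: host certificate first, then the chain that leads to the root.
    cat "$WORK/server.crt" "$WORK/ca.crt" > "$WORK/server-chain.pem"
}

# Number of certificates in a PEM bundle.
bundle_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Split a bundle into $WORK/part.1, $WORK/part.2, ... so each block can be read on its own.
split_bundle() {
    awk -v dir="$WORK" '/-----BEGIN CERTIFICATE-----/ {n++} n {print > (dir "/part." n)}' "$1"
}

# "subject" or "issuer" of a certificate in RFC 2253 form, so two can be compared as strings.
cert_field() {
    openssl x509 -noout -"$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# Each certificate's issuer must be the subject of the certificate that follows it.
chain_in_order() {
    split_bundle "$1"
    n=$(bundle_count "$1")
    i=1
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        [ "$(cert_field issuer "$WORK/part.$i")" = "$(cert_field subject "$WORK/part.$j")" ] || return 1
        i=$j
    done
}

# The host certificate must chain to the CA; this is the check a browser performs.
verify_leaf() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null
}

# Short form of the article's "openssl x509 -text" read-out, for every certificate in the bundle.
describe_bundle() {
    split_bundle "$1"
    for f in "$WORK"/part.*; do
        echo "== $f"
        openssl x509 -noout -subject -issuer -dates -in "$f"
    done
}

build_chain
describe_bundle "$WORK/server-chain.pem"
chain_in_order "$WORK/server-chain.pem" && echo "chain order: OK"
verify_leaf && echo "verify against CA: OK"
```

Running `chain_in_order` on a bundle built in the wrong order (CA first, host certificate second) returns non-zero, which is the mistake that produces a working `openssl x509 -text` but a browser warning once the file is installed.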

How to Create a Multi-Domain Certificate

I don't know yet, but here are some links:

How to Create a Wildcard Certificate

I don't know yet, but here are some links:

