SSL
Article by
on April 16, 2012, last modified on August 1, 2012
Creating an SSL Certificate
1. Generate a Private Key
There are three ways to go about this: (1) generate a key with a passphrase, (2) generate a key with a passphrase and remove the passphrase later, (3) generate a key without a passphrase. More than likely you will want option 3. The reason you don't want a passphrase is that every time Apache restarts you will have to enter the passphrase to decrypt the private key. That is especially problematic if you have a script that auto-restarts Apache.
- Generate a key with a passphrase:
$ openssl genrsa -des3 -out www.website.com.key 2048
- Generate a key with a passphrase to remove later:
$ openssl genrsa -des3 -out www.website.com.pass.key 2048
Remove the passphrase:
$ openssl rsa -in www.website.com.pass.key -out www.website.com.key
- Generate a key without a passphrase:
$ openssl genrsa -out www.website.com.key 2048
You can generate a 1024-bit or a 2048-bit key; it's up to you.
2. Generate the CSR
Here you will generate a Certificate Signing Request (CSR). Fill in the fields as you are prompted for them; only the last two (the 'extra' attributes) are optional. The 'Organizational Unit' and 'Common Name' are the host name of the server, e.g. fb.thesimplesynthesis.com.
$ openssl req -new -key www.website.com.key -out www.website.com.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Ohio
Locality Name (eg, city) []:Cincinnati
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company Name
Organizational Unit Name (eg, section) []:www.website.com
Common Name (eg, YOUR name) []:www.website.com
Email Address []:tech@website.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3. Get a Signed SSL Certificate
You will now take the contents of server.csr to your Certificate Authority (CA), such as DigiCert, and request a certificate. This may take a while. In some cases your CA is also your Registrar. If it is GoDaddy, you will have to click the blue refresh button or else your certificate will continue to show under 'Pending Requests'.
Tip: To self-sign a certificate do:
$ openssl x509 -req -days 365 -in www.website.com.csr -signkey www.website.com.key -out www.website.com.crt
Signature ok
subject=/C=US/ST=Ohio/L=Cincinnati/O=Zipscene/OU=www.website.com/CN=www.website.com/emailAddress=tech@website.com
Getting Private key
4. Remove Passphrase from Cert (Optional)
If you chose option 1 in step 1 and need to remove the passphrase afterward, first rename the key you made to 'www.website.com.pass.key' so you know it has a passphrase:
$ mv www.website.com.key www.website.com.pass.key
Then use OpenSSL to decrypt the key and write it out without a passphrase:
$ openssl rsa -in www.website.com.pass.key -out www.website.com.key
Enter pass phrase for www.website.com.pass.key: (passphrase from Step 1)
writing RSA key
Tip: You can tell if a key is encrypted or not by opening the file. An encrypted key file will begin with something like:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,D80116B4E68040D8
A non-encrypted key file will begin with just:
-----BEGIN RSA PRIVATE KEY-----
5. Generate a PEM File
Now you need to combine the certificates. First, make sure you have all the files you need; you should have something like:
$ ls
www.website.com.crt  www.website.com.csr  www.website.com.key  www.website.com.pass.key  www.website.com.pem  www.website.com.zip  gd_bundle.crt
I'm not really sure why you would need to do this, but you may need to:
$ cat www.website.com.key > www.website.com.pem
$ cat www.website.com.crt >> www.website.com.pem
$ cat gd_bundle.crt >> www.website.com.pem
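The following shell script is an added example; it is not code from the article. It checks, without needing a passphrase, whether a key file is encrypted (the tip in step 4), which cipher its DEK-Info header names, which PEM blocks a combined file from step 5 contains and in what order, and, when openssl is installed, whether a key, its CSR and its certificate share one RSA modulus (steps 2 and 3). The file names and the temporary directory are assumptions, and the sample files are constructed headers only, not real keys or certificates.

```shell
#!/bin/sh
# Added example, not code from the original article. Pure-shell checks on the
# PEM files produced in steps 1-5 (no passphrase needed), plus an openssl-based
# check that a key, CSR and certificate belong together.

# Print "encrypted" or "plain" for the private key file at $1, from its header.
key_encryption_state() {
    # PKCS#1 keys ("BEGIN RSA PRIVATE KEY") mark encryption with a Proc-Type
    # header; PKCS#8 keys use a distinct BEGIN line instead.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1" \
        || grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted
    else
        echo plain
    fi
}

# Print the cipher named in a PKCS#1 DEK-Info header, or nothing if absent.
key_cipher() {
    sed -n 's/^DEK-Info: \([^,]*\),.*/\1/p' "$1"
}

# Print the BEGIN-block types found in a PEM bundle ($1), comma separated,
# in file order, e.g. "CERTIFICATE,CERTIFICATE" for a leaf plus intermediate.
pem_block_types() {
    awk '/^-----BEGIN /{ sub(/^-----BEGIN /, ""); sub(/-----$/, "");
                         printf "%s%s", (n++ ? "," : ""), $0 }
         END { print "" }' "$1"
}

# Print "match" if key ($1), CSR ($2) and certificate ($3) share one RSA
# modulus, "mismatch" otherwise. Requires openssl; an encrypted key yields
# "mismatch" because no passphrase is supplied (stdin is /dev/null).
key_csr_cert_match() {
    k=$(openssl rsa  -noout -modulus -in "$1" </dev/null 2>/dev/null || true)
    r=$(openssl req  -noout -modulus -in "$2" </dev/null 2>/dev/null || true)
    c=$(openssl x509 -noout -modulus -in "$3" </dev/null 2>/dev/null || true)
    if [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Constructed sample files (headers only, not real keys or certificates) so the
# script runs offline; the DEK-Info line copies the article's example header.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/encrypted.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,D80116B4E68040D8

(base64 body omitted in this constructed sample)
-----END RSA PRIVATE KEY-----
EOF
cat > "$SAMPLE_DIR/plain.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
(base64 body omitted in this constructed sample)
-----END RSA PRIVATE KEY-----
EOF
cat > "$SAMPLE_DIR/fake.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
(base64 body omitted in this constructed sample)
-----END CERTIFICATE-----
EOF
# Same order as the article's step 5: key, then certificate, then CA bundle.
cat "$SAMPLE_DIR/plain.key" "$SAMPLE_DIR/fake.crt" "$SAMPLE_DIR/fake.crt" \
    > "$SAMPLE_DIR/bundle.pem"

for f in encrypted.key plain.key; do
    printf '%s: %s %s\n' "$f" "$(key_encryption_state "$SAMPLE_DIR/$f")" \
        "$(key_cipher "$SAMPLE_DIR/$f")"
done
printf 'bundle.pem contains: %s\n' "$(pem_block_types "$SAMPLE_DIR/bundle.pem")"
```

Run it as-is to see the classification of the constructed samples; to check your own files, call key_encryption_state on the .key and key_csr_cert_match on the .key, .csr and .crt from steps 1 to 3. The modulus comparison is the quickest way to catch the common mistake of installing a certificate that was issued for a different key. Note that the bundle listing shows the private key sitting in the combined .pem, which is why that file must never be served or handed to anyone other than the web server.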
6. Installation
You can only have one SSL certificate per IP address (unless you are using SNI). Assuming that, your Apache vhost may contain the following:
SSLEngine on
SSLCertificateFile /etc/apache2/www.website.com.crt
SSLCertificateKeyFile /etc/apache2/www.website.com.key
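As an added example (not the article's own configuration), here is what the SNI case mentioned above looks like, with the intermediate bundle from step 5 included so that clients can build the chain to a trusted root. The directory /etc/apache2/ssl/ and the second host name fb.website.com are assumptions; gd_bundle.crt is the bundle file from step 5.

```apache
# Added example, not the article's configuration. Two HTTPS name-based vhosts
# on one IP address; this relies on SNI, which is why the article says
# "one certificate per IP address unless you are using SNI".
<VirtualHost *:443>
    ServerName www.website.com
    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/www.website.com.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/www.website.com.key
    # Intermediate CA certificates (the gd_bundle.crt from step 5).
    SSLCertificateChainFile /etc/apache2/ssl/gd_bundle.crt
</VirtualHost>

<VirtualHost *:443>
    ServerName fb.website.com
    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/fb.website.com.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/fb.website.com.key
    SSLCertificateChainFile /etc/apache2/ssl/gd_bundle.crt
</VirtualHost>
```

On Apache 2.2 (current when this article was written) name-based HTTPS vhosts also need NameVirtualHost *:443; on 2.4.8 and later SSLCertificateChainFile is deprecated and the intermediates can instead be appended after the server certificate in the file named by SSLCertificateFile. Keep the .key files readable by root only; Apache reads them before dropping privileges.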
Definitions
You might be asking yourself: What do all of these file extensions mean? Well, here you go:
*.csr -- Certificate Signing Request used for submission to signing authorities that issue SSL certificates
*.crt -- Public key of a certificate (same as a *.pem file, but with different extension). May include a chain of certificates back to the host certificate. This is what you'll get from GoDaddy when you download a purchased certificate.
*.pem -- Public key of a certificate (same as a *.crt file, but with different extension). May include a chain of certificates back to the host certificate. This is what you'll get from GoDaddy when you download a purchased certificate.
*.key -- Private key of a certificate
Other
How to Read a Certificate
$ openssl x509 -text -noout -in www.website.com.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            cd:94:4f:91:1d:41:3f:36
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Ohio, L=Cincinnati, O=Myname, OU=X, CN=server.local/emailAddress=email@myemail.com
        Validity
            Not Before: Nov 10 22:21:42 2011 GMT
            Not After : Nov  9 22:21:42 2012 GMT
        Subject: C=US, ST=Ohio, L=Cincinnati, O=Joe, OU=X, CN=server.local/emailAddress=email@myemail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bd:d1:a6:ee:11:8a:1c:58:1c:b8:70:c2:81:31:
                    de:ff:5b:45:3e:ca:a2:15:a4:ac:b0:40:46:1f:25:
                    ac:4f:3d:2e:be:16:e7:4d:7c:28:ab:3d:d5:3c:97:
                    a7:df:0e:fb:e0:2b:68:d8:f1:36:10:ea:f1:a2:17:
                    f6:ee:3d:58:92:6e:1a:04:6f:2c:cd:e9:38:04:8f:
                    02:9b:58:e0:38:b6:1c:7b:2b:a2:14:3a:b7:55:aa:
                    dd:ec:d7:28:44:bc:cc:47:23:a8:69:83:be:31:f2:
                    c5:db:8e:f1:b9:57:48:36:4a:0c:08:98:5f:0f:11:
                    4a:ab:08:5e:89:1d:27:3f:8b
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        3b:39:a4:e4:1c:1f:79:65:b2:dd:20:68:77:b1:91:06:7b:c2:
        7f:5b:52:4f:5d:0f:63:8a:c4:9f:dc:a1:98:5b:98:d2:c9:96:
        44:eb:42:cb:d4:01:e6:30:f7:35:3c:b2:97:f8:6c:da:d9:5d:
        94:64:18:c2:94:79:74:0a:ad:d5:11:6a:25:33:1e:b3:84:55:
        11:de:88:d3:d2:00:35:5d:0c:d8:a6:99:8e:92:62:b8:91:57:
        76:71:65:2d:16:50:d5:16:e1:04:e3:c3:8f:e4:58:75:40:81:
        31:74:35:f9:07:2c:d6:76:19:50:e6:aa:c0:02:76:35:46:b7:
        18:eb
How to Create a Multi-Domain Certificate
I don't know yet, but here are some links:
http://quanterium.blogspot.com/2012/01/creating-self-signed-ssl-certificate.html
http://www.verynoisy.com/blog/2010/jan/25/create-self-signed-certificates-multiple-domains/
How to Create a Wildcard Certificate
I don't know yet, but here are some links:
http://www.justinsamuel.com/2006/03/11/howto-create-a-self-signed-wildcard-ssl-certificate/
http://frankkoehl.com/2012/02/create-self-signed-wildcard-ssl-certificate/