How to generate SSL Key, CSR and Self-signed Certificate (SSR) in Linux Apache

Netshop-Isp

Netshop-Isp

Member
SSL Certificate is used to convert your website from http:// to https://. The protocol was created by Netscape to ensure secure transactions between web servers and browsers. It uses a third party, a Certificate Authority (CA), to identify one end or both end of the transactions.

In this article, we explain how to generate private key file (server.key), certificate signing request file (server.csr) and webserver certificate file (server.crt) that can be used on Apache server with mod_ssl.

For the sake of example we will be using www.my-server.org as our domain.

1. Generate Private Key on the Server Running Apache + mod_ssl

The first step is to generate a private key on our Linux server that runs Apache webserver using openssl command:

Code: 
# openssl genrsa -des3 -out www.my-server.org.key 1024
Generating RSA private key, 1024 bit long modulus
…………………………………++++++
……………………………………………++++++
e is 73547 (0×01001)
Enter pass phrase for my-server.org.key:
Verifying – Enter pass phrase for www.my-server.org.key:

# ls -ltr www.my-server.*
-rw-r–r– 1 root root   963 Oct 01 22:02 www.my-server.org.key

The generated private key looks like the following.
# cat www.my-server.org.key
—–BEGIN RSA PRIVATE KEY—–
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,485B3C6371C9916E

ymehJu/RowzrclMcixAyxdbfzQphfUAk9oK9kK2
jadfoiyqthakLKNqw9z1MoaqkPyqeHevUm26no
AJKIETHKJADFS2BGb0n61/Ksk8isp7evLM4+QY
KAQETKjdiahteksMJOjXLq+vf5Ra299fZPON7yr
—–END RSA PRIVATE KEY—–

2. Generate a Certificate Signing Request (CSR)

Using the key generate above, you should generate a Certificate Request file (CSR) using openssl:

Code: 
# openssl req -new -key www.my-server.org.key -out www.my-server.org.csr
Enter pass phrase for www.my-server.org.key:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [GB]:CY
State or Province Name (full name) [Berkshire]:Cyprus
Locality Name (eg, city) [Newbury]:Larnaca
Organization Name (eg, company) [My Company Ltd]: S.S. NetShop Internet Services Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server’s hostname) []: myserver
Email Address []:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# ls -ltr www.thegeekstuff.*
-rw-r–r– 1 root root   963 Oct 01 22:02 www.my-sever.org.key
-rw-r–r– 1 root root   664 Oct 01 22:11 www.my-server.org.csr

3. Generate a Self-Signed SSL Certificate

For testing purpose, you can generate a self-signed SSL certificate that is valid for 1 year using openssl command:

Code: 
# openssl x509 -req -days 365 -in www.my-server.org.csr -signkey www.my-server.org.key -out www.my-server.org.crt
Signature ok
subject=/C=CY/ST=Cyprus/L=Larnaca/O=ssnetshopinternetservicesltd/OU=IT/CN=www.my-server.org
Getting Private key
Enter pass phrase for www.my-server.org.com.key:# ls -l www.my-server*
-rw-r–r– 1 root root   963 Oct 01 22:02 www.my-server.org.key
-rw-r–r– 1 root root   664 Oct 01 22:11 www.my-server.org.csr
-rw-r–r– 1 root root   879 Oct 01 22:20 www.my-server.org.crt

# cat www.thegeekstuff.com.crt

—–BEGIN CERTIFICATE—–
haidfshoaihsdfAKDJFAISHTEIHkjasdjadf9w0BAQUFADCB
kjadfijadfhWQIOUQERUNcMNasdkjfakljasdBgEFBQcDAQ
kjdghkjhfortoieriqqeurNZXCVMNCMN.MCNaGF3dGUuY29
—–END CERTIFICATE—–

The above procedure can be used to generate Apache SSL Key, CSR and CRT file in most of the Linux, Unix systems including Ubuntu, Debian, CentOS, Fedora and Red Hat.
 
You must log in or register to reply here.

Supporters

Back
Top