SSL - Certificate

Links

• Apache Modules mod ssl

• Generating an SSL Certificate with Apache+mod_ssl

• Why does my browser give a warning about a mismatched hostname?

Usage

Note: Browsers expect the server’s hostname to match the value in the commonName (CN) field of the certificate. If it does not then you get a warning.

Step 1

Create your RSA Private Key:

openssl genrsa -des3 -out server.key 1024

This command will prompt you for a pass-phrase and then store the key in the file server.key.

Step 2

Remove the pass-phrase from the key (to stop Apache asking for the pass-phrase each time the web server is started):

openssl rsa -in server.key -out server.pem

Step 3

Generate a Certificate Signing Request (which could be sent to Thawte or Verisign). You will be prompted for the Common Name. It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL. If the website to be protected will be https://www.server.com, then enter www.server.com at this prompt:

openssl req -new -key server.pem -out server.csr

Note: On Windows you might get the following error:

Unable to load config info from /usr/local/ssl/openssl.cnf

Unable to load config info from /usr/local/ssl/openssl.cnf

To solve the problem, add a config parameter with the path to your Apache openssl.cnf file e.g:

openssl req -new -key server.pem -out server.csr -config C:\tools\apache2.2\conf\openssl.cnf

Step 4

To generate a temporary certificate which is good for 365 days:

openssl x509 -req -days 365 -in server.csr -signkey server.pem -out server.crt

Step 5

Linux

Copy the key and certificate to the Apache SSL folder:

copy server.crt C:\tools\apache2.2\conf\
copy server.pem C:\tools\apache2.2\conf\

Windows

Copy the key and certificate to the Apache SSL folder:

cp server.crt /etc/apache2/ssl/
cp server.pem /etc/apache2/ssl/

Step 6

Linux

Change the Apache SSL configuration. Edit:

/etc/apache2/modules.d/41_mod_ssl.default-vhost.conf

and edit the SSLCertificateKeyFile to point to the pem file:

SSLCertificateKeyFile conf/ssl/server.pem

Windows

Edit the conf/extra/httpd-ssl.conf file to look at the pem file (rather than the key file):

SSLCertificateKeyFile "C:/tools/apache2.2/conf/server.pem"