Certificates

Ok, I've got my server installed and want to create a real SSL server Certificate for it.
How do I do it?

Here is a step-by-step description:

  1. Make sure OpenSSL is installed and in your PATH. Some commands also work when you run the ``openssl'' program from within the OpenSSL source tree as ``./apps/openssl''.

  2. Create an RSA private key for your Apache server (it will be Triple-DES encrypted and PEM formatted):

    $ openssl genrsa -des3 -out server.key 1024

    # openssl genrsa -des3 -out server.key 1024
    1112 semi-random bytes loaded
    Generating RSA private key, 1024 bit long modulus
    ..........+++++
    .......+++++
    e is 65537 (0x10001)
    Enter PEM pass phrase:
    Verifying password - Enter PEM pass phrase:
    
    

    Please back up this server.key file at a secure location and remember the pass-phrase you entered. You can see the details of this RSA private key via the command:

    $ openssl rsa -noout -text -in server.key

    And you could create a decrypted PEM version (not recommended) of this RSA private key via:

    $ openssl rsa -in server.key -out server.key.unsecure

  3. Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):

    $ openssl req -new -days 365 -key server.key -out server.csr

    # openssl req -new -days 365 -key server.key -out server.csr
    Using configuration from /opt/local/ssl/openssl.cnf
    Enter PEM pass phrase:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Narnia
    Locality Name (eg, city) []:Left Side of the Closet
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Crosscheck Hockey Supply
    Organizational Unit Name (eg, section) []:Sticks/Pucks
    Common Name (eg, YOUR name) []:crosscheck.feldt.com
    Email Address []:matthew@crosscheck.feldt.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    
    

    Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName". For example, when you generate a CSR for a website which will later be accessed via https://www.foo.dom/, enter "www.foo.dom" here. You can see the details of this CSR via the command:

    $ openssl req -noout -text -in server.csr

  4. You now have to send this Certificate Signing Request (CSR) to a Certifying Authority (CA) for signing. The result is a real Certificate which can be used for Apache. Here you have two options. First, you can have the CSR signed by a commercial CA like Verisign or Thawte. You then usually have to post the CSR into a web form, pay for the signing and wait for the signed Certificate, which you can then store in a server.crt file. For more information about commercial CAs have a look at the following locations:

    Second, you can use your own CA and sign the CSR yourself with this CA. Read the next answer in this FAQ on how to sign a CSR with your own CA. You can see the details of the received Certificate via the command:

    $ openssl x509 -noout -text -in server.crt

  5. Now you have two files: server.key and server.crt. These can now be used as follows inside your Apache's httpd.conf file:

    SSLCertificateFile    /path/to/this/server.crt
    SSLCertificateKeyFile /path/to/this/server.key

    The server.csr file is no longer needed.
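
Before the two directives from step 5 go into httpd.conf, it is worth confirming that server.crt chains to the signing CA, that it belongs to server.key, and that the key file is not readable by other users (most relevant for a decrypted copy such as server.key.unsecure). The shell functions below are an added example, not part of the original FAQ or of mod_ssl; the function names, the sample subjects and the 2048-bit unencrypted sample keys are assumptions made so the demo runs without prompts.

```shell
#!/bin/sh
# Added example: checks to run before pointing httpd.conf at server.crt/server.key.

# True only if the certificate carries the public half of the given private key.
cert_matches_key() {  # usage: cert_matches_key CERT KEY [PASSIN, e.g. file:/path]
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 2
    key_pub=$(openssl pkey -pubout -in "$2" ${3:+-passin "$3"}) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# True only if the key file grants nothing to group or other (mode like -rw-------).
key_is_private() {  # usage: key_is_private KEY
    case $(ls -lLd "$1") in
        -???------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Runs all three checks and names the first one that fails.
check_deployable() {  # usage: check_deployable CA_CERT CERT KEY
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
    cert_matches_key "$2" "$3" || { echo "key/cert: MISMATCH"; return 1; }
    key_is_private "$3" || { echo "key permissions: too open"; return 1; }
    echo "ok"
}

# Constructed sample data: a throwaway CA and server certificate in DIR.
# Keys are 2048-bit and unencrypted (assumption) so the demo runs without prompts.
make_sample() {  # usage: make_sample DIR
    ( cd "$1" && umask 077 &&
      openssl genrsa -out ca.key 2048 &&
      openssl req -new -x509 -days 1 -key ca.key -subj "/CN=Example Test CA" -out ca.crt &&
      openssl genrsa -out server.key 2048 &&
      openssl req -new -key server.key -subj "/CN=www.example.test" -out server.csr &&
      openssl x509 -req -days 1 -in server.csr -CA ca.crt -CAkey ca.key \
          -CAcreateserial -out server.crt &&
      openssl genrsa -out other.key 2048     # unrelated key, for the mismatch case
    ) >/dev/null 2>&1
}
```

For a pass-phrase protected server.key, call cert_matches_key without the third argument to be prompted, or pass an OpenSSL pass-phrase source such as file:/path/to/passfile.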

How can I create and use my own Certificate Authority (CA)?

The short answer is to use the CA.sh or CA.pl script provided by OpenSSL. The long and manual answer is this:

  1. Create an RSA private key for your CA (it will be Triple-DES encrypted and PEM formatted):

    $ openssl genrsa -des3 -out ca.key 1024

    # openssl genrsa -des3 -out ca.key 1024 
    1112 semi-random bytes loaded
    Generating RSA private key, 1024 bit long modulus
    ...................+++++
    ..................................+++++
    e is 65537 (0x10001)
    Enter PEM pass phrase:
    Verifying password - Enter PEM pass phrase:
    
    

    Please back up this ca.key file at a secure location and remember the pass-phrase you entered. You can see the details of this RSA private key via the command:

    $ openssl rsa -noout -text -in ca.key

    And you can create a decrypted PEM version (not recommended) of this private key via:

    $ openssl rsa -in ca.key -out ca.key.unsecure

  2. Create a self-signed CA Certificate (X509 structure) with the RSA key of the CA (output will be PEM formatted):

    $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

    # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
    Using configuration from /opt/local/ssl/openssl.cnf
    Enter PEM pass phrase:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Missouri
    Locality Name (eg, city) []:Ballwin
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Matthew's CA
    Organizational Unit Name (eg, section) []:Office of the Chairman
    Common Name (eg, YOUR name) []:Matthew Feldt
    Email Address []:matthew@aryabhat.cs.umsl.edu
    
    

    You can see the details of this Certificate via the command:

    $ openssl x509 -noout -text -in ca.crt

  3. Prepare a script for signing. This is needed because the ``openssl ca'' command has some strange requirements and the default OpenSSL config doesn't easily allow ``openssl ca'' to be used directly. A script named sign.sh is therefore distributed with the mod_ssl distribution (subdir pkg.contrib/). Use this script for signing.

  4. Now you can use this CA to sign CSRs in order to create real SSL Certificates for use inside an Apache webserver:

    $ ./sign.sh server.csr

    # /opt/src/mod_ssl-2.3.5-1.3.6/pkg.contrib/sign.sh server.csr
    CA signing: server.csr -> server.crt:
    Using configuration from ca.config
    Enter PEM pass phrase:
    Check that the request matches the signature
    Signature ok
    The Subjects Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'Narnia'
    localityName          :PRINTABLE:'Left Side of the Closet'
    organizationName      :PRINTABLE:'Crosscheck Hockey Supply'
    organizationalUnitName:PRINTABLE:'Sticks/Pucks'
    commonName            :PRINTABLE:'crosscheck.feldt.com'
    emailAddress          :IA5STRING:'matthew@crosscheck.feldt.com'
    Certificate is to be certified until Jul 14 00:39:09 2000 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    CA verifying: server.crt <-> CA cert
    server.crt: OK
    
    

    This signs the CSR and results in a server.crt file.
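
The requirements of ``openssl ca'' mentioned in step 3 come down to a config file that names a directory for issued certificates, an index database and a serial file. The sketch below is an added example and is not mod_ssl's sign.sh; the ca.db.* file names, the function names and the sample subjects are assumptions, and -batch replaces the y/n prompts shown in the transcript above.

```shell
#!/bin/sh
# Added example (not mod_ssl's sign.sh): the state `openssl ca` needs in order to sign.

# Create the CA database files and a minimal config in DIR, next to ca.key and ca.crt.
# Run once per CA. DIR should be an absolute path without spaces.
# The ca.db.* names are hypothetical; DN fields not listed in the policy are dropped.
init_ca_dir() {  # usage: init_ca_dir DIR
    mkdir -p "$1/ca.db.certs" &&         # a copy of every issued certificate lands here
    : > "$1/ca.db.index" &&              # text database of issued certificates, starts empty
    echo 01 > "$1/ca.db.serial" &&       # next serial number to assign, in hex
    cat > "$1/ca.config" <<EOF
[ ca ]
default_ca    = CA_own
[ CA_own ]
new_certs_dir = $1/ca.db.certs
database      = $1/ca.db.index
serial        = $1/ca.db.serial
certificate   = $1/ca.crt
private_key   = $1/ca.key
default_days  = 365
default_md    = sha256
policy        = policy_cn_only
[ policy_cn_only ]
commonName    = supplied
EOF
}

# Sign CSR into CERT without the interactive y/n prompts, then verify it against the CA.
sign_csr() {  # usage: sign_csr DIR CSR CERT
    openssl ca -batch -notext -config "$1/ca.config" -out "$3" -infiles "$2" &&
    openssl verify -CAfile "$1/ca.crt" "$3"
}

# Constructed sample input: throwaway CA key/cert and a server CSR (2048-bit, unencrypted).
make_ca_and_csr() {  # usage: make_ca_and_csr DIR
    ( cd "$1" && umask 077 &&
      openssl req -new -x509 -newkey rsa:2048 -nodes -keyout ca.key -days 1 \
          -subj "/CN=Example Test CA" -out ca.crt &&
      openssl req -new -newkey rsa:2048 -nodes -keyout server.key \
          -subj "/CN=www.example.test" -out server.csr
    ) >/dev/null 2>&1
}
```

Signing the same CSR a second time fails, because the index database already holds a valid certificate for that subject.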