Secure Server For Dedicated Web Hosting

Key and CSR Generation

The utility "openssl" that you use to generate the key and CSR comes with OpenSSL and is usually installed under /usr/local/ssl/bin. If OpenSSL is installed elsewhere on your system, adjust the paths in these instructions accordingly.

The following sequence of commands will generate a 1024-bit key, encrypt it using the triple-DES cipher, and create a CSR based upon it (they assume that openssl is in your path; if not, prefix the openssl command with the path to the binary). Use the domain name that you wish to have certified as the core of the filenames, and make sure you do NOT overwrite existing keys and CSRs:

Step 1. Go to your SSL directory
cd /usr/local/ssl/private

Step 2. Generate a private key
openssl genrsa -des3 1024 > www.xxx.com.key
(The final argument is the key length in bits; use 512 in place of 1024 if you want a 512-bit key.)
Now PLEASE backup your www.xxx.com.key and make a note of the passphrase.
Losing your key will cost you money!

Step 3. Go to your certs directory
cd /usr/local/ssl/certs

Step 4. Generate a CSR from your key
openssl req -new -key ../private/www.xxx.com.key > www.xxx.com.csr

Step 5. Generate a self-signed certificate
openssl req -x509 -key ../private/www.xxx.com.key -in www.xxx.com.csr > www.xxx.com.crt
NOTE: When asked for your Common Name, enter the exact domain name of the web server you want to secure (e.g. "www.foo.com" or "secure.foo.com"). The prompt on some standard OpenSSL distributions asks for "YOUR name"; this is your Common Name.

Passphrases

If you want to avoid passphrases, and you are convinced that your machine is secure, then leave out the "-des3" portion of the key generation command. If you do this, PLEASE ensure that the key file can only be read by root. Your server starts up as root, so it can read the key, and then switches to whatever user you are running it as (usually nobody). We recommend that you run "chown root.root file.key; chmod 400 file.key" to make sure the key is never readable by an arbitrary user on your machine.

Note that losing the passphrase will prevent you from accessing your key, and you will need to generate a new one. Please remember this passphrase!
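Steps 2 to 5 above, run end to end without the interactive prompts and without -des3 (so the key file is locked down with chmod 400 as described in the Passphrases section), followed by the checks worth running before the CSR is submitted: that the key, CSR and self-signed certificate share one RSA modulus, that the CSR's Common Name is exactly the host, and that the key file is mode 400. This is an added example, not the article's own commands; HOST, OUTDIR and the O= value are placeholders, and it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example, not the article's commands: steps 2-5 without the interactive
# prompts, then the checks to run before submitting the CSR. Assumes openssl on PATH.
set -eu

HOST="${HOST:-www.example.com}"     # Common Name to certify (placeholder)
OUTDIR="${OUTDIR:-$(mktemp -d)}"    # stands in for /usr/local/ssl/{private,certs}
BITS="${BITS:-2048}"                # the article uses 1024; public CAs now require >= 2048
KEY="$OUTDIR/$HOST.key"; CSR="$OUTDIR/$HOST.csr"; CRT="$OUTDIR/$HOST.crt"
# Step 2 without -des3 (no passphrase), so the key file must stay root-only as the
# Passphrases section says. -subj replaces the prompts; CN is exactly the host name.
make_key_csr_and_selfsigned() {
    umask 077                                          # key is created mode 0600
    openssl genrsa -out "$KEY" "$BITS" 2>/dev/null     # step 2
    openssl req -new -key "$KEY" -subj "/C=US/O=Example Hosting/CN=$HOST" -out "$CSR"   # step 4
    openssl req -x509 -key "$KEY" -in "$CSR" -days 30 -out "$CRT"                       # step 5
    chmod 400 "$KEY"
}

# True only if key, CSR and self-signed cert carry the same RSA modulus, i.e. the
# CSR you are about to submit really belongs to the key you just backed up.
moduli_match() {
    k=$(openssl rsa  -noout -modulus -in "$KEY")
    r=$(openssl req  -noout -modulus -in "$CSR")
    c=$(openssl x509 -noout -modulus -in "$CRT")
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# True only if the CSR's self-signature verifies and its CN is exactly $HOST
# (the CA issues for the name in the CSR, not the one you meant to type).
csr_cn_ok() {
    openssl req -noout -verify -in "$CSR" >/dev/null 2>&1 || return 1
    cn=$(openssl req -noout -subject -in "$CSR" -nameopt sep_multiline,sname \
         | sed -n 's/^ *CN *= *//p')
    [ "$cn" = "$HOST" ]
}

# True only if the key file is mode 0400 (GNU stat, with BSD stat as fallback).
key_perms_ok() {
    mode=$(stat -c %a "$KEY" 2>/dev/null || stat -f %Lp "$KEY")
    [ "$mode" = "400" ]
}

make_key_csr_and_selfsigned
if moduli_match && csr_cn_ok && key_perms_ok; then
    echo "ok: $CSR matches $KEY and is ready to submit"
else
    echo "check failed: do not submit $CSR" >&2
fi
```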

Submitting your CSR

The file www.virtualhost.com.key is your secret key, and must be installed as per the instructions that come with ApacheSSL. The file www.virtualhost.com.csr is your CSR, and the important bit looks something like this:

-----BEGIN CERTIFICATE REQUEST-----
MIIBPTCB6AIBADCBhDELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2Fw
ZTESMBAGA1UEBxMJQ2FwZSBUb3duMRQwEgYDVQQKEwtPcHBvcnR1bml0aTEYMBYG
A1UECxMPT25saW5lIFNlcnZpY2VzMRowGAYDVQQDExF3d3cuZm9yd2FyZC5jby56
YTBaMA0GCSqGSIb3DQEBAQUAA0kAMEYCQQDT5oxxeBWu5WLHD/G4BJ+PobiC9d7S
6pDvAjuyC+dPAnL0d91tXdm2j190D1kgDoSp5ZyGSgwJh2V7diuuPlHDAgEDoAAw
DQYJKoZIhvcNAQEEBQADQQBf8ZHIu4H8ik2vZQngXh8v+iGnAXD1AvUjuDPCWzFu
pReiq7UR8Z0wiJBeaqiuvTDnTFMz6oCq6htdH7/tvKhh
-----END CERTIFICATE REQUEST-----

Installing the certificate

The file www.virtualhost.com.crt is your self-signed certificate. You use it as a temporary certificate while you are waiting for a real certificate from Thawte. You install it by updating your ApacheSSL config for that virtualhost as follows:

SSLCertificateFile /usr/local/ssl/certs/www.virtualhost.com.crt
SSLCertificateKeyFile /usr/local/ssl/private/www.virtualhost.com.key

When you receive your certificate, install it in place of your self-signed certificate at /usr/local/ssl/certs/www.virtualhost.com.crt.

If your Thawte certificate (or renewed certificate) does not take effect after restarting the daemon, try restarting the entire server rather than just the daemon.

Note for Cobalt users: It is essential to restart the entire server after installing your certificate.

Setting up SSL

You configure your server using the httpd.conf file. Under your virtual host, enable SSL on port 443, and make sure each virtual host has its own IP address (SSL does not support name-based virtual hosts). You will also have to change the links to your secure site to https.

Article ID: 220
