Article ID: 220
Key and CSR Generation
The utility "openssl" that you use to generate the key and CSR comes with OpenSSL and is usually installed under /usr/local/ssl/bin. If you have installed it elsewhere you will need to modify these instructions appropriately.
The following sequence of commands will generate a 1024 bit key, encrypt it using the triple-DES cipher, and create a CSR based upon it (they assume that you have openssl in your path; if not, prefix the openssl command with the path to the binary). Use the domain name that you wish to have certified as the core of the filenames. Also make sure you do NOT overwrite existing keys and CSRs:
Step 1. Go to your SSL directory
Step 2. Generate a private key
openssl genrsa -des3 1024 > www.xxx.com.key
Now PLEASE back up your www.xxx.com.key and make a note of the passphrase.
Losing your key will cost you money!
Step 3. Go to your certs directory
Step 4. Generate a CSR from your key
openssl req -new -key ../private/www.xxx.com.key > www.xxx.com.csr
Step 5. Generate a self-signed certificate
openssl req -x509 -key ../private/www.xxx.com.key -in www.xxx.com.csr > www.xxx.com.crt
NOTE: When asked for your Common Name, enter the exact domain name of the web server you want to secure (e.g. "www.foo.com" or "secure.foo.com"). The prompt on some standard OpenSSL distributions asks for "YOUR name"; this is your Common Name.
If you want to avoid pass phrases, and you are convinced that your machine is secure, then leave out the "-des3" portion of the key generation command. If you do this, PLEASE ensure that the keyfile can only be read by root. Your server starts up as root, so it can read the key, then it switches to whatever user you're running it as (usually nobody). We recommend that you run "chown root:root file.key; chmod 400 file.key" to make sure you never lose it to an arbitrary user on your machine.
Note that losing a password will prevent you from accessing your key, and you will need to get a new one. Please remember this password!
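The five steps above, plus the pre-submission checks a practitioner would want, as an added example that is not part of the original article. It assumes a POSIX shell with openssl in the path and the article's private/ and certs/ layout under a working directory; it uses a 2048-bit key and AES-256 in place of the 1024-bit triple-DES key in the text, since that is the minimum most CAs accept today.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes a POSIX shell and
# an openssl binary in $PATH. Layout mirrors the article: private/ for keys,
# certs/ for CSRs and certificates.
set -eu

# Generate an encrypted 2048-bit RSA key, a CSR whose Common Name is the
# domain, and a 30-day self-signed certificate to use while waiting for the CA.
# The key is written under umask 077 so it is never group/world-readable.
gen_site_material() {
    domain="$1"; workdir="$2"; pass="$3"
    mkdir -p "$workdir/private" "$workdir/certs"
    ( umask 077
      openssl genrsa -aes256 -passout "pass:$pass" \
          -out "$workdir/private/$domain.key" 2048 2>/dev/null )
    openssl req -new -key "$workdir/private/$domain.key" -passin "pass:$pass" \
        -subj "/CN=$domain" -out "$workdir/certs/$domain.csr"
    openssl req -x509 -days 30 -in "$workdir/certs/$domain.csr" \
        -key "$workdir/private/$domain.key" -passin "pass:$pass" \
        -out "$workdir/certs/$domain.crt"
}

# Sanity checks before submitting the CSR or installing the certificate:
#  1. key, CSR and certificate all carry the same RSA modulus;
#  2. the CSR's Common Name is exactly the domain;
#  3. the key file is mode 0600 (the article asks for 400 and root ownership).
# Returns 0 when all pass, 1 otherwise.
check_site_material() {
    domain="$1"; workdir="$2"; pass="$3"
    key="$workdir/private/$domain.key"
    key_mod=$(openssl rsa -noout -modulus -in "$key" -passin "pass:$pass")
    csr_mod=$(openssl req -noout -modulus -in "$workdir/certs/$domain.csr")
    crt_mod=$(openssl x509 -noout -modulus -in "$workdir/certs/$domain.crt")
    [ "$key_mod" = "$csr_mod" ] && [ "$csr_mod" = "$crt_mod" ] || return 1
    # Subject printing differs between OpenSSL versions ("/CN=x" vs "CN = x").
    openssl req -noout -subject -in "$workdir/certs/$domain.csr" \
        | grep -q "CN *= *$domain\$" || return 1
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    [ "$mode" = "600" ]
}
```

Run as `gen_site_material www.xxx.com /usr/local/ssl 'passphrase'` followed by `check_site_material` with the same arguments; a non-zero exit means the CSR should not be submitted.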
Submitting your CSR
The file www.virtualhost.com.key is your secret key, and must be installed as per the instructions that come with ApacheSSL. The file www.virtualhost.com.csr is your CSR, and the important bit looks something like this:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
Installing the certificate
The file www.virtualhost.com.crt is your self-signed certificate. You use it as a temporary certificate while you are waiting for a real certificate from Thawte. You install it by updating your ApacheSSL config for that virtualhost as follows:
SSLCertificateFile /usr/local/ssl/certs/www.virtualhost.com.crt
SSLCertificateKeyFile /usr/local/ssl/private/www.virtualhost.com.key
When you receive your certificate, you will install it in place of your self-signed cert at /usr/local/ssl/certs/www.virtualhost.com.crt
For your Thawte certificate (or a renewed certificate) to take effect, you may also need to restart the entire server and not just the daemon.
Note for Cobalt users: It is essential to restart the entire server after installing your certificate.
Setting up SSL
You configure your server using the httpd.conf file. Under your virtual host, enable SSL on port 443, and make sure each virtual host has its own IP address (SSL does not support name-based virtual hosts). You will also have to change the links to your secure site to https.