Secure Server For Dedicated Web Hosting

Article ID: 220

Key and CSR Generation

The utility "openssl" that you use to generate the key and CSR comes with OpenSSL and is usually installed under /usr/local/ssl/bin. If you have installed them elsewhere you will need to modify these instructions appropriately.

The following sequence of commands will generate a 1024 bit key, encrypt it using the triple-DES cipher, and create a CSR based upon it (they assume that you have openssl in your path - if not then you should prefix the openssl command with the path to the binary). You should use the domain name that you are wishing to have certified as the core of the filenames. You should also make sure you do NOT overwrite existing keys and CSR's:

Step 1. Go to your SSL directory
cd /usr/local/ssl/private

Step 2. Generate a private key
openssl genrsa -des3 512/1024 >
Now PLEASE backup your and make a note of the passphrase.
Losing your key will cost you money!

Step 3. Go to your certs directory
cd /usr/local/ssl/certs

Step 4. Generate a CSR from your key
openssl req -new -key ../private/ >

Step 5. Generate a self-signed certificate
openssl req -x509 -key ../private/ -in >
NOTE: When asked for your Common Name, enter the exact domain name of your web server you want to secure (i.e. "" or ""). The prompt on some standard OpenSSL distributions asks for "YOUR name", this is your Common Name.


If you want to avoid pass phrases, and you are convinced that your machine is secure, then leave out the "-des3" portion of the key generation command. If you do this, PLEASE ensure that the keyfile can only be read by root. Your server starts up as root, so it can read the key, then it switches to whatever user you're running it as (usually nobody). We recommend that you do a "chown root.root file.key; chmod 400 file.key" to make sure you never lose it to an arbitrary user on your machine.

Note that losing a password will prevent you from accessing your key, and you will need to get a new one. Please remember this password!

Submitting your CSR

The file is your secret key, and must be installed as per the instructions that come with ApacheSSL. The file is your CSR, and the important bit looks something like this:


Installing the certificate

The file is your self-signed certificate. You use it as a temporary certificate while you are waiting for a real certificate from Thawte. You install it by updating your ApacheSSL config for that virtualhost as follows:

SSLCertificateFile /usr/local/ssl/certs/
SSLCertificateKeyFile /usr/local/ssl/private/ When you receive your certificate, you will install it in place of your self-signed cert at /usr/local/ssl/certs/

For your Thawte cert (or renewed cert) to take an effect, you can also try to restart the entire server and not just the daemon.

Note for Cobalt users: It is essential to restart the entire server after installing your certificate.

Setting up SSL

You configure your server using the httpd.conf file. Under your virtual host, enable SSL, on port 443, and make sure each virtual host has it's own IP (SSL does not support name based virtual hosts). You will have to change the links to your secure site to https.