
Creating and Installing a Certificate on Apache 2

12 November 2008

Generating and installing a certificate is not as big a deal as some may think, but it does require some understanding of how Apache and certificates work.

This post will be structured in 3 parts:

  • Generating a private key for the apache server
  • Generating a Certificate Signing Request (CSR)
  • Configuring Apache 2 SSL

Generating a private key for the server

To generate a private key for our server we need OpenSSL utilities. To install it just run:

apt-get install openssl

To generate a private key run in console:

openssl genrsa -des3 -out www.mydomain.com.key 1024

If you are not satisfied with the Linux pseudo-random generator (and your computer doesn't have a hardware one), seed it with some random files from your disk (or any other files):

openssl genrsa -des3 -rand rfile1:rfile2:rfile3 -out www.mydomain.com.key 1024

Where rfile1, rfile2 and rfile3 are the files. These files need to be larger than 150K.

When generating the private key you will be asked for a passphrase (password). Don't write it down, just try to store it in your brain 🙂

Generating a Certificate Signing Request

In a terminal window, begin the CSR creation by entering the following command:

openssl req -new -key www.mydomain.com.key -out /etc/apache2/ssl/www.mydomain.com.csr

The rest of the CSR creation process is interactive.

Enter PEM pass phrase:
Enter the passphrase you assigned to www.mydomain.com.key in the step above.

Country Name (2 letter code) [AU]: US
Enter the corresponding ISO3166 country code for the country.

State or Province Name (full name) [Some-State]: New York
Enter the corresponding state or province, without abbreviations.

Locality Name (eg, city) [ ]: New York
Supply the city or locality name.

Organization Name (eg, company) [Internet Widgits Pty Ltd]: My Company SRL
Supply the name of your company or organization. This information should reflect the officially registered name of your company or organization.

Organizational Unit Name (eg, section) [ ]: My Company Unit
If relevant, supply the name of the division or department.

Common Name (eg, your web server’s hostname) [ ]: www.mydomain.com
Supply the Common Name (CN) of your web server in the field provided.

Email Address [ ] :
Some CAs do not accept the use of email attributes in CSRs. Do not supply an email address in this field; simply press ENTER to bypass this prompt.

Please enter the following ‘extra’ attributes to be sent with your certificate request
A challenge password []:
Do not use; just press Enter.
An optional company name []:
Do not use; just press Enter.

Now you just need to send www.mydomain.com.csr to the CA to be signed. You will get back the certificate: www.mydomain.com.crt

Configuring Apache2

To configure Apache 2 you will need the SSL module enabled:

a2enmod ssl

If you don't remove the passphrase from the private key (www.mydomain.com.key), you will be prompted for it every time you restart Apache. To remove it just run:

openssl rsa -in www.mydomain.com.key -out www.mydomain.com.pem
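The key, CSR and passphrase-removal steps above, run non-interactively, plus the checks worth doing before the CSR is sent to the CA. This is an added example, not part of the original post; it assumes openssl is on the PATH, and the hostname, subject fields and passphrase are placeholders. It uses 2048-bit keys rather than the 1024 bits shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl is installed;
# hostname, subject and passphrase values are placeholders.
set -eu

# Generate the encrypted private key, the CSR, and the passphrase-less copy
# that Apache loads. $1 = output directory, $2 = hostname (CN), $3 = passphrase.
# 2048 bits instead of the post's 1024: 1024-bit RSA is no longer accepted
# by CAs or browsers.
make_key_and_csr() {
    dir=$1; host=$2; pass=$3
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/$host.key" 2048 2>/dev/null
    # Subject fields mirror the interactive prompts; no email, no challenge password.
    openssl req -new -key "$dir/$host.key" -passin "pass:$pass" \
        -subj "/C=US/ST=New York/L=New York/O=My Company SRL/OU=My Company Unit/CN=$host" \
        -out "$dir/$host.csr"
    # Strip the passphrase so Apache can start unattended; keep both files root-only.
    openssl rsa -in "$dir/$host.key" -passin "pass:$pass" -out "$dir/$host.pem" 2>/dev/null
    chmod 600 "$dir/$host.key" "$dir/$host.pem"
}

# Check that the CSR really belongs to this key: its self-signature must verify
# and its RSA modulus must equal the key's. Returns 0 on match, 1 otherwise.
csr_matches_key() {
    dir=$1; host=$2
    openssl req -in "$dir/$host.csr" -noout -verify >/dev/null 2>&1 || return 1
    key_mod=$(openssl rsa -in "$dir/$host.pem" -noout -modulus)
    csr_mod=$(openssl req -in "$dir/$host.csr" -noout -modulus)
    [ -n "$key_mod" ] && [ "$key_mod" = "$csr_mod" ]
}

# True when a key file is still passphrase-protected (Apache would prompt on restart).
key_is_encrypted() {
    grep -q "ENCRYPTED" "$1"
}

# Print the CSR subject so it can be checked before submission.
csr_subject() {
    openssl req -in "$1" -noout -subject
}
```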

Now just add

Listen 443

to /etc/apache2/ports.conf

After that, create a configuration file for www.mydomain.com at /etc/apache2/sites-available/www.mydomain.com with the following content:

NameVirtualHost [Your Webserver IP Address]
<VirtualHost [Your Webserver IP Address]:443>
    ServerAdmin webmaster@mydomain.com
    ServerName www.mydomain.com
    ErrorLog /var/log/apache2/www.mydomain.com-error.log
    CustomLog /var/log/apache2/www.mydomain.com-access.log combined
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/www.mydomain.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.mydomain.com.pem
</VirtualHost>

Now just restart the Apache server:

/etc/init.d/apache2 restart

and access your site https://www.mydomain.com

Success!
