Creating and Installing a Certificate on Apache 2
Generating and installing a certificate is not as big a deal as some may think, but it requires some understanding of how Apache and certificates work.
This post will be structured in 3 parts:
- Generating a private key for the apache server
- Generating a Certificate Signing Request (CSR)
- Configuring Apache 2 SSL
Generating a private key for the server
To generate a private key for our server we need the OpenSSL utilities. To install them, just run:
apt-get install openssl
To generate a private key, run in the console:
openssl genrsa -des3 -out www.mydomain.com.key 1024
If you are not satisfied with the Linux pseudo-random generator (and your computer doesn’t have a hardware one), just use some random files from your disk (or any other files):
openssl genrsa -des3 -rand rfile1:rfile2:rfile3 -out www.mydomain.com.key 1024
Where rfile1, rfile2 and rfile3 are the files. These files need to be larger than 150K.
While generating the private key, it will ask you for a passphrase (password). Don’t write it down; just try to store it in your brain 🙂
Generating a Certificate Signing Request
In a terminal window, begin the CSR creation by entering the following command:
openssl req -new -key www.mydomain.com.key -out /etc/apache2/ssl/www.mydomain.com.csr
The rest of the CSR creation process is interactive.
Enter PEM pass phrase:
Enter the passphrase assigned to www.mydomain.com.key in the step above.
Country Name (2 letter code) [AU]: US
Enter the ISO 3166 country code for your country.
State or Province Name (full name) [Some-State]: New York
Enter the corresponding state or province, without abbreviations.
Locality Name (eg, city) [ ]: New York
Supply the city or locality name.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: My Company SRL
Supply the name of your company or organization. This information should reflect the officially registered name of your company or organization.
Organizational Unit Name (eg, section) [ ]: My Company Unit
If relevant, supply the name of the division or department.
Common Name (eg, your web server’s hostname) [ ]: www.mydomain.com
Supply the Common Name (CN) of your web server in the field provided.
Email Address [ ] :
Some CAs do not accept the use of email attributes in CSRs. Please do not supply an email address in this field. Simply press ENTER to bypass this prompt.
Please enter the following ‘extra’ attributes to be sent with your certificate request
A challenge password :
DO NOT USE. Just Press Enter
An optional company name :
DO NOT USE. Just Press Enter
Now you just need to send www.mydomain.com.csr to the CA to be signed. You will get back the certificate: www.mydomain.com.crt
Configuring Apache 2 SSL
To configure Apache 2 you will need the SSL module enabled:
If you don’t remove the passphrase from the private key (www.mydomain.com.key), you will be prompted for it every time you restart Apache. To remove it, just run:
openssl rsa -in www.mydomain.com.key -out www.mydomain.com.pem
Now just add
After that create a configuration file for www.mydomain.com in /etc/apache2/sites-available/www.mydomain.com with the following content:
NameVirtualHost [Your Webserver IP Address]
<VirtualHost [Your Webserver IP Address]:443>
    ServerAdmin firstname.lastname@example.org
    ServerName www.mydomain.com
    ErrorLog /var/log/apache2/www.mydomain.com-error.log
    CustomLog /var/log/apache2/www.mydomain.com-access.log combined
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/www.mydomain.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.mydomain.com.pem
</VirtualHost>
Now just restart the apache server:
and access your site https://www.mydomain.com
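A check worth running before the restart, as an added example that is not part of the original post: it confirms that the certificate returned by the CA was issued for the passphrase-free key Apache will load, that the key meets a minimum size, and that the key file is not accessible to other users. The function names and the 2048-bit default (the minimum public CAs accept today, larger than the 1024 used above) are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks to run before
# pointing SSLCertificateFile / SSLCertificateKeyFile at new files.
# Function names and the 2048-bit default are assumptions of this example.

# Emit the public key (PEM) held in an unencrypted private key / a certificate.
# "-passin pass:" makes an encrypted key fail instead of prompting.
pub_from_key()  { openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null; }
pub_from_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# check_tls_files <key.pem> <cert.crt> [min_bits]
# Returns 0 if OK, 2 unreadable input, 3 key/cert mismatch,
# 4 key too short or certificate expired, 5 key file open to group/others.
check_tls_files() {
    key=$1; crt=$2; min=${3:-2048}

    kpub=$(pub_from_key "$key") ||
        { echo "cannot load key (still passphrase-protected?)"; return 2; }
    cpub=$(pub_from_cert "$crt") ||
        { echo "cannot load certificate"; return 2; }

    # The CA signs the public key from the CSR; it must be the one in our key.
    [ "$kpub" = "$cpub" ] ||
        { echo "certificate was not issued for this key"; return 3; }

    # Handles both "Public-Key: (N bit)" and "RSA Public-Key: (N bit)".
    bits=$(openssl x509 -in "$crt" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "$bits" -ge "$min" ] 2>/dev/null ||
        { echo "key is ${bits:-?} bits, want >= $min"; return 4; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired"; return 4; }

    # The passphrase-free key is protected only by file permissions:
    # characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "key file is accessible to group/others: chmod 600 $key"; return 5; }

    echo "ok: $crt matches $key ($bits-bit key)"
}
```

Call it as check_tls_files /etc/apache2/ssl/www.mydomain.com.pem /etc/apache2/ssl/www.mydomain.com.crt; a non-zero exit status means Apache should not be restarted with these files.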