Once the private key is generated, a Certificate Signing Request (CSR) can be generated. The CSR is then
used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as Thawte or
Verisign, which will verify the identity of the requestor and issue a signed certificate. The second option is
to self-sign the CSR, which will be demonstrated in the next section.
During the generation of the CSR, you will be prompted for several pieces of information. These are the
X.509 attributes of the certificate. One of the prompts will be for “Common Name (e.g., YOUR name)”. It
is important that this field be filled in with the fully qualified domain name of the server to be protected by
SSL. If the website to be protected will be https://www.yatblog.com, then enter www.yatblog.com at this
prompt. If you want to create a so-called “wildcard” certificate, which means the same certificate can be
used on an unlimited number of subdomains, enter an asterisk as the hostname; in our example that
would be *.yatblog.com. The command to generate the CSR is as follows:
One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase
each time the web server is started. Obviously this is not necessarily convenient as someone will not
always be around to type in the pass-phrase, such as after a reboot or crash. mod_ssl includes the ability
to use an external program in place of the built-in pass-phrase dialog; however, this is not necessarily the
most secure option either. It is possible to remove the Triple-DES encryption from the key, thereby no
longer needing to type in a pass-phrase. If the private key is no longer encrypted, it is critical that this file
only be readable by the root user! If your system is ever compromised and a third party obtains your
unencrypted private key, the corresponding certificate will need to be revoked. With that being said, use
the following command to remove the pass-phrase from the key:
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
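An added example, not part of the original post: a POSIX shell check that a key left without a pass-phrase is readable only by its owner and owned by root. The function names and the optional expected-UID argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a PEM private key such as server.key after the
# pass-phrase has been removed. Function names are this example's own.

# Exit 0 if the PEM still carries pass-phrase encryption.
key_is_encrypted() {
    # Traditional (SSLeay) PEM flags encryption in a Proc-Type header;
    # PKCS#8 flags it in the BEGIN line.
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Print the permission bits as at least three octal digits (GNU stat, then BSD stat).
key_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    printf '%03d\n' "$m"
}

# Print the numeric owner of the file.
key_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# audit_key FILE [EXPECTED_UID]: print one finding; return 0 only if acceptable.
audit_key() {
    file=$1
    want_uid=${2:-0}            # the page requires root, i.e. UID 0
    [ -f "$file" ] || { echo "MISSING $file"; return 2; }
    if key_is_encrypted "$file"; then
        echo "OK encrypted"     # Apache will prompt for the pass-phrase at start
        return 0
    fi
    mode=$(key_mode "$file")
    uid=$(key_uid "$file")
    case $mode in
        *00) ;;                 # no group or other permission bits
        *) echo "FAIL mode=$mode"; return 1 ;;
    esac
    [ "$uid" = "$want_uid" ] || { echo "FAIL uid=$uid"; return 1; }
    echo "OK unencrypted mode=$mode uid=$uid"
}

# Usage: sh audit_key.sh /usr/local/apache/conf/ssl.key/server.key
if [ $# -gt 0 ]; then audit_key "$@"; fi
```

A non-zero exit status makes the check usable from a deployment script or a cron job that watches the key directory.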
At this point you will need to generate a self-signed certificate because you either don’t plan on having
your certificate signed by a CA, or you wish to test your new SSL implementation while the CA is signing
your certificate. This temporary certificate will generate an error in the client browser to the effect that the
signing certificate authority is unknown and not trusted.
To generate a temporary certificate which is good for 365 days, issue the following command:
http://www.yatblog.com/2007/02/27/how-to-create-a-ssl-certificate/ 11/24/2010
How to create your own SSL Certificate | Yet another Tech Blog Page 2 of 6
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
When Apache with mod_ssl is installed, it creates several directories in the Apache config directory. The
location of this directory will differ depending on how Apache was compiled.
cp server.crt /usr/local/apache/conf/ssl.crt
cp server.key /usr/local/apache/conf/ssl.key
<VirtualHost www.yourdomain.com:443>
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
If you want to redirect connections made to the standard, unencrypted port 80 to the HTTPS site, simply use the following lines:
<VirtualHost mail.design-monster.com:80>
RedirectPermanent / https://www.yourdomain.com
</VirtualHost>
25 comments
Unfortunately not. You will have to create one for every domain.
We want more……
It would be possible to use your own self signed certificate on your shared hosting but the main problem
is that, if it is a shared server, you most likely don’t have a unique IP address and the SSL protocol
requires a unique IP address/port for every certificate. You would also need to configure Apache to use
the certificate so it completely depends on your hosting provider.
Very straight through how to create certificate, and implemented with vhost.
The program asks for few inputs. Please enter as required. It is shown below
(NOTE: Ubuntu Feisty has a bug where the command apache2-ssl-certificate is missing. This is a well
documented bug. Here is the file you need to download to overcome this defect to create a self signed
certificate. After you download, follow the notes below to copy the downloaded files to the location
where they are supposed to be present.
Extract the package and put ssleay.cnf to /usr/share/apache2/ and apache2-ssl-certificate to /usr/sbin.
Create /etc/apache2/ssl directory. Then apache2-ssl-certificate script should work.)
Once you have your certificate ready, then you need to configure your apache2.conf file. In this case, the
configuration is very simple. Here is an example on how to do it:
NameVirtualHost *:443
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName securedomain
ServerAlias securedomain www.domain3.com
DocumentRoot /var/www/ssl_securearea
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>
Above I have shown the whole virtual host configuration to be complete. But I hope you get an idea
where to put it.
On Ubuntu you need this step to recover the missing command apache2-ssl-certificate.
Here is the file you need to download to overcome this defect to create a self signed certificate. After
you download, follow the notes below to copy the downloaded files to the location where they are
supposed to be present.
1. Extract the package
2. put ssleay.cnf to /usr/share/apache2/
3. put apache2-ssl-certificate to /usr/sbin.
4. Create /etc/apache2/ssl directory.
Now apache2-ssl-certificate script should work.
http://librarian.launchpad.net/7477840/apache2-ssl.tar.gz
Same Content !!
Thanks
Please reply!