Setup SSL Tutorial teaches you how to generate and setup a SSL certificate.
Assuming you have apache and openssl installed, you would like to generate and setup an SSL certificate for a domain and generate a CSR.

Generating RSA & CSR (Signing Request)

[root@yupapa root]#
[root@yupapa root]# cd /etc/httpd/conf/ssl.key

OPTION 1: Generating a RSA private key without a passphrase (ME recommended)
[root@yupapa /etc/httpd/conf/ssl.key]# openssl genrsa -out MYdomain.com.key 1024

OPTION 2: Generating a RSA private key with a passphrase. You will be prompted to enter a passphrase right after you hit enter.
[root@yupapa /etc/httpd/conf/ssl.key]# openssl genrsa -des3 -out MYdomain.com.key 1024

You should NOT generate the RSA private key with a passphrase if you have scripts that restart apache automatically. If you have, then apache just sit there and wait for the script to input the passphrase which is a mess!
There is a method that you can disable the passphrase to prompt when you restart apache which I'll show you later~

Next generate the CSR using the RSA Private Key

[root@yupapa /etc/httpd/conf/ssl.csr]# openssl req -new -key MYdomain.com.key -out MYdomain.com.csr
[root@yupapa /etc/httpd/conf/ssl.csr]# mv MYdomain.com.csr ../ssl.csr

You will be asked to enter your Common Name, Organization, Organization Unit, City or Locality, State or Province and Country.
Do not enter these characters '< > ~ ! @ # $ % ^ * / ( ) ?.,&' because they will not be accepted.

Common Name: the domain for the web server (e.g. MYdomain.com)
Organization: the name of your organization (e.g. YUPAPA)
Organization Unit: the section of the organization (e.g. Sales)
City or Locality: the city where your organzation is located (e.g. Flanders)
State or Province: the state / province where your organzation is located (e.g New Jersey)
Country: the country where your organzation is located (e.g US)

You may be asked for emeow address and challenge challenge password. I just hit enter when I generate the csr~

Now you should have:
/etc/httpd/conf/ssl.key/MYdomain.com.key
/etc/httpd/conf/ssl.csr/MYdomain.com.csr

Make a backup copy of your private key! If you lose it, you have to purchase a new cert!

Now you should submit your csr and they will mail you the certificate.


Installing the Certificate for Apache

[root@yupapa root]# cd /etc/httpd/conf/ssl.crt

Copy the certificate that they mailed you to MYdomain.com.crt
Open your httpd.conf file and place the following to your virtualhost

<VirtualHost 123.456.789.123:443>
... some config like DocumentRoot , etc..
SSLEngine  on
SSLCertificateFile /etc/httpd/conf/ssl.crt/MYdomain.com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/MYdomain.com.key
</VirtualHost>

Restart apache
OPTION 1 [root@yupapa /etc/httpd/conf/ssl.crt]# apachectl restart
OPTION 2 (using the sh script) [root@yupapa /etc/httpd/conf/ssl.crt]# /etc/rc.d/init.d/httpd restart

You may be asked to enter the passphrase IF you generated the RSA with a passphrase. If you do NOT want to be asked for a passphrase when restarting apache, re-generate your RSA key file.
[root@yupapa /etc/httpd/conf/ssl.crt]# cd ../ssl.key
[root@yupapa /etc/httpd/conf/ssl.key]# mv MYdomain.com.key MYdomain.com.key.has-passphrase
[root@yupapa /etc/httpd/conf/ssl.key]# openssl rsa -in MYdomain.com.key.has-passphrase -out MYdomain.com.key

And then restart apache again
[root@yupapa /etc/httpd/conf/ssl.crt]# /etc/rc.d/init.d/httpd restart

Now you should be able to access https://MYdomain.com ~ And Finally make sure those directories and files are only writable and readable by root!

Written by YUPAPA - http://www.yupapa.com

New! - Need server help? Hire an Expert

By : ramprage

Rating :

Views: 79090

Date: September 8, 2004