Create ssl certificate
From Webpipe Wiki
To encrypt traffic to your website, you need to have an SSL certificate installed on your server. When visiting a site with a properly installed SSL certificate, the communication between a visitor's web browser and your web server is encrypted and very difficult for anybody who may be able to see your traffic to interpret. The certificate also verifies that your server is indeed who it says it is.
In the examples below, substitute MYDOMAIN.COM with your actual domain name. Input that you should type in is displayed <LIKE THIS>. Full paths have been used in the examples for clarity. These paths are based on a standard CentOS installation. If your server has a different Linux distribution, the paths for some files may be different.
Generating an SSL certificate is done in four parts.
1- Create the certificate: (.key file)
Your key file is confidential and should never be displayed or saved in a place where others may be able to view it. If somebody is able to read your key, then they may be able to interpret the encrypted traffic or impersonate your site.
# cd /etc/httpd/conf/ssl.key/
# openssl genrsa -des3 -out MYDOMAIN.COM.key 1024
....++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase for MYDOMAIN.COM.key: <ENTER A PASSWORD HERE>
Verifying - Enter pass phrase for MYDOMAIN.COM.key: <ENTER PASSWORD AGAIN HERE>
1a- Remove the password from the key
If you don't remove the password from your private key, then you will be prompted for a password each time that your web server starts up. Since you may not always be logged in and watching when your server boots, it's usually a good idea to remove the password from it.
# mv MYDOMAIN.COM.key MYDOMAIN.COM.key.withpassword
# openssl rsa -in MYDOMAIN.COM.key.withpassword -out MYDOMAIN.COM.key
Enter pass phrase for MYDOMAIN.COM.key.withpassword: <ENTER THE PASSWORD>
writing RSA key
2- Create the CSR
Generating a Certificate Signing Request (or CSR) takes necessary information from your key, and adds information about your web site and your company that will be used to create your certificate.
The "common name" prompt will be the name of the site that your SSL certificate will be used on. You should pick this carefully, because the certificate can only be used on this name. For example, if you type "www.webpipe.net", it will not work properly on "webpipe.net".
# cd /etc/httpd/conf/ssl.csr/
# openssl req -new -key /etc/httpd/conf/ssl.key/MYDOMAIN.COM.key -out MYDOMAIN.COM.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Utah
Locality Name (eg, city) [Newbury]:Ogden
Organization Name (eg, company) [My Company Ltd]:Webpipe.net
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.webpipe.net
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3- Send the CSR to get signed
Most of the time, you will send your CSR to a third party for them to "sign" your certificate. The process for this varies, depending on who you choose to sign your certificate, but somehow you submit your CSR file to them, and they send you back a CRT file. If you don't care about having your certificate signed by a third party, then you can sign it yourself (visitors will get a warning message about this).
The CSR file will look something like this:
# cat MYDOMAIN.COM.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIBnDCCAQUCAQAwXDELMAkGA1UEBhMCVVMxDTALBgNVBAgTBFV0YWgxDjAMBgNV
BAcTBU9nZGVuMRQwEgYDVQQKEwtXZWJwaXBlLm5ldDEYMBYGA1UEAxMPd3d3Lndl
YnBpcGUubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDrwyYu6jCmaS8m
Bh1/lZO1FidXuGLL1CdjqPqrrq+dnP/jTht9ofycyKcMvuRlFO50wiOOwDO3KX22
exZEsgn5/yI1Kia3YlVxMHR9ocInKL92g23Vl0eoy19w20yxaLukt2lA8W4+cyfA
k/adwjUjBl8q45+njecsLIC8MpE4vwIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEA
cvyHfO60fsIZjMhpU+0LY0blJXoKXvm6rIZVVrbo6KSqteD3JvwWiP7e06M1ZXYp
yWOIqGmttCJe2wSBCTR8jmOdSsVlm9b8wYA8Q8g1UO0ZxaNY0U8KTareYv6s7fj7
63YY9wzomKl37lrWJDDOZ/X8IpBh3k+irqg8vuy4tDQ=
-----END CERTIFICATE REQUEST-----
You will need the contents of that file to submit to get it signed.
If you want to sign the certificate yourself you can use this command:
# openssl x509 -req -days 365 -in /etc/httpd/conf/ssl.csr/MYDOMAIN.COM.csr \
    -signkey /etc/httpd/conf/ssl.key/MYDOMAIN.COM.key \
    -out /etc/httpd/conf/ssl.crt/MYDOMAIN.COM.crt
4- Install the certificate
When you receive the certificate back, save the CRT file to your server and tell the web server where it is.
When you get the certificate back, save it to
/etc/httpd/conf/ssl.crt/MYDOMAIN.COM.crt
You may also have to install an "intermediate certificate", depending on who you purchased the certificate from. You should save that file to the same directory.
Now modify the web server's configuration file to read and use your new certificate.
On servers that Webpipe has set up, you should edit /etc/httpd/conf.d/ssl.conf
Find the SSLCertificateKeyFile line and replace it with this:
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/MYDOMAIN.COM.key
Then find the SSLCertificateFile line and replace with this:
SSLCertificateFile /etc/httpd/conf/ssl.crt/MYDOMAIN.COM.crt
If you have to install an "intermediate" certificate, then find the SSLCertificateChainFile line and replace it with this:
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/<YOUR_INTERMEDIATE_FILE>.crt
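The same procedure (steps 1 to 3) done non-interactively, followed by the checks worth running before editing ssl.conf in step 4. This is an added example, not part of the Webpipe wiki page; it assumes openssl is on the PATH and uses a scratch directory and the stand-in name www.example.com in place of the wiki's /etc/httpd paths and MYDOMAIN.COM.

```shell
#!/bin/sh
# Added example (not from the Webpipe wiki). Assumptions: openssl on PATH;
# $WORK is a scratch directory standing in for /etc/httpd/conf/ssl.key,
# ssl.csr and ssl.crt; $DOMAIN stands in for MYDOMAIN.COM.
set -e
WORK="${WORK:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-www.example.com}"

# Step 1: generate the private key. The wiki shows 1024 bits and a DES3
# passphrase; 2048 bits is the current minimum, and omitting -des3 gives an
# unencrypted key directly, so step 1a is not needed. umask 077 makes the
# file readable only by its owner (the wiki's confidentiality warning).
make_key() {
    (umask 077; openssl genrsa -out "$WORK/$DOMAIN.key" 2048 2>/dev/null)
}

# Step 2: the CSR, with the Distinguished Name given via -subj instead of the
# interactive prompts. CN must be the exact host name the site is served on.
make_csr() {
    openssl req -new -key "$WORK/$DOMAIN.key" -out "$WORK/$DOMAIN.csr" \
        -subj "/C=US/ST=Utah/L=Ogden/O=Webpipe.net/CN=$DOMAIN"
}

# Step 3, self-signed variant: the same command the wiki gives.
self_sign() {
    openssl x509 -req -days 365 -in "$WORK/$DOMAIN.csr" \
        -signkey "$WORK/$DOMAIN.key" -out "$WORK/$DOMAIN.crt" 2>/dev/null
}

# Check: key, CSR and certificate must all carry the same RSA modulus. A
# mismatch (e.g. a CSR regenerated with a new key) is the usual reason the
# web server refuses to start after step 4.
keys_match() {
    k=$(openssl rsa  -noout -modulus -in "$WORK/$DOMAIN.key")
    r=$(openssl req  -noout -modulus -in "$WORK/$DOMAIN.csr")
    c=$(openssl x509 -noout -modulus -in "$WORK/$DOMAIN.crt")
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Check: the certificate's CN is the name we asked for (works with both the
# "CN = x" and "/CN=x" subject formats printed by different OpenSSL versions).
cert_cn() {
    openssl x509 -noout -subject -in "$WORK/$DOMAIN.crt" | sed 's/.*CN *= *//'
}

# Check: the key file's permission bits; expect 600 after make_key.
key_mode() {
    stat -c '%a' "$WORK/$DOMAIN.key" 2>/dev/null || stat -f '%Lp' "$WORK/$DOMAIN.key"
}
```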