Jan 12 2012

… using the genkey utility if your system has it, or the do-it-yourself generic way.


genkey is a dialog(1) (interactive) script that generates SSL certificates:

Notice the default of 30 days. It won’t overwrite any existing keys; it produces an error and exits, so you need to delete or move them by hand.

  1. Next
  2. select key strength (1024) -> Next
  3. wait
  4. faceroll the keyboard while performing the sacrifice of a random bit for better entropy
  5. No (unless Yes, but No)
  6. type in your company’s data, make sure ‘common name’ is the fully qualified domain name for the server you intend to use this on
  7. do NOT encrypt the private key with a passphrase. If you do encrypt it you’ll have to type in the password every time you start Apache. People don’t usually want that.
  8. keep a moment of silence for the random bit you had to lose in the name of privacy and security. unless it’s a pink bit. damn racist

The certificate is generated; now get it into Apache.

The generic way

  1. Generate the private key
    1024-bit, triple-DES encrypted. You have to enter a passphrase; it gets removed in the next step, but do remember it.
  2. Remove the passphrase
  3. Generate a certificate signing request
    This request gets sent to a signing authority, like VeriSign, or you can sign it yourself. VeriSign-like people are supposed to check that you are indeed who you say you are and sign the certificate so that other people can verify they are not talking to someone else. This provides both communication encryption and identity verification. With a self-signed certificate all you really get is communication encryption, but that’s good enough for most.
  4. Sign the certificate
    Obviously, you don’t need to do this if VeriSign-like is going to. But you still can, and use this certificate while VeriSign-like is signing the real one. The -days parameter says how long you want the certificate to be valid.

All good, now get it into Apache. Oh, and make damn sure no one but root can read the private key files.

Resigning a certificate

Just in case it’s not clear: when a certificate expires you don’t need to regenerate the key (although it might be a good idea for a self-signed cert); just make a new signing request and sign that one again. In the case of a CentOS 5 server:

Apache mod_ssl config

These lines need to be present in the host’s httpd conf and point to the right files, obviously. In case of resigning, especially if there are multiple vhosts on the server, check where the original key and certificate files are.
