Caution
This page was last updated a long time ago. The information here may be outdated and may lead to misconfiguration.
Some of the links and references may be broken or lead to non-existing pages.
Please use these docs carefully. Most of the information here is now only for reference or example!
Create Self Signed Certificate
Easiest Way
You can create a self-signed certificate for your web server with just one command:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mysitename.key -out mysitename.crt
References:
- https://www.sslshopper.com/article-how-to-create-and-install-an-apache-self-signed-certificate.html
- https://httpd.apache.org/docs/2.4/ssl/ssl_faq.html
With CSR (Certificate Signing Request) - DES3
Honestly, there is no real difference between this and the previous method if you use a self-signed certificate. But if you create a CSR you can send it to a Certificate Authority (CA) to be signed. This method is also useful when you want to use the same key with different certs.
- Generate a private key
openssl genrsa -des3 -out example.key 2048
I recommend creating a key of at least 2048 bits.
- Generate a CSR
openssl req -new -key example.key -out example.csr
Output:
openssl req -new -key example.key -out example.csr
Enter pass phrase for example.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:HU
State or Province Name (full name) [Some-State]:SomeState
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SomeState's Company
Organizational Unit Name (eg, section) []:Technology
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:no-spam@realmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345678
An optional company name []:
At this point you can send your CSR file to a CA if you need a "real", trusted cert.
- Remove the passphrase from the key
If you skip this step, Apache will ask for the passphrase at each startup.
cp example.key example.key.org
openssl rsa -in example.key.org -out example.key
- Generate the self-signed certificate
openssl x509 -req -days 365 -in example.csr -signkey example.key -out example.crt
Now you have some new files:
ls -lrt
total 12
-rw-r--r-- 1 janos.vincze bio 761 Aug 15 12:53 example.csr
-rw-r--r-- 1 janos.vincze bio 963 Aug 15 12:59 example.key.org
-rw-r--r-- 1 janos.vincze bio 887 Aug 15 12:59 example.key
-rw-r--r-- 1 janos.vincze bio 1001 Aug 15 13:03 example.crt
You need the .key and .crt files to configure Apache.
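Both methods above, run non-interactively and followed by the checks worth running on the result, as an added example (this is not code from the original page; the DN, the passphrase, the file names and the minimal req config are constructed for it, and that config also adds a subjectAltName, which the page's commands do not set and which browsers match the host name against instead of the CN):

```shell
#!/bin/sh
# Added example, not from the original page: non-interactive versions of the
# one-command method and the CSR method above, plus the checks to run on the
# result. Needs the openssl CLI; the DN, passphrase and file names are
# constructed for this example.
set -eu

# Subject for every certificate below (constructed values).
SUBJ='/C=HU/ST=SomeState/L=City/O=Example Ltd/OU=Technology/CN=example.com'

# Minimal req config. The page's commands rely on the system openssl.cnf and
# set no subjectAltName; browsers match the host name against subjectAltName,
# not CN, so the v3_self section adds one.
write_req_conf() {   # $1 = output file
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_self]
basicConstraints = CA:FALSE
subjectAltName = DNS:example.com, DNS:www.example.com
EOF
}

# Method 1: key and self-signed certificate in one command. -subj replaces the
# interactive DN prompts; -nodes leaves the key unencrypted, as on the page.
oneshot_selfsigned() {   # $1 = output prefix
    write_req_conf "$1.cnf"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -sha256 -subj "$SUBJ" \
        -config "$1.cnf" -extensions v3_self -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Method 2: DES3-protected key -> CSR -> passphrase stripped -> self-signed.
# -passout/-passin supply the passphrase so nothing prompts.
csr_selfsigned() {       # $1 = output prefix, $2 = key passphrase
    write_req_conf "$1.cnf"
    openssl genrsa -des3 -passout "pass:$2" -out "$1.key.org" 2048 2>/dev/null
    openssl req -new -key "$1.key.org" -passin "pass:$2" -subj "$SUBJ" \
        -config "$1.cnf" -out "$1.csr"
    # Same as 'cp' + 'openssl rsa' on the page: unencrypted copy for Apache.
    openssl rsa -in "$1.key.org" -passin "pass:$2" -out "$1.key" 2>/dev/null
    # x509 -req does not copy CSR extensions, so the SAN is given via -extfile.
    openssl x509 -req -days 365 -sha256 -in "$1.csr" -signkey "$1.key" \
        -extfile "$1.cnf" -extensions v3_self -out "$1.crt" 2>/dev/null
}

# Check 1: does the (unencrypted) private key belong to the certificate?
# Compare the public key each one carries; a mismatch is what Apache reports
# as "key values mismatch" at startup.
key_matches_cert() {     # $1 = key file, $2 = cert file; exit 0 if they match
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Check 2: is the key still passphrase-protected? Apache would prompt for it.
key_is_encrypted() {     # $1 = key file; exit 0 if encrypted
    grep -q ENCRYPTED "$1"
}

# Check 3: does the certificate verify against itself, i.e. is it a usable
# self-signed certificate?
is_self_signed() {       # $1 = cert file
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Check 4: does the certificate name a given host in its subjectAltName?
has_san() {              # $1 = cert file, $2 = DNS name
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Runs both methods in a scratch directory and prints its path on stdout;
# everything the openssl commands print goes to stderr.
demo() {
    workdir=$(mktemp -d)
    cd "$workdir"
    {
        oneshot_selfsigned mysitename
        csr_selfsigned example 'temporary-passphrase'
        key_matches_cert mysitename.key mysitename.crt
        key_matches_cert example.key example.crt
        key_is_encrypted example.key.org
        is_self_signed example.crt
        has_san example.crt www.example.com
    } 1>&2
    echo "$workdir"
}

demo
```

Run it with sh; it prints the scratch directory holding the files. The check functions take file paths, so they can also be pointed at an existing key and certificate pair before it is installed in Apache.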
With a root CA key
I don't know whether anybody wants to use a root CA key for their own web page(s), but I can imagine one scenario where it is useful. Inside an organization you can create a root CA key, sign all your certificates with it, and then import the CA into all clients. For example, you have many web servers inside your intranet and sign all their certificates with your own CA. Clients inside your network will then treat these web pages as "trusted" if the root CA public key is imported into the browser or into the system. I will show you how to install the root CA cert into Firefox and Internet Explorer, but first we need to follow these steps to create the necessary files.
- Generate the root CA
openssl genrsa -des3 -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem -config rootCA.conf
As you can see, we are using a configuration file: rootCA.conf
So first you need to create something like this:
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
countryName = HU
countryName_default = HU
stateOrProvinceName = Budapest
stateOrProvinceName_default = Budapest
localityName = Budapest
localityName_default = Budapest
organizationalUnitName = Technology
organizationalUnitName_default = Technology
commonName = VinczeJanosRootCA
commonName_default = VinczeJanosRootCA
organizationName = Some Ltd
organizationName_default = Some Ltd.
E=jvincze84@gmail.com
commonName_max = 64
- Generate the web server key(s)
openssl genrsa -out server1.key 2048
You should generate one key per site.
- Generate a CSR for the key
This step is very similar to the one described previously. Generate the CSR:
openssl req -sha256 -new -out server1.csr -key server1.key -config config.cnf
- Back up the original server key:
cp server1.key server1.key.org
- Remove the passphrase
openssl rsa -in server1.key.org -out server1.key
You will use this key on the server.
NOTE: You can see another config file: config.cnf
This is necessary for the server key/crt. Please note that you can use alt_names in the configuration file. This is very useful if you have multiple domain names for one server or virtual host. For example, you have two domain names, www.server.com and login.server.com, and these names are associated with one Apache virtual host: www.server.com -> ServerName and login.server.com -> ServerAlias.
Example config file:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = HU
countryName_default = HU
stateOrProvinceName = Budapest
stateOrProvinceName_default = Budapest
localityName = Budapest
localityName_default = Budapest
organizationalUnitName = Technology
organizationalUnitName_default = Technology
commonName = server1.company.com
commonName_default = server1.company.com
organizationName = Company Ltd.
organizationName_default = Company Ltd.
E=boss@company.com
commonName_max = 64
[ v3_req ]
# Extensions to add to a certificate request
subjectAltName = @alt_names
[alt_names]
DNS.1 = server1.company.com
DNS.2 = server2.company.com
- Sign your CSR with the root CA key
openssl x509 -req -in server1.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server1.crt -days 3650 -extensions v3_req -extfile config.cnf
This command creates server1.crt, which is to be used on the Apache web server.
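The root-CA procedure above (generate the CA, generate a server key and CSR with alt_names, sign the CSR with the CA), carried through non-interactively and followed by the verification a client that trusts rootCA.pem performs, as an added example that is not the page's own code. All names, DNs and file names are constructed; unlike the page's rootCA.conf, the CA config sets basicConstraints CA:TRUE (without it OpenSSL and Firefox/NSS refuse to treat a v3 certificate as an issuer), and the CA key is left unencrypted so the script runs unattended.

```shell
#!/bin/sh
# Added example, not from the original page: a private root CA and a server
# certificate with subjectAltName names, built non-interactively, followed by
# the checks a client that trusts rootCA.pem would apply. Needs the openssl
# CLI; names, DNs and file names are constructed for this example.
set -eu

# Root CA config. The page's rootCA.conf sets no extensions; without
# basicConstraints CA:TRUE OpenSSL and Firefox/NSS will not accept a v3
# certificate as an issuer, so that is added here.
write_ca_conf() {        # $1 = output file
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Server config with an [alt_names] section generated from the arguments,
# like config.cnf on the page plus the usual end-entity extensions.
write_server_conf() {    # $1 = output file, $2... = DNS names for the SAN
    out=$1; shift
    {
        printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\n[dn]\n'
        printf '[v3_req]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\n'
        printf 'subjectAltName = @alt_names\n[alt_names]\n'
        i=1
        for name in "$@"; do printf 'DNS.%s = %s\n' "$i" "$name"; i=$((i + 1)); done
    } > "$out"
}

# Creates $1.key and the self-signed CA certificate $1.pem. The page protects
# rootCA.key with a DES3 passphrase; it is left unencrypted here so the script
# runs unattended.
make_root_ca() {         # $1 = CA file prefix
    write_ca_conf "$1.cnf"
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$1.key" -sha256 -days 1024 \
        -subj '/C=HU/O=Example Ltd/CN=ExampleRootCA' \
        -config "$1.cnf" -extensions v3_ca -out "$1.pem"
}

# Key, CSR and CA-signed certificate for one server; the CN is the first name.
# x509 -req does not copy the CSR's extensions, hence -extfile/-extensions,
# exactly as the page's signing command does.
issue_server_cert() {    # $1 = CA prefix, $2 = server prefix, $3... = DNS names
    ca=$1; srv=$2; shift 2
    write_server_conf "$srv.cnf" "$@"
    openssl genrsa -out "$srv.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$srv.key" -subj "/C=HU/O=Example Ltd/CN=$1" \
        -config "$srv.cnf" -out "$srv.csr"
    openssl x509 -req -in "$srv.csr" -CA "$ca.pem" -CAkey "$ca.key" -CAcreateserial \
        -sha256 -days 825 -extfile "$srv.cnf" -extensions v3_req -out "$srv.crt"
}

# The decisive check: does the certificate chain to the CA *and* match the host
# name a client will connect with? -verify_hostname applies the same SAN match
# a browser does.
verify_for_host() {      # $1 = CA cert, $2 = server cert, $3 = host name
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Is the certificate flagged as a CA? (True for the root, false for the server.)
is_ca_cert() {           # $1 = cert file
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Builds everything in a scratch directory and prints its path on stdout;
# everything the openssl commands print goes to stderr.
demo() {
    workdir=$(mktemp -d)
    cd "$workdir"
    {
        make_root_ca rootCA
        issue_server_cert rootCA server1 server1.company.com server2.company.com
        verify_for_host rootCA.pem server1.crt server1.company.com
        verify_for_host rootCA.pem server1.crt server2.company.com
    } 1>&2
    echo "$workdir"
}

demo
```

openssl verify with -verify_hostname is the closest command-line equivalent to what a browser does once rootCA.pem is imported: a name that is not in the SAN list (login.company.com, say) is refused even though the chain itself is valid, which is exactly the situation the alt_names section exists to avoid.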
OK, now we have the .key and .crt files. Check the cert:
openssl x509 -in server1.crt -text -noout
Output:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            87:8b:67:2d:2d:60:2c:48
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=HU, ST=Budapest, L=Budapest, OU=Technology, CN=VinczeJanosRootCA, O=Some Ltd.
        Validity
            Not Before: Aug 16 09:59:59 2016 GMT
            Not After : Aug 14 09:59:59 2026 GMT
        Subject: C=HU, ST=Budapest, L=Budapest, OU=Technology, CN=server1.company.com, O=Company Ltd.
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9c:ed:ec:7d:b4:bf:4e:ff:3a:ab:ef:d5:a3:fd:
                    a1:a7:96:d0:30:c5:69:f7:a7:6c:91:ef:78:7f:03:
                    e9:48:f3:11:45:12:39:f6:4e:ed:79:60:df:f0:6b:
                    9a:59:16:7a:22:31:34:c7:10:df:a0:ca:c6:fb:6a:
                    ee:77:a3:6d:89:d2:b3:db:7f:f2:f9:d0:b5:5b:f2:
                    ed:0c:8e:03:85:5d:75:8a:de:29:dd:cd:d6:a8:7b:
                    8f:2c:5b:77:95:19:b9:da:42:d0:15:d5:c5:20:08:
                    61:83:2a:18:78:c9:1a:7c:55:df:25:ff:6a:69:53:
                    09:1a:22:a0:b6:98:63:09:ef:a9:3f:54:56:4d:78:
                    ea:2f:d7:cd:e8:58:8e:08:64:45:59:a5:c4:93:d7:
                    ac:b5:99:1d:5c:7a:3b:6b:85:c7:cb:33:8c:e4:b0:
                    bf:80:f1:cd:d7:68:70:dc:a0:ba:bd:fd:02:d3:36:
                    3d:11:c9:f9:71:c8:dd:2f:3f:b5:5d:8a:66:2e:34:
                    33:32:44:b3:49:78:5b:13:f9:8f:6f:42:d1:1f:f5:
                    bb:4d:6f:b1:81:42:c2:93:3c:f2:81:5d:1d:1d:19:
                    a4:40:e2:d1:2c:a5:2e:6d:fa:ad:ff:31:c3:65:58:
                    e3:ba:50:10:80:3e:53:86:ce:0e:43:df:cd:77:dd:
                    f9:f3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:server1.company.com, DNS:server2.company.com
    Signature Algorithm: sha256WithRSAEncryption
         af:80:32:53:42:9c:8f:9e:4f:4b:e5:05:cc:41:5b:2f:c8:68:
         1d:eb:d8:8c:07:56:d3:ba:77:d4:f9:89:7e:ea:28:57:58:59:
         9e:df:bd:84:eb:2a:48:06:8e:44:c6:35:52:79:4e:c7:c7:0d:
         2d:4c:08:aa:5a:95:2a:10:65:7b:56:59:26:bb:fc:4e:5b:6c:
         73:08:18:d0:2b:59:a2:90:78:7c:2f:1d:d7:41:4e:87:59:71:
         78:87:59:8f:f9:67:33:ae:d6:77:f0:70:00:38:e5:e8:41:67:
         a1:b5:1d:33:ff:8a:89:97:99:cd:6c:b2:77:01:57:03:35:a5:
         25:0d:4b:19:dd:d3:ed:98:66:0a:c2:94:17:42:68:6f:2a:19:
         e1:cb:d3:2e:e7:e5:3a:8b:6e:3d:86:51:e9:29:56:9e:7e:b0:
         34:96:78:bf:60:8b:db:07:2a:3e:a3:2f:44:2a:70:8f:16:b2:
         c8:97:31:a0:ea:53:87:48:9d:6d:e3:20:33:c3:68:2a:40:37:
         06:cb:fe:4c:01:6f:a2:6a:f1:43:0f:ed:1c:84:4e:a7:4d:a7:
         7d:44:21:56:46:94:2f:75:6d:cf:be:1b:46:cd:5c:ef:e6:f6:
         6e:9a:53:b5:96:9a:a7:08:73:31:14:27:57:e3:66:63:cd:82:
         3a:f3:e0:3c
Minimal Apache (1.4) configuration
Now we can create an Apache self-signed certificate with 3 different methods, but as a result we have to have one .crt and one .key file.
This VirtualHost example redirects all HTTP requests to HTTPS and works as a transparent proxy:
<VirtualHost *:80>
    ServerName http://pve.server.com
    # Send every plain-HTTP request to the HTTPS virtual host below
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    # Proxy to an HTTPS backend. The four "off"/"none" directives disable
    # verification of the backend's certificate (chain, name and expiry), so
    # Apache accepts whatever certificate 10.30.16.100:8006 presents.
    SSLProxyEngine on
    SSLProxyCheckPeerCN off
    SSLProxyVerify none
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    SSLProxyProtocol all
    ServerName https://pve.server.com
    # The certificate created above and its passphrase-free key
    SSLEngine on
    SSLCertificateFile /etc/apache2/cert/pve.crt
    SSLCertificateKeyFile /etc/apache2/cert/pve.key
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride all
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/pve-error.log
    CustomLog ${APACHE_LOG_DIR}/pve-access.log combined
    # Reverse proxy only (no forward proxying); keep the client's Host header
    ProxyRequests off
    ProxyPreserveHost on
    ProxyPass / https://10.30.16.100:8006/
    ProxyPassReverse / https://10.30.16.100:8006/
</VirtualHost>
Import your root CA certificate into Firefox
If you don't want to get a "self-signed certificate" warning in Firefox, you can import your root CA public key into Firefox in a few easy steps.
- Go to about:preferences, Advanced, Certificates, and click View Certificates.
- In the pop-up window choose Authorities and click Import.
- Import your rootCA.pem file.
The next time you visit your website, Firefox will trust its certificate.