SSL Certificates - Quick & Dirty

[pigpen]

The Quick & Dirty Way to a Self-Signed Server Certificate

Quote:

# Remove old key & certificate
rm /etc/httpd/conf/ssl.key/server.key
rm /etc/httpd/conf/ssl.crt/server.crt

# Generate new key with an EMPTY PASSPHRASE!
# Use "cd /usr/share/ssl/certs; make genkey"
# instead if you really need a passphrase
/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key

# Set appropriate permissions
chmod go-rwx /etc/httpd/conf/ssl.key/server.key

# Now create the new certificate
cd /usr/share/ssl/certs
make testcert

# And restart Apache
/sbin/service httpd restart

I always forget this, so I thought I'll post it as a How-To.

NOTICE: This works on Fedora Core 3. Don't use this on FC4!

[Artemis]

This is interesting, I just did a search on the internet about this subject. But it wasn't all clear to me, maybe this will help. Thanx mate!!!

[breun]

Excellent! Thanks.

[alphonsebrown]

you don't mention how to create server.crt since I can't find sign.sh coming with mod_ssl I'm stuck to that part... about self-signign

[breun]

make testcert should create the certificate for you.

[alphonsebrown]

cd /usr/share/ssl/certs - unfortunately I don't have that folder, btw: can someone provide that sign.sh which is supposed to come with mod_ssl pls if so attach it to the forum,

I really would like to complete in that way as a start then I'll test this "testcert"

Quote:

# Prepare a script for signing which is needed because the ``openssl ca'' command has some strange requirements and the default OpenSSL config doesn't allow one easily to use ``openssl ca'' directly. So a script named sign.sh is distributed with the mod_ssl distribution (subdir pkg.contrib/). Use this script for signing.

# Now you can use this CA to sign server CSR's in order to create real SSL Certificates for use inside an Apache webserver (assuming you already have a server.csr at hand):

$ ./sign.sh server.csr

This signs the server CSR and results in a server.crt file.

source: http://www.modssl.org/docs/2.8/ssl_faq.html#ToC28

[breun]

The method described above isn't compatible with the FAQ entry you quote. Don't try to mix them.

Also, on FC4 the directories for things like these have changed. See http://fedora.redhat.com/docs/releas...4/#sn-security

[alphonsebrown]

this make genkey is not working under /etc/pki....

[alphonsebrown]

what about that method:
openssl req \
-new \
-x509 \
-days 30 \
-keyout /usr/local/apache2/conf/ssl.key/server.key \
-out /usr/local/apache2/conf/ssl.crt/server.crt \
-subj '/CN=Test-Only Certificate'

[jason_worthen]

maybe i dont understand the logic, but isnt it much easier to simply use genkey?

my params were:

genkey --days 365 sub.domain.com

[alphonsebrown]

I don't know why I don't have genkey ? also why should I set it for 1 year? since it's self-signed how could it be timeless or it must have a period set?

[alphonsebrown]

could someone comment why is that happening? I get the first two when browsing my web

[ivago]

Hi,

I tried the above howto on a test server and it works, but now I also would like to get a 'real' certificate.. is there a howto on making a CSF (Certificate Signing Request) with FC3/4

[sentry]

In case your wondering the genkey tool is installed as part of the crypto-utils package. genkey is far and away the easiest way to get yourself a SSL cert.

yum install crypto-utils

It walks you through everything you need to do to get a key.

[mnisay]

i wonder why

make testcert

does not work anymore under FC1, FC5 and FC6, anyone???

but works with with FC4 .