SSL Certificates - Quick & Dirty



pigpen
21st January 2005, 04:53 PM
The Quick & Dirty Way to a Self-Signed Server Certificate


# Remove old key & certificate
rm /etc/httpd/conf/ssl.key/server.key
rm /etc/httpd/conf/ssl.crt/server.crt

# Generate new key with an EMPTY PASSPHRASE!
# Use "cd /usr/share/ssl/certs; make genkey"
# instead if you really need a passphrase
/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key

# Set appropriate permissions
chmod go-rwx /etc/httpd/conf/ssl.key/server.key

# Now create the new certificate
cd /usr/share/ssl/certs
make testcert

# And restart Apache
/sbin/service httpd restart

I always forget this, so I thought I'd post it as a How-To.

NOTICE: This works on Fedora Core 3. Don't use this on FC4!
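The same self-signed flow with current openssl options, as an added example (this is not the original poster's script and not anything shipped with Fedora or mod_ssl), followed by the checks worth running before restarting httpd. The directory, CN and validity period are constructed placeholders, and the functions are meant to be pointed at a scratch directory first rather than /etc/httpd:

```shell
# Added example, not from the original post: self-signed key + certificate
# with current OpenSSL defaults, plus the sanity checks a server admin wants
# before restarting Apache. Directory, CN and day count are placeholders.

# make_selfsigned DIR CN DAYS
# Writes DIR/server.key (no passphrase, mode 600) and DIR/server.crt.
make_selfsigned() {
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir"
    # One command replaces the post's "genrsa" + "make testcert" pair.
    # rsa:2048 instead of 1024, which is below current minimums; -nodes
    # leaves the key unencrypted, the same trade-off the post makes so
    # httpd can restart unattended (so the file mode is what protects it).
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -days "$days" -subj "/CN=$cn" 2>/dev/null || return 1
    chmod 600 "$dir/server.key"   # same intent as the post's chmod go-rwx
}

# cert_cn CRT: print the subject CN in a form stable across OpenSSL versions
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//; s/^CN=//'
}

# key_matches_cert KEY CRT: succeed only if the public key embedded in the
# certificate is the one derived from KEY. This catches a stale server.crt
# left behind after the key was regenerated, which Apache reports at
# startup as a key/certificate mismatch.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_mode FILE: print the permission bits (GNU stat, falling back to BSD stat)
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# cert_still_valid_in CRT SECONDS: succeed if the certificate will still be
# valid SECONDS from now (openssl exits non-zero if it expires inside the
# window), which answers the "how long should -days be" question in the thread
cert_still_valid_in() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}
```

Usage is `make_selfsigned /tmp/ssltest test.example 30` and then `key_matches_cert /tmp/ssltest/server.key /tmp/ssltest/server.crt` before copying the pair into place; `cert_still_valid_in server.crt 604800` is the check to schedule so a short-lived test certificate does not expire unnoticed.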

Artemis
21st January 2005, 06:03 PM
This is interesting, I just did a search on the internet about this subject. But it wasn't all clear to me, maybe this will help. Thanx mate!!!

breun
23rd February 2005, 12:44 AM
Excellent! Thanks.

alphonsebrown
25th June 2005, 10:57 AM
You don't mention how to create server.crt. Since I can't find sign.sh coming with mod_ssl, I'm stuck at that part... about self-signing.

breun
25th June 2005, 01:19 PM
make testcert should create the certificate for you.

alphonsebrown
25th June 2005, 01:47 PM
cd /usr/share/ssl/certs - unfortunately I don't have that folder. Btw: can someone provide that sign.sh which is supposed to come with mod_ssl? If so, please attach it to the forum.

I really would like to complete it that way as a start, then I'll test this "testcert".


# Prepare a script for signing which is needed because the ``openssl ca'' command has some strange requirements and the default OpenSSL config doesn't allow one easily to use ``openssl ca'' directly. So a script named sign.sh is distributed with the mod_ssl distribution (subdir pkg.contrib/). Use this script for signing.

# Now you can use this CA to sign server CSR's in order to create real SSL Certificates for use inside an Apache webserver (assuming you already have a server.csr at hand):

$ ./sign.sh server.csr

This signs the server CSR and results in a server.crt file.
source: http://www.modssl.org/docs/2.8/ssl_faq.html#ToC28

breun
25th June 2005, 02:14 PM
The method described above isn't compatible with the FAQ entry you quote. Don't try to mix them.

Also, on FC4 the directories for things like these have changed. See http://fedora.redhat.com/docs/release-notes/fc4/#sn-security

alphonsebrown
25th June 2005, 03:00 PM
This make genkey is not working under /etc/pki....

alphonsebrown
25th June 2005, 03:17 PM
What about this method:
openssl req \
-new \
-x509 \
-days 30 \
-keyout /usr/local/apache2/conf/ssl.key/server.key \
-out /usr/local/apache2/conf/ssl.crt/server.crt \
-subj '/CN=Test-Only Certificate'

jason_worthen
25th June 2005, 11:07 PM
Maybe I don't understand the logic, but isn't it much easier to simply use genkey?

my params were:

genkey --days 365 sub.domain.com

alphonsebrown
26th June 2005, 11:12 AM
I don't know why I don't have genkey. Also, why should I set it for 1 year? Since it's self-signed, could it be timeless, or must it have a period set?

alphonsebrown
27th June 2005, 08:24 PM
Could someone comment on why that is happening? I get the first two when browsing my web.

ivago
1st September 2005, 09:59 AM
Hi,

I tried the above howto on a test server and it works, but now I also would like to get a 'real' certificate. Is there a howto on making a CSR (Certificate Signing Request) with FC3/4?
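As an added example (not from the thread, and not the sign.sh script the mod_ssl FAQ refers to), here is the CSR side of the process: a throwaway local CA that signs a request the way sign.sh did, and the CSR itself, which is the only thing a commercial CA needs from you. It also shows the check that separates a "real" certificate from the self-signed one the howto produces. Directory names, CNs and validity periods are constructed placeholders:

```shell
# Added example, not from the original thread: create a CSR, sign it with a
# local lab CA, and verify the result chains to that CA. Names and day
# counts are placeholders.

# make_ca DIR: create DIR/ca.key and a self-signed DIR/ca.crt (the CA root)
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
        -keyout "$1/ca.key" -out "$1/ca.crt" -days 365 \
        -subj '/CN=Lab Test CA' 2>/dev/null
}

# make_csr DIR CN: create DIR/server.key and DIR/server.csr. The private key
# never leaves this host; only the .csr is handed to whichever CA signs it.
make_csr() {
    mkdir -p "$1"
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -keyout "$1/server.key" -out "$1/server.csr" \
        -subj "/CN=$2" 2>/dev/null
}

# csr_verify CSR: succeed if the request's self-signature checks out, so a
# corrupted or tampered request is rejected before anyone signs it
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_cn CSR: print the subject CN the request asks for
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//; s/^CN=//'
}

# sign_csr CADIR CSR OUT DAYS: issue OUT from CSR under the CA in CADIR.
# -CAcreateserial keeps a serial counter next to ca.crt so issued
# certificates get distinct serial numbers.
sign_csr() {
    openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days "$4" -out "$3" 2>/dev/null
}

# issuer_cn CRT: print the issuer CN, i.e. who actually signed it
issuer_cn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 \
        | sed 's/^issuer= *//; s/^CN=//'
}

# verify_chain CAFILE CRT: succeed only if CRT chains to the CA in CAFILE.
# A self-signed server certificate (what the howto produces) fails this,
# which is exactly why browsers warn about it.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

For a commercial certificate only `make_csr` applies: send server.csr to the CA, keep server.key, and run `verify_chain` with the CA's published root against whatever comes back.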

sentry
19th January 2006, 08:55 PM
In case you're wondering, the genkey tool is installed as part of the crypto-utils package. genkey is far and away the easiest way to get yourself an SSL cert.

yum install crypto-utils

It walks you through everything you need to do to get a key.

mnisay
18th January 2007, 09:41 AM
I wonder why

make testcert

does not work anymore under FC1, FC5 and FC6, anyone???

But it works with FC4.

breun
18th January 2007, 09:59 AM
Things have changed. Did you try using genkey like sentry suggests? That's really the easiest way to create a certificate now.