-=- HOWTO HTTPS -=-
=====================================

- How to make your certificate by Christophe Lucas -

1. MAKE A SELF-SIGNED CA CERTIFICATE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Create an RSA private key for your CA (it will be Triple-DES encrypted and PEM formatted):

  $ openssl genrsa -des3 -out ca.key 1024

Create a self-signed CA certificate (X509 structure) with the RSA key of the CA (output will be PEM formatted):

  $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

You can see the details of this certificate via the command:

  $ openssl x509 -noout -text -in ca.crt

Here you must use a CN (Common Name) that is different from the FQDN of the web server.

2. MAKE THE SERVER CERTIFICATE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Create an RSA private key for your Apache server (it will be Triple-DES encrypted and PEM formatted):

  $ openssl genrsa -des3 -out server.key 1024

Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):

  $ openssl req -new -key server.key -out server.csr

Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", i.e. when you generate a CSR for a website which will later be accessed via https://www.foo.dom/, enter "www.foo.dom" here.

You can see the details of this CSR via the command:

  $ openssl req -noout -text -in server.csr

Afterwards, copy ca.crt into /etc/ssl/cert/ and ca.key into /etc/ssl/private/, and make sure the CA key is readable only by root:

  $ chmod 400 /etc/ssl/private/ca.key

3. SIGN THE SERVER CSR WITH OUR OWN CA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To sign your web server's CSR with our self-generated CA:

  $ cd /etc/ssl
  $ sign-certificate.sh /where/csr/is/server.csr

sign-certificate.sh can be downloaded from http://extranet.mcom.fr/stuff/sign-certificate.sh

4. MAKE HTTPD START WITHOUT A PASSPHRASE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Then put our CRT, CSR and KEY in the ssl directories of the Apache conf dir.
  $ cp server.crt /etc/apache/ssl.crt/
  $ cp server.csr /etc/apache/ssl.csr/
  $ cp server.key /etc/apache/ssl.key/

The directives

  SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

must be defined in your Apache configuration.

Now you should be able to launch your httpd with the SSL extension, but ... every time your server is powered on, httpd will ask you for the server key's passphrase. So we can remove it from the key with:

  $ cd /etc/apache/ssl.key/
  $ cp server.key server.key.org
  $ openssl rsa -in server.key.org -out server.key

Make sure the server.key file is now only readable by root:

  $ chmod 400 server.key

5. That's all folks
~~~~~~~~~~~~~~~~~~~

Yeah, now you can do:

  $ apachectl stop
  $ apachectl startssl
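The whole procedure from steps 1 to 4, run non-interactively and checked at the end, as an added example that is not part of the original HOWTO and does not reproduce sign-certificate.sh (the signing step uses plain `openssl x509 -req`, which is assumed to be what that script does). It assumes the openssl command line tool, uses 2048-bit keys and a constructed passphrase, and works in a directory you pass in instead of /etc/ssl.

```shell
# Added example (not the HOWTO's sign-certificate.sh): run the whole
# procedure non-interactively in DIR, then check the result. The passphrase
# "constructed-demo-pass" is a constructed sample value, not a real secret.
set -e

# make_and_sign DIR FQDN : CA key + self-signed CA cert, server key + CSR,
# CSR signed by the CA, passphrase stripped from the server key (step 4).
make_and_sign() {
    dir="$1"; fqdn="$2"
    mkdir -p "$dir"
    # Step 1: CA key and self-signed CA certificate. The CA's CN is
    # deliberately different from the server FQDN.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example Private CA" 2>/dev/null
    # Step 2: Triple-DES encrypted server key and a CSR whose CN is the FQDN.
    openssl genrsa -des3 -passout pass:constructed-demo-pass \
        -out "$dir/server.key.org" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key.org" -passin pass:constructed-demo-pass \
        -out "$dir/server.csr" -subj "/CN=$fqdn" 2>/dev/null
    # Step 3: sign the CSR with our own CA (assumed to be what the HOWTO's
    # sign-certificate.sh does; -CAcreateserial writes ca.srl next to ca.crt).
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" 2>/dev/null
    # Step 4: remove the passphrase so httpd can start unattended, then lock
    # the key files down to the owner only.
    openssl rsa -in "$dir/server.key.org" -passin pass:constructed-demo-pass \
        -out "$dir/server.key" 2>/dev/null
    chmod 400 "$dir/ca.key" "$dir/server.key.org" "$dir/server.key"
}

# verify_chain DIR : succeeds only if server.crt was really signed by ca.crt
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# cert_cn DIR : print the CommonName of server.crt (compared with the URL host)
cert_cn() {
    openssl x509 -noout -subject -in "$1/server.crt" -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_matches_cert DIR : the decrypted server.key must carry the same RSA
# modulus as server.crt, otherwise Apache will refuse the pair
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1/server.key" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$1/server.crt" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Run it as `make_and_sign /tmp/demo www.foo.dom && verify_chain /tmp/demo && cert_cn /tmp/demo`; the three check functions are the ones worth keeping around to sanity-check any certificate before copying it into the Apache directories.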