NOTA BENE - WORK IN PROGRESS - Your Inputs & Thoughts
Creating a Simple Apache Certificate
by DanielBlack
First of all, go to the mod_ssl documentation for basic mod_ssl configuration. I will not go into mod_ssl here; I only try to show one way to obtain and install a CAcert certificate.
If you just want a certificate for a single-site Apache server this is probably the simplest way to get a CAcert-signed certificate. For the more complicated cases (several virtual hosts, several names) please have a look at ApacheServer and VhostsApache.
- These instructions should work with Apache 2.x on Unixes and Windows. Probably also on other systems.
Once Apache is running with mod_ssl you'll have to register the domain component of your webserver (that is "example.org" for the server "www.example.org") with your CAcert account. To do this go to CAcert homepage, log in, click "Domains -> Add" and follow the instructions there. If your Domain is shown as "verified" on "Domains -> Show" you can continue and generate a certificate for your server.
Get openssl if it is not already installed on your system. If you can't find it somewhere else you can try the openssl website for a binary version for Windows.
- Generate a certificate signing request (CSR). Either in one step:
openssl req -newkey rsa:4096 -subj /CN=<your server's address here> -nodes -keyout <filename for your private key> -out <filename for the CSR>
or in two steps:
openssl genrsa -out <filename for your private key> 4096
openssl req -new -key <filename for your private key> -out <filename for the CSR>
- Note that -nodes (and genrsa without -aes256 or similar) writes the private key unencrypted. That is what you normally want for an unattended Apache start (an encrypted key would need SSLPassPhraseDialog or a typed passphrase on every start), but it means the key file itself must be protected: create it with a restrictive umask or chmod 600 it immediately, and never leave a copy in a web-served directory.
- For example
openssl req -newkey rsa:4096 -subj /CN=www.example.org -nodes -keyout example_key.pem -out example_csr.pem
generates a CSR for the server www.example.org in the file example_csr.pem and stores the corresponding private key unencrypted in the file example_key.pem.
- If you use the two-step command (without -subj), openssl asks the questions below interactively; fill them with appropriate answers. The one-step command with -subj skips them.
OpenSSL question | Sample answer | Remarks
Country Name (2 letter code) [DE]: | AU | will be stripped later
State or Province Name (full name) [Some-State]: | NSW, AU | will be stripped later
Locality Name (eg, city) []: | Sydney | will be stripped later
Organization Name (eg, company) [Internet Widgits Pty Ltd]: | @home | will be stripped later
Organizational Unit Name (eg, section) []: | (leave empty) | will be stripped later
Common Name (e.g. server FQDN or YOUR name) []: | testserver3.mydomain.tld | will be extracted and checked later; this must be the full host name of the server
Email Address []: | mycacertaccount.primary.email | will be extracted and checked later
- After "Please enter the following 'extra' attributes to be sent with your certificate request" openssl also asks for "A challenge password []:" and "An optional company name []:". Leave both empty; the CSR does not need them.
Go to CAcert, log in, and select "Server certificates -> New". If a Class 3 certificate is available for you I'd advise you to select a Class 3 certificate.
- Use Copy/Paste to input your CSR (the content of example_csr.pem in the above example) into the big editor box. Be sure to include the header line
-----BEGIN CERTIFICATE REQUEST-----
and the footer line
-----END CERTIFICATE REQUEST-----
and check that the request has not been truncated by the paste operation.
Click on "Send" and your certificate will be generated, provided you did not make a mistake. If you did, read the error message, try to understand what it is telling you, and try again without the mistake.
- Use Copy/Paste with your favourite editor to save the certificate to a file (let's call the file example_cert.pem).
- Move the private key and the certificate to a convenient location. Standard Apache installations provide the directories ssl.key for the private key and ssl.crt for the certificate in the configuration directory. The key file should be owned by root and readable only by root (mode 0600); Apache reads it while still running as root, before it drops privileges. If you want to keep the CSR for later reference (though you probably won't need it anymore) there also is a directory named ssl.csr.
If using a Class 3 certificate as proposed you'll need the certificate chain file. The Class 3 certificate is a sub-root signed by the Class 1 root, so the chain file is just the two of them in PEM format concatenated, with the Class 3 sub-root first and the Class 1 root after it (Apache sends the file in that order, and the client needs the issuer of your certificate first). Do it yourself or download it from the attachments.
- Store the certificate chain file in the ssl.crt directory and let's call it CAcert_chain.pem for future reference.
- Now all that remains to be done is to correctly configure Apache's mod_ssl. To use the certificate set the following directives in your SSL configuration:
SSLCertificateFile <Path to your certificate file>/example_cert.pem
SSLCertificateKeyFile <Path to your key file>/example_key.pem
SSLCertificateChainFile <Path to your chain file>/CAcert_chain.pem
- SSLCertificateChainFile is obsolete since Apache 2.4.8: there you can instead append the chain certificates to the file named by SSLCertificateFile, right after the server certificate. Older versions still need the separate directive.
- This is it. Restart (or gracefully reload) your Apache and see if it works!
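The whole procedure above, as an added example that is not code from this page or from CAcert: it generates the key and CSR, runs the checks worth doing before pasting the CSR into the CAcert form, and, because no CAcert signature can be obtained offline, signs the CSR with a two-level CA constructed in the script as a stand-in for the Class 1 root and Class 3 sub-root. It then performs the checks worth doing after the certificate comes back (does it belong to the key, is the chain file in the right order, does the chain verify for the host name) and writes the three Apache directives. It goes slightly beyond the page by putting a subjectAltName into the CSR, which browsers require today. The host name www.example.org, the file names and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the CAcert wiki page: a complete dry run of the
# key -> CSR -> certificate -> chain file -> Apache procedure using only the
# openssl command line. A two-level CA constructed here (root.pem, sub.pem)
# stands in for the CAcert Class 1 root and Class 3 sub-root, because no
# CAcert signature is available offline. Names and paths are assumptions.
set -eu

# Minimal openssl.cnf for "openssl req" with no interactive questions.
req_cnf() {                         # $1 = CN  $2 = req_extensions|x509_extensions  $3 = extension line
    printf '[req]\nprompt = no\ndistinguished_name = dn\n%s = ext\n[dn]\nCN = %s\n[ext]\n%s\n' "$2" "$1" "$3"
}

# Step 1: private key plus CSR. A subjectAltName is included because browsers
# match host names against SAN, not CN. umask runs in a subshell so the key
# file is created mode 0600 without changing the caller's umask.
gen_key_and_csr() {                 # $1 = FQDN  $2 = key file  $3 = CSR file
    req_cnf "$1" req_extensions "subjectAltName = DNS:$1" > "$3.cnf" &&
    (umask 077; openssl req -newkey rsa:4096 -nodes -config "$3.cnf" \
        -keyout "$2" -out "$3" 2>/dev/null)
}

# Step 2: checks to run before pasting the CSR into the CAcert form.
csr_ok() {                          # $1 = CSR file  $2 = expected FQDN
    openssl req -noout -verify -in "$1" >/dev/null 2>&1 &&
    openssl req -noout -text -in "$1" | grep -q "DNS:$2"
}

# Step 3, stand-in for "Server certificates -> New": sign the CSR with the
# constructed sub-root. The file CAcert returns would simply replace this one.
issue_leaf() {                      # $1 = CSR  $2 = output cert  $3 = FQDN
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$3" > "$2.ext" &&
    openssl x509 -req -in "$1" -CA sub.pem -CAkey sub.key -CAcreateserial \
        -extfile "$2.ext" -out "$2" -days 1 2>/dev/null
}

# Step 4: checks to run after the certificate came back.
cert_matches_key() {                # $1 = cert  $2 = key: same public key in both?
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}
chain_order_ok() {                  # $1 = cert  $2 = chain file: its first entry must be the cert's issuer
    issuer=$(openssl x509 -noout -issuer -in "$1" | sed 's/^[^=]*= *//')
    first=$(openssl x509 -noout -subject -in "$2" | sed 's/^[^=]*= *//')   # x509 reads only the first PEM block
    [ "$issuer" = "$first" ]
}
chain_verifies() {                  # $1 = cert  $2 = chain file  $3 = trusted root  $4 = FQDN
    openssl verify -CAfile "$3" -untrusted "$2" -verify_hostname "$4" "$1" >/dev/null 2>&1
}

# Constructed CA: root.pem plays the Class 1 root, sub.pem the Class 3 sub-root.
make_stand_in_ca() {
    req_cnf "Stand-in Class 1 Root" x509_extensions "basicConstraints = critical,CA:TRUE" > root.cnf &&
    openssl req -x509 -newkey rsa:2048 -nodes -config root.cnf -keyout root.key -out root.pem -days 1 2>/dev/null &&
    req_cnf "Stand-in Class 3 Sub-root" req_extensions "basicConstraints = critical,CA:TRUE" > sub.cnf &&
    openssl req -newkey rsa:2048 -nodes -config sub.cnf -keyout sub.key -out sub.csr 2>/dev/null &&
    printf 'basicConstraints = critical,CA:TRUE\n' > sub.ext &&
    openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial -extfile sub.ext -out sub.pem -days 1 2>/dev/null
}

# The whole procedure in one scratch directory; non-zero exit if any check fails.
# The chain file is written issuer first, root last: the page's "Class 3 + Class 1" order.
demo() {                            # $1 = scratch directory  $2 = FQDN
    ( cd "$1" && make_stand_in_ca &&
      gen_key_and_csr "$2" example_key.pem example_csr.pem &&
      csr_ok example_csr.pem "$2" &&
      issue_leaf example_csr.pem example_cert.pem "$2" &&
      cat sub.pem root.pem > CAcert_chain.pem &&
      cert_matches_key example_cert.pem example_key.pem &&
      chain_order_ok example_cert.pem CAcert_chain.pem &&
      chain_verifies example_cert.pem CAcert_chain.pem root.pem "$2" &&
      printf 'SSLCertificateFile      %s/example_cert.pem\nSSLCertificateKeyFile   %s/example_key.pem\nSSLCertificateChainFile %s/CAcert_chain.pem\n' "$1" "$1" "$1" > ssl-snippet.conf )
}

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
WORK=$(mktemp -d)
if demo "$WORK" www.example.org; then
    echo "all checks passed; key, CSR, certificate, chain and Apache snippet are in $WORK"
else
    echo "a check failed; inspect $WORK" >&2; exit 1
fi
```

For a real CAcert certificate, keep gen_key_and_csr and the four check functions and drop the stand-in CA: paste example_csr.pem into the CAcert form, save the returned certificate as example_cert.pem, build CAcert_chain.pem from the real Class 3 and Class 1 certificates (in that order), and pass the Class 1 root as the trusted root to chain_verifies.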
Renewing an existing certificate
To renew the certificate of an existing Apache configuration, renew the certificate through the CAcert web interface, then replace the existing certificate (in this example, <Path to your certificate file>/example_cert.pem) with the new certificate provided and restart or gracefully reload Apache so that it reads the new file. The private key stays the same, so the key file and the chain file need no change; only if you suspect the key has been exposed should you generate a new key and CSR instead.
Linking Certificates under Apache(2)
- Print out the hash value of the certificate (note: the certificate, not the key; hash links are only meaningful for certificates in the trust directory)
cd /etc/ssl/certs
openssl x509 -hash -noout -in cacert-root-2003.pem
- Create a symlink named after the hash plus ".0"
ln -s -v cacert-root-2003.pem 99d0fa06.0
(99d0fa06 is the hash printed in the previous step for this root; root_X0F.crt was renamed to cacert-root-2003.pem beforehand.)
- The hash algorithm changed in OpenSSL 1.0.0: "-hash" now prints the new-style value (the same as "-subject_hash"), while "-subject_hash_old" prints the value older releases expect. Instead of linking by hand you can run c_rehash on the directory, or "openssl rehash" on OpenSSL 1.1.0 and later, which creates the links for every certificate found there.
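The hash-link step above, as an added example that is not code from this page: it creates the link for a CA certificate under both the new-style and the old-style subject hash and then proves that the directory works as an OpenSSL trust store. The root certificate is a self-signed stand-in generated by the script; the directory and file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the CAcert wiki page: create the hash-named
# symlink that lets OpenSSL find a CA certificate in a directory, then prove
# that the directory works as a -CApath trust store. The certificate is a
# self-signed stand-in generated here; directory and file names are assumptions.
set -eu

# Link one CA certificate under its subject hash. On OpenSSL >= 1.0.0 "-hash"
# means the new-style "-subject_hash"; "-subject_hash_old" gives the pre-1.0.0
# value (the form shown on this page). Creating both links keeps old and new
# OpenSSL builds happy. A ".1", ".2" suffix is needed only on a hash collision.
link_ca_cert() {                    # $1 = directory  $2 = PEM file name inside it; prints the new-style link name
    new=$(openssl x509 -noout -subject_hash -in "$1/$2")
    old=$(openssl x509 -noout -subject_hash_old -in "$1/$2")
    ln -sf "$2" "$1/$new.0" && ln -sf "$2" "$1/$old.0" && echo "$new.0"
}

# Can a certificate be verified with that directory as the trust store?
capath_works() {                    # $1 = directory  $2 = certificate to verify
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
CERTDIR=$(mktemp -d)                # stands in for /etc/ssl/certs
printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n[dn]\nCN = Stand-in CAcert Root\n[ext]\nbasicConstraints = critical,CA:TRUE\n' > "$CERTDIR.cnf"
# The key is written outside the certificate directory on purpose.
openssl req -x509 -newkey rsa:2048 -nodes -config "$CERTDIR.cnf" -days 1 \
    -keyout "$CERTDIR.key" -out "$CERTDIR/cacert-root-2003.pem" 2>/dev/null
LINK=$(link_ca_cert "$CERTDIR" cacert-root-2003.pem)
echo "linked cacert-root-2003.pem as $LINK in $CERTDIR"
```

On a real system run link_ca_cert against /etc/ssl/certs as root after copying the CAcert root there; the negative case (a directory without the link) is what you see when "openssl verify -CApath" or a client using that directory reports "unable to get local issuer certificate".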