Generating an SSL certificate for apache mod_ssl
by z3n on Mar.26, 2010, under Coding, Tips & Hints
Problem:
How do you generate an SSL certificate and integrate it with Apache's mod_ssl?
Solution:
You will need OpenSSL.
First step – generate an RSA private key.
Use random files as a seed.
openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out server.key 1024
openssl will ask you for a password; don't forget it, because your key will be useless without it.
— Stolen Text Begins:
One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase each time the web server is started. Obviously this is not necessarily convenient as someone will not always be around to type in the pass-phrase, such as after a reboot or crash. mod_ssl includes the ability to use an external program in place of the built-in pass-phrase dialog, however, this is not necessarily the most secure option either. It is possible to remove the Triple-DES encryption from the key, thereby no longer needing to type in a pass-phrase. If the private key is no longer encrypted, it is critical that this file only be readable by the root user! If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked. With that being said, use the following command to remove the pass-phrase from the key:
openssl rsa -in server.key -out server.pem
— Stolen text ends.
Now you need to generate a CSR that will be sent to the Certificate Authority, which will verify it and issue a signed certificate. You will have to fill in lots of fields; make sure you write them down, since the CA sometimes asks for the info to check that it matches.
openssl req -new -key server.key -out server.csr
Generating a Self-Signed Certificate
Now that you have your CSR you may want to test it on your local server, or if you want to actually buy a signed certificate you can just send the server.csr file to your beloved CA. Note that a self-signed certificate will show an error in the client's browser, since you're not a trusted entity.
openssl x509 -req -days 60 -in server.csr -signkey server.key -out server.crt
This will generate a self-signed certificate valid for 60 days.
And now…
You just need to add it to apache!
Usually Apache ships an ssl.conf or httpd-ssl.conf file as an example; just copy the .crt, .csr and .key files to the folders referenced there.
There's also a simple example of an SSL implementation for a domain:
<IfDefine SSL>
<VirtualHost _default_:443>
    ServerAdmin webmaster@domain.com
    DocumentRoot /usr/local/apache/share/htdocs
    ServerName www.domain.com
    ScriptAlias /cgi-bin/ /usr/local/apache/share/htdocs/cgi-bin/
    # enable mod_ssl for this vhost and point it at the certificate and
    # the unencrypted key (server.pem) generated above
    SSLEngine on
    SSLCertificateFile /usr/local/apache/etc/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/etc/ssl.key/server.pem
    # work around old MSIE SSL shutdown bugs
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    # per-request log of the negotiated protocol and cipher
    CustomLog /usr/local/apache/var/log/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
…also stolen from the same site.
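As an added example (not the post's own commands), this script runs the key, CSR and self-signed certificate steps above unattended and then checks that the three files share one RSA modulus, which is what to confirm before pointing SSLCertificateFile and SSLCertificateKeyFile at them. It assumes openssl is on PATH, replaces the interactive prompts with a placeholder passphrase (-passout) and constructed subject values (-subj), and uses 2048-bit keys rather than the post's 1024.

```shell
#!/bin/sh
# Added example, not from the original post. Runs the post's key -> CSR ->
# self-signed certificate steps unattended, then checks that the files
# belong together before they are wired into SSLCertificateFile /
# SSLCertificateKeyFile. Assumes openssl is on PATH; the passphrase and
# subject fields are constructed test values.
set -eu

# Create server.key (passphrase-protected), server.pem (passphrase removed,
# owner-only permissions as the post insists), server.csr and a 60-day
# self-signed server.crt in directory $1 for hostname $2.
make_selfsigned() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # -passout stands in for the interactive password prompt; 2048 bits
    # instead of the post's 1024, which CAs and browsers no longer accept.
    openssl genrsa -des3 -passout pass:changeit -out "$dir/server.key" 2048 2>/dev/null
    openssl rsa -passin pass:changeit -in "$dir/server.key" -out "$dir/server.pem" 2>/dev/null
    chmod 600 "$dir/server.pem"
    # -subj stands in for the interactive questionnaire
    openssl req -new -key "$dir/server.pem" -out "$dir/server.csr" \
        -subj "/C=XX/ST=Test/L=Test/O=Example Org/CN=$host"
    openssl x509 -req -days 60 -in "$dir/server.csr" -signkey "$dir/server.pem" \
        -out "$dir/server.crt" 2>/dev/null
}

# Verify that key, CSR and certificate share one RSA modulus, i.e. that the
# certificate Apache serves really matches the key it loads (the same check
# mod_ssl performs when it loads them). Prints "match" (exit 0) or
# "mismatch" (exit 1).
verify_pair() {
    dir=$1
    k=$(openssl rsa  -noout -modulus -in "$dir/server.pem" | openssl sha256)
    r=$(openssl req  -noout -modulus -in "$dir/server.csr" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$dir/server.crt" | openssl sha256)
    if [ "$k" = "$r" ] && [ "$k" = "$c" ]; then echo match; return 0; fi
    echo mismatch; return 1
}

# Print the certificate subject and validity window (to confirm the CN and
# the 60-day lifetime).
cert_info() {
    openssl x509 -noout -subject -dates -in "$1/server.crt"
}
```

Run it as `make_selfsigned ./ssl www.domain.com && verify_pair ./ssl && cert_info ./ssl`; a "mismatch" means a key or certificate was regenerated separately and the pair must not be deployed.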
Notes:
DO NOT use OpenSSL for Windows, it has sucked for me.
If you are using this on Windows and when starting Apache you get:
Init: SSLPassPhraseDialog builtin is not supported on Win32
remove the password from your server.key file with:
cp server.key server.key.bak
openssl rsa -in server.key.bak -out server.key
Source: