Apache self-signed certificate HOWTO

Tested on Debian lenny

Generate the key and certificate for the Certificate Authority (the key that will do the signing)

Code:
> openssl genrsa -des3 -out ca.key 4096
Enter a secure CA password

> openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
The following questions will be asked:
Country Name (2 letter code) [AU]:AT
State or Province Name (full name) [Some-State]:Vienna
Locality Name (eg, city) []:Vienna
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cFlex IT Services GmbH
Organizational Unit Name (eg, section) []:Internet Services
Common Name (eg, YOUR name) []:cFlex Root Certificate
Email Address []:hostmaster@cflex.at

Generate the private key for your server

Code:
> openssl genrsa -des3 -out servername.key 4096
Enter another secure password

Create a CSR (certificate signing request) to get signed by the CA

Code:
> openssl req -new -key servername.key -out servername.csr
The following questions will be asked:
Country Name (2 letter code) [AU]:AT
State or Province Name (full name) [Some-State]:Vienna
Locality Name (eg, city) []:Vienna
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cFlex IT Services GmbH
Organizational Unit Name (eg, section) []:Internet Services
Common Name (eg, YOUR name) []:*.cflex.at
Email Address []:webmaster@cflex.at

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:empty
An optional company name []:empty

Sign your CSR with the CA key you made in the first step

Code:
> openssl x509 -req -days 3650 -in servername.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out servername.crt
Enter your CA password when prompted

Optionally remove the password from your key (if you do this, protect the unencrypted key file!!!)

Code:
> openssl rsa -in servername.key -out servername.key.nopass
Enter password

Copy the certificate and key to /etc/apache2/ssl

If the directory does not exist, create it

Code:
cp servername.crt /etc/apache2/ssl/
cp servername.key.nopass /etc/apache2/ssl/

Make Backups!

Add these lines to your Apache config

Code:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/servername.crt
SSLCertificateKeyFile /etc/apache2/ssl/servername.key.nopass
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
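Before restarting Apache it is worth checking that the files you just produced actually belong together. The script below is an added example, not part of the original HOWTO: it rebuilds the same CA -> CSR -> signed server certificate chain non-interactively in a scratch directory and then runs the three checks a practitioner would want. It assumes openssl is on PATH; the subject names are constructed sample values, and the keys are left unencrypted (no -des3) so that no prompts are needed.

```shell
# Added example (not part of the original HOWTO): rebuild the same CA -> CSR ->
# signed server certificate chain non-interactively in a scratch directory,
# then run the checks worth doing before pointing Apache at the files.
# Assumes: openssl on PATH. Subject names are constructed sample values; keys
# are left unencrypted (no -des3) so the script needs no prompts.

# Create ca.key, ca.crt, servername.key, servername.csr and servername.crt in $1,
# mirroring the HOWTO's openssl commands (2048-bit keys keep the demo fast).
make_chain() {
    mkdir -p "$1"
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$1/ca.key" -out "$1/ca.crt" \
        -subj "/C=AT/ST=Vienna/L=Vienna/O=Example Org/CN=Example Root Certificate"
    openssl genrsa -out "$1/servername.key" 2048 2>/dev/null
    openssl req -new -key "$1/servername.key" -out "$1/servername.csr" \
        -subj "/C=AT/ST=Vienna/L=Vienna/O=Example Org/CN=www.example.test"
    openssl x509 -req -days 3650 -in "$1/servername.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -set_serial 01 -out "$1/servername.crt" 2>/dev/null
}

# Check 1: the server certificate really chains to our CA certificate.
verify_signed_by_ca() {
    openssl verify -CAfile "$1/ca.crt" "$1/servername.crt" >/dev/null 2>&1
}

# Check 2: the private key belongs to the certificate (same RSA modulus).
# A mismatch here is the classic reason Apache refuses to start after a swap.
verify_key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1/servername.crt" | openssl sha256)
    k=$(openssl rsa -noout -modulus -in "$1/servername.key" | openssl sha256)
    [ "$c" = "$k" ]
}

# Check 3 (negative): a certificate from an unrelated CA must NOT verify,
# otherwise check 1 proves nothing.
verify_rejects_foreign_ca() {
    openssl req -new -x509 -days 1 -nodes -newkey rsa:2048 -keyout "$1/other.key" \
        -out "$1/other.crt" -subj "/CN=Other Root" 2>/dev/null
    ! openssl verify -CAfile "$1/other.crt" "$1/servername.crt" >/dev/null 2>&1
}

# Stand-alone run: build a throwaway chain and report each check.
work=$(mktemp -d)
make_chain "$work"
for check in verify_signed_by_ca verify_key_matches_cert verify_rejects_foreign_ca; do
    if "$check" "$work"; then echo "PASS $check"; else echo "FAIL $check"; fi
done
rm -rf "$work"
```

The same two positive checks apply to the real files under /etc/apache2/ssl; point the modulus comparison at servername.key.nopass if you stripped the password.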