Changes between Initial Version and Version 1 of APACHE_ssl_cert_req


Timestamp: 12/05/14 11:46:17 (10 years ago)
Author: lttoth@…
Comment: --

  • APACHE_ssl_cert_req

    v1 v1  
     1= Generating a Certificate Signing Request for Apache entry =    
     2    Original author:  Beth Mercer - 2007/04/12 
     3 
     4== Apache/SSL installation ==  
     5 
     6For a general overviews of installation see also:  
     7 * [[https://www.sslshopper.com/apache-server-ssl-installation-instructions.html| Apache SSL Installation]] 
     8 * [[https://www.digicert.com/ssl-certificate-installation-apache.htm| Apache SSL Certificate Installation]] 
     9 
     10=== Create a RSA private key and certificate request for your Apache server === 
     11 1. Change to the target certification location 
     12{{{ 
     13    $ cd [some private directory with strict permissions] 
     14}}} 
     15 1. Generate a private key, place it in PEM-format file sec-server.key which is encrypted and password-protected by a passphrase for which you will be prompted. 
     16{{{ 
     17    $ /usr/local/ssl/bin/openssl genrsa -des3 -out sec-server.key 1024 
     18}}} 
     19 1. Decrypt the contents of sec-server.key into server.key 
     20{{{ 
     21   $ /usr/local/ssl/bin/openssl rsa -in sec-server.key -out server.key 
     22}}} 
     23 1. Create Certificate Signing Request using decrypted private key. 
     24{{{ 
     25   $ /usr/local/ssl/bin/openssl req -new -key server.key -out server.csr 
     26   $ mailx -s "Certificate Signing Request" sxccc@alaska.edu < server.csr 
     27}}} 
     28 1. As root (sudo or su) 
     29{{{ 
     30   $ su 
     31   $ chown root:root server.key sec-server.key 
     32   $ chmod 0400 server.key sec-server.key server.csr 
     33   $ cp -p server.key [installed apache dir]/conf/ssl.key 
     34   $ cp -p server.csr [installed apache dir]/conf/ssl.csr 
     35}}} 
     36     * In Solaris 10, the directory structure is somewhat different: 
     37  {{{ 
     38      $ mkdir ssl.crt 
     39      $ cp -p server.key /etc/ 
     40  }}} 
     41=== Install the Certificate === 
     42  After your certificate request is signed and a signed server 
     43   certificate is returned, put the signed server certificate in server.crt. 
     44{{{ 
     45    $ chmod 0400 server.crt 
     46    $ cp -p server.crt [installed apache dir]/conf/ssl.crt 
     47}}} 
     48 
     49In the example below, the private key had already been generated for the 
     50edirtest and edirprep entries, so I skipped the two commands "openssl 
     51genrsa..."  and "openssl rsa...".  An old certificate exists, but the previous 
     52CSR has been lost and thus I can not just RENEW the exiting certificate.  I 
     53need to generate a new HCF certificate, so I needed to submit a new CSR. 
     54 
     55{{{ 
     56eklutna.root> pwd 
     57/usr/local/Apache/ssl-certs 
     58 
     59eklutna.root> ls -l edir+(prep|test)* 
     60-r--------   1 root     other       2948 Nov 22  2005 edirprep.crt 
     61-r--------   1 root     other        891 Nov 22  2005 edirprep_private.key 
     62-r--------   1 root     other       2948 Nov 22  2005 edirtest.crt 
     63-r--------   1 root     other        887 Nov 22  2005 edirtest_private.key 
     64 
     65eklutna.root> which openssl 
     66/usr/local/bin/openssl 
     67 
     68eklutna.root> openssl req -new -key edirprep_private.key -out edirprep.csr  
     69You are about to be asked to enter information that will be incorporated 
     70into your certificate request. 
     71What you are about to enter is what is called a Distinguished Name or a DN. 
     72There are quite a few fields but you can leave some blank 
     73For some fields there will be a default value, 
     74If you enter '.', the field will be left blank. 
     75----- 
     76Country Name (2 letter code) [AU]:US 
     77State or Province Name (full name) [Some-State]:Alaska 
     78Locality Name (eg, city) []:Fairbanks 
     79Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Alaska 
     80Organizational Unit Name (eg, section) []:Office of Information Technology 
     81Common Name (eg, YOUR name) []:edirprep.alaska.edu 
     82Email Address []:sdts@email.alaska.edu 
     83 
     84Please enter the following 'extra' attributes 
     85to be sent with your certificate request 
     86A challenge password []: 
     87An optional company name []: 
     88 
     89eklutna.root> ls -altr|tail 
     90-r--------   1 root     other       1117 Dec 29 11:53 edgar_private.pem 
     91-r--------   1 root     other        887 Dec 29 11:55 edgar_private.key 
     92-r--------   1 root     other       1387 Feb  5 15:51 edir_2007.crt 
     93-r--------   1 root     other       1387 Feb  5 15:51 edir.crt 
     94-r--------   1 root     other        948 Feb 19 11:33 egegik.crt 
     95-r--------   1 root     other        944 Feb 19 11:35 eklutna.crt 
     96-r--------   1 root     other        948 Feb 19 11:53 edgar.crt 
     97-r-x------   1 root     other         42 Apr  6 16:13 .check-for-CNTL-M.ksh 
     98-rw-r--r--   1 root     other        773 Apr 12 10:36 edirprep.csr 
     99dr--------   2 root     other       1536 Apr 12 10:36 . 
     100 
     101eklutna.root> cat edirprep.csr 
     102-----BEGIN CERTIFICATE REQUEST----- 
     103MIICATCCAWoCAQAwgcAxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZBbGFza2ExEjAQ 
     104BgNVBAcTCUZhaXJiYW5rczEdMBsGA1UEChMUVW5pdmVyc2l0eSBvZiBBbGFza2Ex 
     105KTAnBgNVBAsTIE9mZmljZSBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRwwGgYD 
     106VQQDExNlZGlycHJlcC5hbGFza2EuZWR1MSQwIgYJKoZIhvcNAQkBFhVzZHRzQGVt 
     107YWlsLmFsYXNrYS5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL4LW2ki 
     108FlIQiAmOFK3H6la8KiJguI7lwA83dqOCrcDnM50bCBNuVnmNm12y/9C3mzjw8jq+ 
     109P68CDA5S3f2DpH0RgoWgvWGqORItQ/qzw4qSxHCRbrH37F0yUoba5dQyFx0NN2gT 
     110vGtb/IJwM46GYqPpM/TrwEHER/hdwSelT8ZZAgMBAAGgADANBgkqhkiG9w0BAQQF 
     111AAOBgQAcqdVz9r3Ot+mlodIfmUAI5ztG625MwlldivzCPDhwIyOwRPLcv16/mhMU 
     112M50EOHZ1VNM1cMzTWxaGonLrTXuHWC2KawX9cNHNgL1SyGNBieKzGug+z/43OlDM 
     113BE51zB7Jsgb4kjfMlkffDkOXrXWXJkhZUW87AEZeJ+F0VeGfig== 
     114-----END CERTIFICATE REQUEST----- 
     115 
     116eklutna.root> openssl req -new -key edirtest_private.key -out edirtest.csr  
     117You are about to be asked to enter information that will be incorporated 
     118into your certificate request. 
     119What you are about to enter is what is called a Distinguished Name or a DN. 
     120There are quite a few fields but you can leave some blank 
     121For some fields there will be a default value, 
     122If you enter '.', the field will be left blank. 
     123----- 
     124Country Name (2 letter code) [AU]:US 
     125State or Province Name (full name) [Some-State]:Alaska 
     126Locality Name (eg, city) []:Fairbanks 
     127Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Alaska 
     128Organizational Unit Name (eg, section) []:Office of Information Technology 
     129Common Name (eg, YOUR name) []:edirtest.alaska.edu 
     130Email Address []:sdts@email.alaska.edu 
     131 
     132Please enter the following 'extra' attributes 
     133to be sent with your certificate request 
     134A challenge password []: 
     135An optional company name []: 
     136 
     137eklutna.root> ls -altr|tail                                                 
     138-r--------   1 root     other        887 Dec 29 11:55 edgar_private.key 
     139-r--------   1 root     other       1387 Feb  5 15:51 edir_2007.crt 
     140-r--------   1 root     other       1387 Feb  5 15:51 edir.crt 
     141-r--------   1 root     other        948 Feb 19 11:33 egegik.crt 
     142-r--------   1 root     other        944 Feb 19 11:35 eklutna.crt 
     143-r--------   1 root     other        948 Feb 19 11:53 edgar.crt 
     144-r-x------   1 root     other         42 Apr  6 16:13 .check-for-CNTL-M.ksh 
     145-rw-r--r--   1 root     other        773 Apr 12 10:36 edirprep.csr 
     146-rw-r--r--   1 root     other        773 Apr 12 10:40 edirtest.csr 
     147dr--------   2 root     other       1536 Apr 12 10:40 . 
     148 
     149eklutna.root> cat edirtest.csr 
     150-----BEGIN CERTIFICATE REQUEST----- 
     151MIICATCCAWoCAQAwgcAxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZBbGFza2ExEjAQ 
     152BgNVBAcTCUZhaXJiYW5rczEdMBsGA1UEChMUVW5pdmVyc2l0eSBvZiBBbGFza2Ex 
     153KTAnBgNVBAsTIE9mZmljZSBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRwwGgYD 
     154VQQDExNlZGlydGVzdC5hbGFza2EuZWR1MSQwIgYJKoZIhvcNAQkBFhVzZHRzQGVt 
     155YWlsLmFsYXNrYS5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN9YfD3x 
     156C5D5VxY+q9TlgWec7+OtON7FxuAc8C8tRidvFHf0SrW724GXy7xcIlmQrZPXccUr 
     157uCMTSixAjmbOAOWkyHQiAC7p7azWgkmhCZa5W2sXx0pelxfkRE4psvVyUEPgvk43 
     1581DVERKeRysuBH/hL7Yz0Owd2T0+ZN6XecmwbAgMBAAGgADANBgkqhkiG9w0BAQQF 
     159AAOBgQCagGaZoIWu5EO4BkqGytWTUTjrC6C2TzZEBXWFOeWRte4vFuPM9ORe0Uic 
     1606UIQSWD6ftJ7Q0IFj2evdNp8SOClMcPuJwkxHvxyFRTKczBBKipUc5v8YfUqE3fA 
     1612RFmTy4DcaFpMHlw1AREBS6wTVZuAArtv9xzndjREAEqQPqLZg== 
     162-----END CERTIFICATE REQUEST----- 
     163 
     164eklutna.root> ls -l edir+(prep|test)* 
     165-r--------   1 root     other       2948 Nov 22  2005 edirprep.crt 
     166-rw-r--r--   1 root     other        773 Apr 12 10:36 edirprep.csr 
     167-r--------   1 root     other        891 Nov 22  2005 edirprep_private.key 
     168-r--------   1 root     other       2948 Nov 22  2005 edirtest.crt 
     169-rw-r--r--   1 root     other        773 Apr 12 10:40 edirtest.csr 
     170-r--------   1 root     other        887 Nov 22  2005 edirtest_private.key 
     171 
     172eklutna.root>  
     173}}} 
     174
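Review bot: new line 17 generates a 1024-bit RSA key (`openssl genrsa -des3 -out sec-server.key 1024`), which is below the 2048-bit minimum that publicly trusted CAs accept for RSA; change the size argument to 2048 or larger. Lines 19-21 write the decrypted key to server.key before the `chown`/`chmod 0400` at lines 31-32, so until then the file has whatever mode the caller's umask gives it; suggest adding `umask 077` ahead of line 17, or stating that the strict-permission directory from line 13 is what protects it in the meantime. The Solaris 10 note at lines 36-40 creates `ssl.crt` but then copies server.key to `/etc/` and never says where the certificate or CSR goes, so it reads as incomplete and should spell out the intended target paths. The walkthrough text at lines 49-53 would also benefit from a sentence noting that the transcript reuses private keys dated Nov 22 2005, so readers do not take key reuse across certificate replacements as the recommended default.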