| | 1 | = Generating a Certificate Signing Request for Apache entry = |
| | 2 | Original author: Beth Mercer - 2007/04/12 |
| | 3 | |
| | 4 | == Apache/SSL installation == |
| | 5 | |
| | 6 | For a general overview of installation, see also: |
| | 7 | * [[https://www.sslshopper.com/apache-server-ssl-installation-instructions.html| Apache SSL Installation]] |
| | 8 | * [[https://www.digicert.com/ssl-certificate-installation-apache.htm| Apache SSL Certificate Installation]] |
| | 9 | |
| | 10 | === Create an RSA private key and certificate request for your Apache server === |
| | 11 | 1. Change to the target certificate directory |
| | 12 | {{{ |
| | 13 | $ cd [some private directory with strict permissions] |
| | 14 | }}} |
| | 15 | 1. Generate a private key and place it in the PEM-format file sec-server.key, which is encrypted and protected by a passphrase for which you will be prompted. |
| | 16 | {{{ |
| | 17 | $ /usr/local/ssl/bin/openssl genrsa -des3 -out sec-server.key 1024 |
| | 18 | }}} |
| | 19 | 1. Decrypt the contents of sec-server.key into server.key |
| | 20 | {{{ |
| | 21 | $ /usr/local/ssl/bin/openssl rsa -in sec-server.key -out server.key |
| | 22 | }}} |
| | 23 | 1. Create the Certificate Signing Request using the decrypted private key. |
| | 24 | {{{ |
| | 25 | $ /usr/local/ssl/bin/openssl req -new -key server.key -out server.csr |
| | 26 | $ mailx -s "Certificate Signing Request" sxccc@alaska.edu < server.csr |
| | 27 | }}} |
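| | 28 | 1. As root (sudo or su), set ownership and permissions, then copy the key and request into the Apache configuration directory. |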
| | 29 | {{{ |
| | 30 | $ su |
| | 31 | $ chown root:root server.key sec-server.key |
| | 32 | $ chmod 0400 server.key sec-server.key server.csr |
| | 33 | $ cp -p server.key [installed apache dir]/conf/ssl.key |
| | 34 | $ cp -p server.csr [installed apache dir]/conf/ssl.csr |
| | 35 | }}} |
| | 36 | * In Solaris 10, the directory structure is somewhat different: |
| | 37 | {{{ |
| | 38 | $ mkdir ssl.crt |
| | 39 | $ cp -p server.key /etc/ |
| | 40 | }}} |
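
A pre-submission check for the key and CSR produced by the steps above, as an added example that is not part of the original page; the function names and the 2048-bit default are assumptions of this example. 2048 bits is the minimum RSA size publicly trusted CAs accept, so a key generated with the `1024` shown in the `genrsa` step fails the size check unless a lower minimum is passed as the third argument.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and the 2048-bit
# default are assumptions of this example.

# Print the RSA modulus as bare hex. $1 is "rsa" (key file) or "req" (CSR).
modulus_hex() {
    openssl "$1" -in "$2" -noout -modulus 2>/dev/null | sed 's/^Modulus=//'
}

# check_csr KEY CSR [MIN_BITS]
# KEY is the decrypted private key (server.key), CSR the request (server.csr).
# Prints one line per failed check; returns 0 only if every check passes.
check_csr() {
    key=$1; csr=$2; min_bits=${3:-2048}; rc=0

    # Key files must not be accessible to group or other (the page uses 0400).
    [ "$(ls -ld -- "$key" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: $key is accessible to group/other"; rc=1; }

    # Key size from the modulus length: 4 bits per hex digit.
    kmod=$(modulus_hex rsa "$key")
    bits=$(( ${#kmod} * 4 ))
    [ "$bits" -ge "$min_bits" ] ||
        { echo "FAIL: ${bits}-bit key, need at least $min_bits"; rc=1; }

    # The CSR must carry the public half of this key, not another file's.
    cmod=$(modulus_hex req "$csr")
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] ||
        { echo "FAIL: CSR public key does not match $key"; rc=1; }

    # Self-signature check. Match the message text: the exit status of
    # "req -verify" on failure differs between OpenSSL releases.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR self-signature does not verify"; rc=1; }

    # Reject requests signed with an MD5 or SHA-1 digest.
    if openssl req -in "$csr" -noout -text 2>/dev/null |
        grep -Eiq 'Signature Algorithm: *(md5|sha1)'; then
        echo "FAIL: CSR is signed with a weak digest"; rc=1
    fi

    return "$rc"
}
```

Run `check_csr server.key server.csr` after the `chmod` step and before mailing the request; any `FAIL` line means the pair should be regenerated or its permissions corrected first.
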
| | 41 | === Install the Certificate === |
| | 42 | After your certificate request is signed and a signed server |
| | 43 | certificate is returned, put the signed server certificate in server.crt. |
| | 44 | {{{ |
| | 45 | $ chmod 0400 server.crt |
| | 46 | $ cp -p server.crt [installed apache dir]/conf/ssl.crt |
| | 47 | }}} |
| | 48 | |
| | 49 | In the example below, the private key had already been generated for the |
| | 50 | edirtest and edirprep entries, so I skipped the two commands "openssl |
| | 51 | genrsa..." and "openssl rsa...". An old certificate exists, but the previous |
| | 52 | CSR has been lost and thus I cannot just RENEW the existing certificate. I |
| | 53 | need to generate a new HCF certificate, so I needed to submit a new CSR. |
| | 54 | |
| | 55 | {{{ |
| | 56 | eklutna.root> pwd |
| | 57 | /usr/local/Apache/ssl-certs |
| | 58 | |
| | 59 | eklutna.root> ls -l edir+(prep|test)* |
| | 60 | -r-------- 1 root other 2948 Nov 22 2005 edirprep.crt |
| | 61 | -r-------- 1 root other 891 Nov 22 2005 edirprep_private.key |
| | 62 | -r-------- 1 root other 2948 Nov 22 2005 edirtest.crt |
| | 63 | -r-------- 1 root other 887 Nov 22 2005 edirtest_private.key |
| | 64 | |
| | 65 | eklutna.root> which openssl |
| | 66 | /usr/local/bin/openssl |
| | 67 | |
| | 68 | eklutna.root> openssl req -new -key edirprep_private.key -out edirprep.csr |
| | 69 | You are about to be asked to enter information that will be incorporated |
| | 70 | into your certificate request. |
| | 71 | What you are about to enter is what is called a Distinguished Name or a DN. |
| | 72 | There are quite a few fields but you can leave some blank |
| | 73 | For some fields there will be a default value, |
| | 74 | If you enter '.', the field will be left blank. |
| | 75 | ----- |
| | 76 | Country Name (2 letter code) [AU]:US |
| | 77 | State or Province Name (full name) [Some-State]:Alaska |
| | 78 | Locality Name (eg, city) []:Fairbanks |
| | 79 | Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Alaska |
| | 80 | Organizational Unit Name (eg, section) []:Office of Information Technology |
| | 81 | Common Name (eg, YOUR name) []:edirprep.alaska.edu |
| | 82 | Email Address []:sdts@email.alaska.edu |
| | 83 | |
| | 84 | Please enter the following 'extra' attributes |
| | 85 | to be sent with your certificate request |
| | 86 | A challenge password []: |
| | 87 | An optional company name []: |
| | 88 | |
| | 89 | eklutna.root> ls -altr|tail |
| | 90 | -r-------- 1 root other 1117 Dec 29 11:53 edgar_private.pem |
| | 91 | -r-------- 1 root other 887 Dec 29 11:55 edgar_private.key |
| | 92 | -r-------- 1 root other 1387 Feb 5 15:51 edir_2007.crt |
| | 93 | -r-------- 1 root other 1387 Feb 5 15:51 edir.crt |
| | 94 | -r-------- 1 root other 948 Feb 19 11:33 egegik.crt |
| | 95 | -r-------- 1 root other 944 Feb 19 11:35 eklutna.crt |
| | 96 | -r-------- 1 root other 948 Feb 19 11:53 edgar.crt |
| | 97 | -r-x------ 1 root other 42 Apr 6 16:13 .check-for-CNTL-M.ksh |
| | 98 | -rw-r--r-- 1 root other 773 Apr 12 10:36 edirprep.csr |
| | 99 | dr-------- 2 root other 1536 Apr 12 10:36 . |
| | 100 | |
| | 101 | eklutna.root> cat edirprep.csr |
| | 102 | -----BEGIN CERTIFICATE REQUEST----- |
| | 103 | MIICATCCAWoCAQAwgcAxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZBbGFza2ExEjAQ |
| | 104 | BgNVBAcTCUZhaXJiYW5rczEdMBsGA1UEChMUVW5pdmVyc2l0eSBvZiBBbGFza2Ex |
| | 105 | KTAnBgNVBAsTIE9mZmljZSBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRwwGgYD |
| | 106 | VQQDExNlZGlycHJlcC5hbGFza2EuZWR1MSQwIgYJKoZIhvcNAQkBFhVzZHRzQGVt |
| | 107 | YWlsLmFsYXNrYS5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL4LW2ki |
| | 108 | FlIQiAmOFK3H6la8KiJguI7lwA83dqOCrcDnM50bCBNuVnmNm12y/9C3mzjw8jq+ |
| | 109 | P68CDA5S3f2DpH0RgoWgvWGqORItQ/qzw4qSxHCRbrH37F0yUoba5dQyFx0NN2gT |
| | 110 | vGtb/IJwM46GYqPpM/TrwEHER/hdwSelT8ZZAgMBAAGgADANBgkqhkiG9w0BAQQF |
| | 111 | AAOBgQAcqdVz9r3Ot+mlodIfmUAI5ztG625MwlldivzCPDhwIyOwRPLcv16/mhMU |
| | 112 | M50EOHZ1VNM1cMzTWxaGonLrTXuHWC2KawX9cNHNgL1SyGNBieKzGug+z/43OlDM |
| | 113 | BE51zB7Jsgb4kjfMlkffDkOXrXWXJkhZUW87AEZeJ+F0VeGfig== |
| | 114 | -----END CERTIFICATE REQUEST----- |
| | 115 | |
| | 116 | eklutna.root> openssl req -new -key edirtest_private.key -out edirtest.csr |
| | 117 | You are about to be asked to enter information that will be incorporated |
| | 118 | into your certificate request. |
| | 119 | What you are about to enter is what is called a Distinguished Name or a DN. |
| | 120 | There are quite a few fields but you can leave some blank |
| | 121 | For some fields there will be a default value, |
| | 122 | If you enter '.', the field will be left blank. |
| | 123 | ----- |
| | 124 | Country Name (2 letter code) [AU]:US |
| | 125 | State or Province Name (full name) [Some-State]:Alaska |
| | 126 | Locality Name (eg, city) []:Fairbanks |
| | 127 | Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Alaska |
| | 128 | Organizational Unit Name (eg, section) []:Office of Information Technology |
| | 129 | Common Name (eg, YOUR name) []:edirtest.alaska.edu |
| | 130 | Email Address []:sdts@email.alaska.edu |
| | 131 | |
| | 132 | Please enter the following 'extra' attributes |
| | 133 | to be sent with your certificate request |
| | 134 | A challenge password []: |
| | 135 | An optional company name []: |
| | 136 | |
| | 137 | eklutna.root> ls -altr|tail |
| | 138 | -r-------- 1 root other 887 Dec 29 11:55 edgar_private.key |
| | 139 | -r-------- 1 root other 1387 Feb 5 15:51 edir_2007.crt |
| | 140 | -r-------- 1 root other 1387 Feb 5 15:51 edir.crt |
| | 141 | -r-------- 1 root other 948 Feb 19 11:33 egegik.crt |
| | 142 | -r-------- 1 root other 944 Feb 19 11:35 eklutna.crt |
| | 143 | -r-------- 1 root other 948 Feb 19 11:53 edgar.crt |
| | 144 | -r-x------ 1 root other 42 Apr 6 16:13 .check-for-CNTL-M.ksh |
| | 145 | -rw-r--r-- 1 root other 773 Apr 12 10:36 edirprep.csr |
| | 146 | -rw-r--r-- 1 root other 773 Apr 12 10:40 edirtest.csr |
| | 147 | dr-------- 2 root other 1536 Apr 12 10:40 . |
| | 148 | |
| | 149 | eklutna.root> cat edirtest.csr |
| | 150 | -----BEGIN CERTIFICATE REQUEST----- |
| | 151 | MIICATCCAWoCAQAwgcAxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZBbGFza2ExEjAQ |
| | 152 | BgNVBAcTCUZhaXJiYW5rczEdMBsGA1UEChMUVW5pdmVyc2l0eSBvZiBBbGFza2Ex |
| | 153 | KTAnBgNVBAsTIE9mZmljZSBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRwwGgYD |
| | 154 | VQQDExNlZGlydGVzdC5hbGFza2EuZWR1MSQwIgYJKoZIhvcNAQkBFhVzZHRzQGVt |
| | 155 | YWlsLmFsYXNrYS5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN9YfD3x |
| | 156 | C5D5VxY+q9TlgWec7+OtON7FxuAc8C8tRidvFHf0SrW724GXy7xcIlmQrZPXccUr |
| | 157 | uCMTSixAjmbOAOWkyHQiAC7p7azWgkmhCZa5W2sXx0pelxfkRE4psvVyUEPgvk43 |
| | 158 | 1DVERKeRysuBH/hL7Yz0Owd2T0+ZN6XecmwbAgMBAAGgADANBgkqhkiG9w0BAQQF |
| | 159 | AAOBgQCagGaZoIWu5EO4BkqGytWTUTjrC6C2TzZEBXWFOeWRte4vFuPM9ORe0Uic |
| | 160 | 6UIQSWD6ftJ7Q0IFj2evdNp8SOClMcPuJwkxHvxyFRTKczBBKipUc5v8YfUqE3fA |
| | 161 | 2RFmTy4DcaFpMHlw1AREBS6wTVZuAArtv9xzndjREAEqQPqLZg== |
| | 162 | -----END CERTIFICATE REQUEST----- |
| | 163 | |
| | 164 | eklutna.root> ls -l edir+(prep|test)* |
| | 165 | -r-------- 1 root other 2948 Nov 22 2005 edirprep.crt |
| | 166 | -rw-r--r-- 1 root other 773 Apr 12 10:36 edirprep.csr |
| | 167 | -r-------- 1 root other 891 Nov 22 2005 edirprep_private.key |
| | 168 | -r-------- 1 root other 2948 Nov 22 2005 edirtest.crt |
| | 169 | -rw-r--r-- 1 root other 773 Apr 12 10:40 edirtest.csr |
| | 170 | -r-------- 1 root other 887 Nov 22 2005 edirtest_private.key |
| | 171 | |
| | 172 | eklutna.root> |
| | 173 | }}} |
| | 174 | |