= Generating a Certificate Signing Request for Apache entry =

Original author: Beth Mercer - 2007/04/12

== Apache/SSL installation ==

For a general overview of installation see also:
 * [[https://www.sslshopper.com/apache-server-ssl-installation-instructions.html| Apache SSL Installation]]
 * [[https://www.digicert.com/ssl-certificate-installation-apache.htm| Apache SSL Certificate Installation]]

=== Create an RSA private key and certificate request for your Apache server ===

 1. Change to the target certificate location (a private directory with strict permissions).
{{{
$ cd [some private directory with strict permissions]
}}}
 1. Generate a private key and place it in the PEM-format file sec-server.key, which is encrypted and protected by a passphrase for which you will be prompted.
{{{
$ /usr/local/ssl/bin/openssl genrsa -des3 -out sec-server.key 1024
}}}
 1. Decrypt the contents of sec-server.key into server.key.
{{{
$ /usr/local/ssl/bin/openssl rsa -in sec-server.key -out server.key
}}}
 1. Create a Certificate Signing Request using the decrypted private key, and mail it to the signing authority.
{{{
$ /usr/local/ssl/bin/openssl req -new -key server.key -out server.csr
$ mailx -s "Certificate Signing Request" sxccc@alaska.edu < server.csr
}}}
 1. As root (sudo or su), restrict the files and copy them into the Apache configuration directory.
{{{
$ su
$ chown root:root server.key sec-server.key
$ chmod 0400 server.key sec-server.key server.csr
$ cp -p server.key [installed apache dir]/conf/ssl.key
$ cp -p server.csr [installed apache dir]/conf/ssl.csr
}}}
 * In Solaris 10, the directory structure is somewhat different:
{{{
$ mkdir ssl.crt
$ cp -p server.key /etc/
}}}

=== Install the Certificate ===

After your certificate request is signed and a signed server certificate is returned, put the signed server certificate in server.crt.
{{{
$ chmod 0400 server.crt
$ cp -p server.crt [installed apache dir]/conf/ssl.crt
}}}

In the example below, the private key had already been generated for the edirtest and edirprep entries, so I skipped the two commands "openssl genrsa..." and "openssl rsa...".
An old certificate exists, but the previous CSR has been lost and thus I cannot just RENEW the existing certificate. I need to generate a new HCF certificate, so I need to submit a new CSR.
{{{
eklutna.root> pwd
/usr/local/Apache/ssl-certs
eklutna.root> ls -l edir+(prep|test)*
-r-------- 1 root other 2948 Nov 22 2005 edirprep.crt
-r-------- 1 root other 891 Nov 22 2005 edirprep_private.key
-r-------- 1 root other 2948 Nov 22 2005 edirtest.crt
-r-------- 1 root other 887 Nov 22 2005 edirtest_private.key
eklutna.root> which openssl
/usr/local/bin/openssl
eklutna.root> openssl req -new -key edirprep_private.key -out edirprep.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Alaska
Locality Name (eg, city) []:Fairbanks
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Alaska
Organizational Unit Name (eg, section) []:Office of Information Technology
Common Name (eg, YOUR name) []:edirprep.alaska.edu
Email Address []:sdts@email.alaska.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
eklutna.root> ls -altr|tail
-r-------- 1 root other 1117 Dec 29 11:53 edgar_private.pem
-r-------- 1 root other 887 Dec 29 11:55 edgar_private.key
-r-------- 1 root other 1387 Feb 5 15:51 edir_2007.crt
-r-------- 1 root other 1387 Feb 5 15:51 edir.crt
-r-------- 1 root other 948 Feb 19 11:33 egegik.crt
-r-------- 1 root other 944 Feb 19 11:35 eklutna.crt
-r-------- 1 root other 948 Feb 19 11:53 edgar.crt
-r-x------ 1 root other 42 Apr 6 16:13 .check-for-CNTL-M.ksh
-rw-r--r-- 1 root other 773 Apr 12 10:36 edirprep.csr
dr-------- 2 root other 1536 Apr 12 10:36 .
eklutna.root> cat edirprep.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICATCCAWoCAQAwgcAxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZBbGFza2ExEjAQ
BgNVBAcTCUZhaXJiYW5rczEdMBsGA1UEChMUVW5pdmVyc2l0eSBvZiBBbGFza2Ex
KTAnBgNVBAsTIE9mZmljZSBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRwwGgYD
VQQDExNlZGlycHJlcC5hbGFza2EuZWR1MSQwIgYJKoZIhvcNAQkBFhVzZHRzQGVt
YWlsLmFsYXNrYS5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL4LW2ki
FlIQiAmOFK3H6la8KiJguI7lwA83dqOCrcDnM50bCBNuVnmNm12y/9C3mzjw8jq+
P68CDA5S3f2DpH0RgoWgvWGqORItQ/qzw4qSxHCRbrH37F0yUoba5dQyFx0NN2gT
vGtb/IJwM46GYqPpM/TrwEHER/hdwSelT8ZZAgMBAAGgADANBgkqhkiG9w0BAQQF
AAOBgQAcqdVz9r3Ot+mlodIfmUAI5ztG625MwlldivzCPDhwIyOwRPLcv16/mhMU
M50EOHZ1VNM1cMzTWxaGonLrTXuHWC2KawX9cNHNgL1SyGNBieKzGug+z/43OlDM
BE51zB7Jsgb4kjfMlkffDkOXrXWXJkhZUW87AEZeJ+F0VeGfig==
-----END CERTIFICATE REQUEST-----
eklutna.root> openssl req -new -key edirtest_private.key -out edirtest.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Alaska
Locality Name (eg, city) []:Fairbanks
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Alaska
Organizational Unit Name (eg, section) []:Office of Information Technology
Common Name (eg, YOUR name) []:edirtest.alaska.edu
Email Address []:sdts@email.alaska.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
eklutna.root> ls -altr|tail
-r-------- 1 root other 887 Dec 29 11:55 edgar_private.key
-r-------- 1 root other 1387 Feb 5 15:51 edir_2007.crt
-r-------- 1 root other 1387 Feb 5 15:51 edir.crt
-r-------- 1 root other 948 Feb 19 11:33 egegik.crt
-r-------- 1 root other 944 Feb 19 11:35 eklutna.crt
-r-------- 1 root other 948 Feb 19 11:53 edgar.crt
-r-x------ 1 root other 42 Apr 6 16:13 .check-for-CNTL-M.ksh
-rw-r--r-- 1 root other 773 Apr 12 10:36 edirprep.csr
-rw-r--r-- 1 root other 773 Apr 12 10:40 edirtest.csr
dr-------- 2 root other 1536 Apr 12 10:40 .
eklutna.root> cat edirtest.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICATCCAWoCAQAwgcAxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZBbGFza2ExEjAQ
BgNVBAcTCUZhaXJiYW5rczEdMBsGA1UEChMUVW5pdmVyc2l0eSBvZiBBbGFza2Ex
KTAnBgNVBAsTIE9mZmljZSBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRwwGgYD
VQQDExNlZGlydGVzdC5hbGFza2EuZWR1MSQwIgYJKoZIhvcNAQkBFhVzZHRzQGVt
YWlsLmFsYXNrYS5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN9YfD3x
C5D5VxY+q9TlgWec7+OtON7FxuAc8C8tRidvFHf0SrW724GXy7xcIlmQrZPXccUr
uCMTSixAjmbOAOWkyHQiAC7p7azWgkmhCZa5W2sXx0pelxfkRE4psvVyUEPgvk43
1DVERKeRysuBH/hL7Yz0Owd2T0+ZN6XecmwbAgMBAAGgADANBgkqhkiG9w0BAQQF
AAOBgQCagGaZoIWu5EO4BkqGytWTUTjrC6C2TzZEBXWFOeWRte4vFuPM9ORe0Uic
6UIQSWD6ftJ7Q0IFj2evdNp8SOClMcPuJwkxHvxyFRTKczBBKipUc5v8YfUqE3fA
2RFmTy4DcaFpMHlw1AREBS6wTVZuAArtv9xzndjREAEqQPqLZg==
-----END CERTIFICATE REQUEST-----
eklutna.root> ls -l edir+(prep|test)*
-r-------- 1 root other 2948 Nov 22 2005 edirprep.crt
-rw-r--r-- 1 root other 773 Apr 12 10:36 edirprep.csr
-r-------- 1 root other 891 Nov 22 2005 edirprep_private.key
-r-------- 1 root other 2948 Nov 22 2005 edirtest.crt
-rw-r--r-- 1 root other 773 Apr 12 10:40 edirtest.csr
-r-------- 1 root other 887 Nov 22 2005 edirtest_private.key
eklutna.root>
}}}
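A CSR is public data: it carries only the Distinguished Name typed at the prompts, the public key and a self-signature made with the private key. That makes it worth inspecting before it is mailed, because the CA will sign exactly what is in it. The script below is an added example written for this page, not the original author's commands, and it runs that inspection against the edirprep.csr printed in the transcript above; it needs only the openssl command line. The thresholds it applies (RSA of at least 2048 bits, no MD5 or SHA-1 self-signature, a subjectAltName present) are the editor's and reflect current CA/Browser Forum baseline requirements. On the 2007 request it reports a 1024-bit key, an MD5 signature and no subjectAltName, so a request produced exactly as in the steps at the top of the page would be refused by a public CA today.

```sh
#!/bin/sh
# Added example (editor's code, not from the page): pre-submission checks on a
# CSR, applied to the edirprep.csr shown in the transcript. Thresholds are the
# editor's: RSA >= 2048 bits, no MD5/SHA-1 self-signature, a SAN present.
set -eu

# edirprep.csr exactly as printed in the transcript (public data).
PAGE_CSR='-----BEGIN CERTIFICATE REQUEST-----
MIICATCCAWoCAQAwgcAxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZBbGFza2ExEjAQ
BgNVBAcTCUZhaXJiYW5rczEdMBsGA1UEChMUVW5pdmVyc2l0eSBvZiBBbGFza2Ex
KTAnBgNVBAsTIE9mZmljZSBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRwwGgYD
VQQDExNlZGlycHJlcC5hbGFza2EuZWR1MSQwIgYJKoZIhvcNAQkBFhVzZHRzQGVt
YWlsLmFsYXNrYS5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL4LW2ki
FlIQiAmOFK3H6la8KiJguI7lwA83dqOCrcDnM50bCBNuVnmNm12y/9C3mzjw8jq+
P68CDA5S3f2DpH0RgoWgvWGqORItQ/qzw4qSxHCRbrH37F0yUoba5dQyFx0NN2gT
vGtb/IJwM46GYqPpM/TrwEHER/hdwSelT8ZZAgMBAAGgADANBgkqhkiG9w0BAQQF
AAOBgQAcqdVz9r3Ot+mlodIfmUAI5ztG625MwlldivzCPDhwIyOwRPLcv16/mhMU
M50EOHZ1VNM1cMzTWxaGonLrTXuHWC2KawX9cNHNgL1SyGNBieKzGug+z/43OlDM
BE51zB7Jsgb4kjfMlkffDkOXrXWXJkhZUW87AEZeJ+F0VeGfig==
-----END CERTIFICATE REQUEST-----'

# Subject CN of CSR file $1 (works with both the "/CN=x/..." and "CN = x, ..."
# subject formats that different OpenSSL versions print).
csr_cn() { openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'; }

# Modulus size in bits of the RSA public key in CSR file $1 (empty for non-RSA keys).
csr_key_bits() { openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -1; }

# Algorithm the requester used to self-sign CSR file $1.
csr_sigalg() { openssl req -in "$1" -noout -text | sed -n 's/.*Signature Algorithm: //p' | head -1; }

# Returns 0 when CSR file $1 meets the thresholds; otherwise prints each finding and returns 1.
lint_csr() {
    bits=$(csr_key_bits "$1"); alg=$(csr_sigalg "$1"); rc=0
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "weak key: ${bits:-non-RSA} bits (minimum 2048)"; rc=1
    fi
    case "$alg" in
        *md5*|*MD5*|*sha1*|*SHA1*) echo "weak signature algorithm: $alg"; rc=1 ;;
    esac
    # Browsers ignore the CN; without a subjectAltName the certificate will not match any host.
    openssl req -in "$1" -noout -text | grep -q 'DNS:' || { echo "no subjectAltName in request"; rc=1; }
    return $rc
}

main() {
    f=$(mktemp)
    printf '%s\n' "$PAGE_CSR" > "$f"
    echo "CN=$(csr_cn "$f"), RSA $(csr_key_bits "$f") bit, self-signed with $(csr_sigalg "$f")"
    if lint_csr "$f"; then echo "CSR acceptable"; else echo "CSR would be refused by a current CA"; fi
    rm -f "$f"
}

main
```

The same three functions can be pointed at any CSR file before it goes into the mailx command; a CA operator can run them on what arrives, since the checks need nothing but the request itself.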
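The five steps at the top of the page, scripted so they run without the interactive prompts shown in the transcript. This is an added example written for this page, not the original author's commands or any project's code; it assumes OpenSSL 1.1.1 or newer (for the -addext option) and every host name, DN value and path in it is a placeholder. Beyond the page's steps it adds the two checks a practitioner wants: before the CSR is mailed, that its self-signature verifies and that it was made with the key that will be installed; and after the signed certificate comes back, that server.crt carries the public key of server.key before it is copied into conf/ssl.crt. Because the CA's reply cannot be produced offline, the script self-signs its own CSR as a constructed stand-in for server.crt. As on the page, server.key is written unencrypted so that Apache can start unattended, which is why the directory and file modes are its only protection.

```sh
#!/bin/sh
# Added example (editor's code, not the page's commands): the key/CSR procedure
# scripted non-interactively, plus the checks worth running before the CSR is
# mailed and before the returned certificate is installed.
# Assumptions: OpenSSL 1.1.1 or newer (for -addext); every host name, DN value
# and path below is a placeholder.
set -eu

# SHA-256 of the DER SubjectPublicKeyInfo carried by a private key ("pkey"),
# a CSR ("req") or a certificate ("x509"). Equal digests mean the same key pair.
spki_digest() {
    case "$1" in
        pkey) openssl pkey -in "$2" -pubout -outform DER ;;
        req)  openssl req  -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        x509) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Steps 1-4 of the page in one go: key and CSR for host $2 in directory $1.
# The key is written unencrypted, like the page's server.key, so directory and
# file modes are its only protection; umask 077 and chmod 0400 mirror step 5.
make_key_and_csr() {
    umask 077
    mkdir -p "$1"
    # 2048 bits; the page's 1024 is below what any CA accepts today.
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    # -subj replaces the interactive DN prompts seen in the transcript; -addext adds
    # the subjectAltName that browsers and CAs require (a CN-only request is not enough).
    openssl req -new -key "$1/server.key" -out "$1/server.csr" \
        -subj "/C=US/ST=Alaska/L=Fairbanks/O=Example University/OU=IT/CN=$2" \
        -addext "subjectAltName=DNS:$2"
    chmod 0400 "$1/server.key" "$1/server.csr"
}

# Subject CN of a CSR, to check before it is mailed.
csr_cn() { openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'; }

# Pre-submission check: the CSR's self-signature verifies and its public key is
# the one belonging to server.key (a CSR made against the wrong key is useless).
csr_ok() {
    openssl req -in "$1/server.csr" -noout -verify >/dev/null 2>&1 || return 1
    [ "$(spki_digest pkey "$1/server.key")" = "$(spki_digest req "$1/server.csr")" ]
}

# Install-time check: certificate $2 must carry the public key of private key $1,
# otherwise Apache will refuse to start once it lands in conf/ssl.crt.
cert_matches_key() {
    [ "$(spki_digest pkey "$1")" = "$(spki_digest x509 "$2")" ]
}

main() {
    work=${1:-$(mktemp -d)}
    host=www.example.edu    # placeholder host name
    make_key_and_csr "$work" "$host"
    csr_ok "$work" || { echo "CSR does not verify or does not match server.key" >&2; exit 1; }
    echo "CSR for CN=$(csr_cn "$work/server.csr") is ready to send"
    # Constructed stand-in for the CA's reply: self-sign the CSR so the install
    # check can be exercised offline. A real server.crt comes back from the CA.
    openssl x509 -req -in "$work/server.csr" -signkey "$work/server.key" \
        -days 30 -out "$work/server.crt" 2>/dev/null
    cert_matches_key "$work/server.key" "$work/server.crt" || { echo "server.crt is for a different key" >&2; exit 1; }
    chmod 0400 "$work/server.crt"
    echo "server.crt matches server.key; files are in $work"
}

main "$@"
```

Comparing SubjectPublicKeyInfo digests rather than the RSA modulus alone keeps the check valid for any key type, and the same cert_matches_key test is what to run on a renewal before the old ssl.crt is overwritten.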