| Version 1 (modified by lttoth@…, 10 years ago) (diff) |
|---|
Generating a Certificate Signing Request for Apache entry
Original author: Beth Mercer - 2007/04/12
Apache/SSL installation
For a general overviews of installation see also:
Create a RSA private key and certificate request for your Apache server
- Change to the target certification location
$ cd [some private directory with strict permissions]
- Generate a private key, place it in PEM-format file sec-server.key which is encrypted and password-protected by a passphrase for which you will be prompted.
$ /usr/local/ssl/bin/openssl genrsa -des3 -out sec-server.key 1024
- Decrypt the contents of sec-server.key into server.key
$ /usr/local/ssl/bin/openssl rsa -in sec-server.key -out server.key
- Create Certificate Signing Request using decrypted private key.
$ /usr/local/ssl/bin/openssl req -new -key server.key -out server.csr $ mailx -s "Certificate Signing Request" sxccc@alaska.edu < server.csr
- As root (sudo or su)
$ su $ chown root:root server.key sec-server.key $ chmod 0400 server.key sec-server.key server.csr $ cp -p server.key [installed apache dir]/conf/ssl.key $ cp -p server.csr [installed apache dir]/conf/ssl.csr
- In Solaris 10, the directory structure is somewhat different:
$ mkdir ssl.crt $ cp -p server.key /etc/
- In Solaris 10, the directory structure is somewhat different:
Install the Certificate
After your certificate request is signed and a signed server
certificate is returned, put the signed server certificate in server.crt.
$ chmod 0400 server.crt $ cp -p server.crt [installed apache dir]/conf/ssl.crt
In the example below, the private key had already been generated for the edirtest and edirprep entries, so I skipped the two commands "openssl genrsa..." and "openssl rsa...". An old certificate exists, but the previous CSR has been lost and thus I can not just RENEW the exiting certificate. I need to generate a new HCF certificate, so I needed to submit a new CSR.
eklutna.root> pwd /usr/local/Apache/ssl-certs eklutna.root> ls -l edir+(prep|test)* -r-------- 1 root other 2948 Nov 22 2005 edirprep.crt -r-------- 1 root other 891 Nov 22 2005 edirprep_private.key -r-------- 1 root other 2948 Nov 22 2005 edirtest.crt -r-------- 1 root other 887 Nov 22 2005 edirtest_private.key eklutna.root> which openssl /usr/local/bin/openssl eklutna.root> openssl req -new -key edirprep_private.key -out edirprep.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:Alaska Locality Name (eg, city) []:Fairbanks Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Alaska Organizational Unit Name (eg, section) []:Office of Information Technology Common Name (eg, YOUR name) []:edirprep.alaska.edu Email Address []:sdts@email.alaska.edu Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: eklutna.root> ls -altr|tail -r-------- 1 root other 1117 Dec 29 11:53 edgar_private.pem -r-------- 1 root other 887 Dec 29 11:55 edgar_private.key -r-------- 1 root other 1387 Feb 5 15:51 edir_2007.crt -r-------- 1 root other 1387 Feb 5 15:51 edir.crt -r-------- 1 root other 948 Feb 19 11:33 egegik.crt -r-------- 1 root other 944 Feb 19 11:35 eklutna.crt -r-------- 1 root other 948 Feb 19 11:53 edgar.crt -r-x------ 1 root other 42 Apr 6 16:13 .check-for-CNTL-M.ksh -rw-r--r-- 1 root other 773 Apr 12 10:36 edirprep.csr dr-------- 2 root other 1536 Apr 12 10:36 . eklutna.root> cat edirprep.csr -----BEGIN CERTIFICATE REQUEST----- MIICATCCAWoCAQAwgcAxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZBbGFza2ExEjAQ BgNVBAcTCUZhaXJiYW5rczEdMBsGA1UEChMUVW5pdmVyc2l0eSBvZiBBbGFza2Ex KTAnBgNVBAsTIE9mZmljZSBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRwwGgYD VQQDExNlZGlycHJlcC5hbGFza2EuZWR1MSQwIgYJKoZIhvcNAQkBFhVzZHRzQGVt YWlsLmFsYXNrYS5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL4LW2ki FlIQiAmOFK3H6la8KiJguI7lwA83dqOCrcDnM50bCBNuVnmNm12y/9C3mzjw8jq+ P68CDA5S3f2DpH0RgoWgvWGqORItQ/qzw4qSxHCRbrH37F0yUoba5dQyFx0NN2gT vGtb/IJwM46GYqPpM/TrwEHER/hdwSelT8ZZAgMBAAGgADANBgkqhkiG9w0BAQQF AAOBgQAcqdVz9r3Ot+mlodIfmUAI5ztG625MwlldivzCPDhwIyOwRPLcv16/mhMU M50EOHZ1VNM1cMzTWxaGonLrTXuHWC2KawX9cNHNgL1SyGNBieKzGug+z/43OlDM BE51zB7Jsgb4kjfMlkffDkOXrXWXJkhZUW87AEZeJ+F0VeGfig== -----END CERTIFICATE REQUEST----- eklutna.root> openssl req -new -key edirtest_private.key -out edirtest.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:Alaska Locality Name (eg, city) []:Fairbanks Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Alaska Organizational Unit Name (eg, section) []:Office of Information Technology Common Name (eg, YOUR name) []:edirtest.alaska.edu Email Address []:sdts@email.alaska.edu Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: eklutna.root> ls -altr|tail -r-------- 1 root other 887 Dec 29 11:55 edgar_private.key -r-------- 1 root other 1387 Feb 5 15:51 edir_2007.crt -r-------- 1 root other 1387 Feb 5 15:51 edir.crt -r-------- 1 root other 948 Feb 19 11:33 egegik.crt -r-------- 1 root other 944 Feb 19 11:35 eklutna.crt -r-------- 1 root other 948 Feb 19 11:53 edgar.crt -r-x------ 1 root other 42 Apr 6 16:13 .check-for-CNTL-M.ksh -rw-r--r-- 1 root other 773 Apr 12 10:36 edirprep.csr -rw-r--r-- 1 root other 773 Apr 12 10:40 edirtest.csr dr-------- 2 root other 1536 Apr 12 10:40 . eklutna.root> cat edirtest.csr -----BEGIN CERTIFICATE REQUEST----- MIICATCCAWoCAQAwgcAxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZBbGFza2ExEjAQ BgNVBAcTCUZhaXJiYW5rczEdMBsGA1UEChMUVW5pdmVyc2l0eSBvZiBBbGFza2Ex KTAnBgNVBAsTIE9mZmljZSBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRwwGgYD VQQDExNlZGlydGVzdC5hbGFza2EuZWR1MSQwIgYJKoZIhvcNAQkBFhVzZHRzQGVt YWlsLmFsYXNrYS5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN9YfD3x C5D5VxY+q9TlgWec7+OtON7FxuAc8C8tRidvFHf0SrW724GXy7xcIlmQrZPXccUr uCMTSixAjmbOAOWkyHQiAC7p7azWgkmhCZa5W2sXx0pelxfkRE4psvVyUEPgvk43 1DVERKeRysuBH/hL7Yz0Owd2T0+ZN6XecmwbAgMBAAGgADANBgkqhkiG9w0BAQQF AAOBgQCagGaZoIWu5EO4BkqGytWTUTjrC6C2TzZEBXWFOeWRte4vFuPM9ORe0Uic 6UIQSWD6ftJ7Q0IFj2evdNp8SOClMcPuJwkxHvxyFRTKczBBKipUc5v8YfUqE3fA 2RFmTy4DcaFpMHlw1AREBS6wTVZuAArtv9xzndjREAEqQPqLZg== -----END CERTIFICATE REQUEST----- eklutna.root> ls -l edir+(prep|test)* -r-------- 1 root other 2948 Nov 22 2005 edirprep.crt -rw-r--r-- 1 root other 773 Apr 12 10:36 edirprep.csr -r-------- 1 root other 891 Nov 22 2005 edirprep_private.key -r-------- 1 root other 2948 Nov 22 2005 edirtest.crt -rw-r--r-- 1 root other 773 Apr 12 10:40 edirtest.csr -r-------- 1 root other 887 Nov 22 2005 edirtest_private.key eklutna.root>
