Managing Certificates

After installing and configuring OpenSSL and mod_ssl, the next step for a working SSL server implementation is to create a server certificate. This section explains in detail how to create and manage certificates and keys by using the openssl command-line tool. If you are using SSL for an e-commerce site, encryption protects customer data from eavesdroppers, and the certificate enables customers to verify that you are who you claim to be.

By the Way

The examples refer to the UNIX version of the command-line program openssl. If you are running under Windows, you need to use openssl.exe instead and change the paths of the examples to use backslashes instead of forward slashes. Also, if you installed OpenSSL in a directory unlike the one listed here, simply substitute that directory in the examples.

Creating a Key Pair

You must have a public/private key pair before you can create a certificate request. Assume that the fully qualified domain name (FQDN) for the certificate you want to create is You can create the keys by issuing the following command:

# openssl genrsa -des3 -out 1024

The genrsa switch indicates to OpenSSL that you want to generate a key pair.

The -des3 switch indicates that the private key should be encrypted with Triple DES and protected by a pass phrase. Current OpenSSL releases also accept -aes256 here, which is the better choice today.

The -out switch indicates where to store the results.

1024 indicates the number of bits of the generated key. That size was typical when this was written, but 1024-bit RSA is now considered too weak and public CAs no longer issue certificates for such keys; use 2048 bits or more.

The result of invoking this command looks like this:

Generating RSA private key, 1024 bit long modulus
..............++++++
.......................++++++
e is 65537 (0x10001)
Enter pass phrase for

As you can see, you will be asked to provide a pass phrase; choose a secure one. The pass phrase protects the private key on disk, and you will be asked for it whenever the server starts, including after an unattended reboot.

By the Way

You can choose not to password-protect the key. This is convenient because you will not need to enter the pass phrase during reboots, but it is less secure: the pass phrase protects the key only at rest, and without it anyone who can copy the file (through a server compromise or a stolen backup) can use the key immediately. Note that even a pass-phrase-protected key is held decrypted in the running server's memory, so the pass phrase does not help against an attacker who already controls the running server. If you decide to remove the pass phrase, either leave out the -des3 switch in the generation phase or strip it from the existing key by issuing the following command:

# openssl rsa -in -out

It is a good idea to back up the key file, keeping the backup under the same access restrictions as the original. You can inspect the contents of the key file (modulus, exponents and primes) by issuing the following command:

# openssl rsa -noout -text -in key

Elements of the key will then be displayed to you.

Creating a Certificate Signing Request

To get a certificate issued by a CA, you must submit a certificate signing request. To create a request, issue the following command:

# openssl req -new -key -out

You will be prompted for the certificate information, something like the following:

Using configuration from /usr/local/ssl/install/openssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

It is important that the Common Name field entry matches the host name that visitors to your website will type in their browsers. Browsers check the name in the certificate against the host name they connected to, and if the names differ, a warning indicating the mismatch is shown to the user. Current browsers perform this check against the certificate's subjectAltName extension and ignore the Common Name, and the interactive prompt above does not add that extension. Public CAs normally put the names from your order into subjectAltName themselves, but confirm this in the issued certificate; for a self-signed certificate you have to add the extension yourself.

The certificate signing request (not yet a certificate) is now stored in the file you named with -out. You can learn about the contents of the request using the following command:

# openssl req -noout -text -in

You can submit the certificate signing request file to a CA for processing. VeriSign and Thawte are two of those CAs, but many CAs are available. You can learn more about the VeriSign and Thawte submission procedures at their websites for their products:

  • VeriSign

  • Thawte

Creating a Self-Signed Certificate

You can also create a self-signed certificate. That is, you can be both the issuer and the subject of the certificate. Because no trusted CA vouches for it, browsers will warn visitors, so it is not useful for a commercial website, but it enables you to test your installation of mod_ssl and to have an encrypted web server while you wait for the official certificate from the CA. The following command signs the request with your own private key and produces a certificate valid for 30 days:

# openssl x509 -req -days 30 -in -signkey key -out

You need to copy your certificate (either the one returned by the CA or your self-signed one) to /usr/local/ssl/openssl/certs/ and your key to /usr/local/ssl/openssl/private/.

Protect your key file by issuing the following command:

# chmod 400

This command makes the key readable only by the file's owner (root, if you ran the commands as root) and by nobody else. That is sufficient for Apache, which reads the key as root during startup before its worker processes drop to an unprivileged user, so the worker user must not be able to read it.
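The whole procedure in this section, from key pair to CSR to self-signed certificate to file permissions, as one non-interactive script. This is an added example, not code from the book or from the OpenSSL or mod_ssl projects, and it goes beyond the text in three ways a practitioner would want today: a 2048-bit key encrypted with AES-256 instead of 1024-bit/-des3, a subjectAltName in both the request and the self-signed certificate, and checks that the certificate and key actually belong together. It assumes OpenSSL 1.1.1 or later on the PATH (for -addext and -ext) and uses the placeholder host name www.example.com and a placeholder pass phrase; the file names derived from them are this example's choice.

```shell
#!/bin/sh
# Added example (not from the book): key -> CSR -> self-signed certificate,
# scripted non-interactively. Assumes OpenSSL 1.1.1+ on PATH. The FQDN and
# pass phrase below are placeholders chosen for this example.
set -eu

FQDN="${FQDN:-www.example.com}"        # placeholder host name
PASS="${PASS:-placeholder-passphrase}" # placeholder; keep real ones out of scripts

# Step 1: key pair. 2048-bit RSA encrypted with AES-256 (instead of the
# book's 1024-bit/-des3); umask and chmod keep it private from creation on.
make_key() {
    ( umask 077; openssl genrsa -aes256 -passout "pass:$PASS" \
        -out "$FQDN.key" 2048 2>/dev/null )
    chmod 400 "$FQDN.key"
}

# Report the modulus size the way "openssl rsa -noout -text" prints it.
key_bits() {
    openssl rsa -in "$1" -passin "pass:$PASS" -noout -text \
        | grep -o '[0-9]* bit' | head -n 1
}

# Unattended-startup variant: pass phrase removed (the book's
# "openssl rsa -in -out"). The plaintext key gets the same tight permissions.
strip_passphrase() {
    ( umask 077; openssl rsa -in "$FQDN.key" -passin "pass:$PASS" \
        -out "$FQDN.nopass.key" 2>/dev/null )
}

# Step 2: CSR. -subj replaces the interactive DN prompts; -addext adds the
# subjectAltName that browsers match against (the CN alone is ignored).
make_csr() {
    openssl req -new -key "$FQDN.key" -passin "pass:$PASS" \
        -subj "/C=US/ST=CA/L=San Francisco/CN=$FQDN" \
        -addext "subjectAltName=DNS:$FQDN" -out "$FQDN.csr"
}

# Step 3: self-signed certificate for testing. "x509 -req" does not copy the
# CSR's extensions by default, so the SAN is supplied again via -extfile.
make_self_signed() {
    printf 'subjectAltName=DNS:%s\n' "$FQDN" > "$FQDN.ext"
    openssl x509 -req -days 30 -in "$FQDN.csr" -signkey "$FQDN.key" \
        -passin "pass:$PASS" -extfile "$FQDN.ext" -out "$FQDN.crt" 2>/dev/null
}

# Checks before installing: names in the certificate, key/cert pairing,
# and the key file's mode.
cert_names() {
    openssl x509 -noout -subject -ext subjectAltName -in "$1"
}

key_matches_cert() {   # $1 = certificate, $2 = key (encrypted or not)
    [ "$(openssl x509 -noout -pubkey -in "$1")" = \
      "$(openssl rsa -pubout -in "$2" -passin "pass:$PASS" 2>/dev/null)" ]
}

key_perms() { ls -l "$1" | cut -c1-10; }   # expect -r-------- (0400)

# Run every step in the current directory and print the checks.
provision() {
    make_key; strip_passphrase; make_csr; make_self_signed
    openssl req -verify -noout -in "$FQDN.csr"
    cert_names "$FQDN.crt"
    key_matches_cert "$FQDN.crt" "$FQDN.nopass.key"
    echo "key: $(key_bits "$FQDN.key"), mode $(key_perms "$FQDN.key")"
}

# "sh script.sh run" performs the whole procedure in a scratch directory.
case "${1:-}" in run) cd "$(mktemp -d)" && provision ;; esac
```

Run it with `FQDN=host.example.org sh script.sh run` to provision for another name. The pass phrase is passed with `-passin pass:` only so the example runs unattended; on a real server prefer `-passin file:` pointing at a 0400 file, or keep the interactive prompt, so the phrase never appears in process listings or shell history.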

Sams Teach Yourself PHP, MySQL and Apache All in One (3rd Edition)
ISBN: 0672328739
Year: 2004
Pages: 327