Building a working ssl server with openssl

chris (2004-07-26 09:24:37)
2898 views
0 replies
I installed mysql and apache using swaret, just for the fun of it. Swaret puts apache into different locations to what I'm used to. The config files are all under /etc/apache, the logs tend to reside within /var/log and the binaries are under /usr/bin - so none of the /usr/local/apache/* path is used in this setup.

Another gotcha which I found was the new location of the libssl.so. I spent ages trying to find out why it wouldn't load, then found out that newer builds of apache moved all the libraries to /usr/libexec/apache instead of /usr/libexec, so I found myself symlinking the /usr/libexec/apache/libssl.so in place of the existing libssl.so.

So once all that was over, it was just a case of bashing openssl for a bit. It's easy to make the mistake of generating a certificate without creating a csr first, thinking that csr's are only for CA-signed certs. I've seen a few cases of people omitting this stage. For a complete ssl setup I recommend the following steps:

/usr/local/bin/openssl genrsa 1024 > my.site.key (generate a key, replace my.site with foo, bar, or the fqdn of your website)

If you want to password protect your key use the following command instead of the version above. This will then require you to enter a password whenever you attempt to start apache with ssl

/usr/local/bin/openssl genrsa -des3 1024 > my.site.key

If you don't want to bother with the password protection, just use the first version of the openssl genrsa command.

The next step is the creation of a CSR. which is what you would normally send to the Certificate Authority (verisign, geotrust, equifax or whoever they might be)

/usr/local/bin/openssl genrsa -des3 1024 > my.site.key

This will then ask you to complete a load of questions as follows: Note you can leave a field blank just put entering a full stop.

# Country Name (2 letters code): GB <-- this isn't an iso 3166 code, so for Britian, you would use GB instead of UK
# State or Province Name : .
# Locality Name: London
# Organization name: My Company Ltd
# Organization Unit Name: Technical Department
# Common name: www.my.company.net (this should be the address of your website)
# Email Adress: me@mcompany.com
# A challenge password:
# An optional company name:


Now all that is complete, the certificate generation is simple. Just enter the following:

/usr/local/ssl/bin/openssl req -x509 -days 10000 -key my.site.key -in my.site.csr -out my.site.crt

All this is documented on http://www.linux-sottises.net/en_apache_install.php

christo
comment