- 1 How to Create a Self Signed SSL Key for Your Server
- 1.1 Generate the server's private key using a 1024-bit key and the RSA algorithm
- 1.2 Generate a Certificate-Signing Request
- 1.3 Fill in the required information at the prompts
- 1.4 Create a self-signed certificate from the certificate-signing request (.csr file)
- 1.5 Remove the Certificate-Signing Request
- 1.6 Move the files to Their Final Home
- 2 SSL Certificates
How to Create a Self Signed SSL Key for Your Server
Generate the server's private key using a 1024-bit key and the RSA algorithm
openssl genrsa -out server.key 1024
Generate a Certificate-Signing Request
openssl req -new -key server.key -out server.csr
Fill in the required information at the prompts
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:California
Locality Name (eg, city) [Newbury]:Palo Alto
Organization Name (eg, company) [My Company Ltd]:eQuoria Networks
Organizational Unit Name (eg, section) :
Common Name (eg, your name or your server's hostname) :hostname.equoria.net
Email Address :firstname.lastname@example.org
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password : <!-- just leave these two blank for a self signing request -->
An optional company name :
The really important one is the Common Name. It must match the fully qualified host name of the SSL site. Otherwise,
Note that I left the password blank. If you don't do this, Apache will prompt you for the certificate password each time you start the server.
Create a self-signed certificate from the certificate-signing request (.csr file)
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
The days option in the example is good for ten years. Your expiration can't go past "Jan 19, 2038 04:14:07", because of the "Year 2038" bug. If you try to go beyond that date, your certificate will be expired on creation.
Remove the Certificate-Signing Request
You don't need it any more.
Move the files to Their Final Home
Put the .crt and .key files into Apache's SSL directory and configure Apache to use them. This location is normally defined in your /etc/httpd/conf/httpd.conf file.
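The steps above as one non-interactive script, followed by checks that the certificate matches the key, that its Common Name is the site's host name, and that it is not about to expire. This is an added example, not part of the original page: the function names, subject values and directory layout are assumptions, and it generates a 2048-bit key instead of the 1024-bit key above because current TLS stacks commonly refuse 1024-bit RSA.

```shell
#!/bin/sh
# Added example (not from the original page). Subject fields, function
# names and the 2048-bit key size are assumptions chosen for illustration.

make_selfsigned() {    # usage: make_selfsigned <fqdn> <outdir> [days]
    fqdn=$1; dir=$2; days=${3:-3650}
    mkdir -p "$dir" || return 1
    # Private key without a passphrase, created unreadable to other users.
    ( umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null ) || return 1
    # CSR: -subj answers the prompts; the Common Name is the site's FQDN.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=California/L=Palo Alto/O=Example Org/CN=$fqdn" || return 1
    # Self-sign the request with the same key.
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
    # The CSR is no longer needed once the certificate exists.
    rm -f "$dir/server.csr"
}

cert_cn() {            # usage: cert_cn <certificate file>; prints the subject CN
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

verify_selfsigned() {  # usage: verify_selfsigned <fqdn> <dir>
    crt=$2/server.crt; key=$2/server.key
    [ -s "$crt" ] && [ -s "$key" ] || { echo "missing files" >&2; return 1; }
    # Certificate and private key must carry the same RSA modulus.
    [ "$(openssl x509 -noout -modulus -in "$crt")" = \
      "$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)" ] ||
        { echo "certificate does not match key" >&2; return 1; }
    # Common Name must equal the fully qualified host name of the site.
    [ "$(cert_cn "$crt")" = "$1" ] ||
        { echo "Common Name is not $1" >&2; return 1; }
    # Fail if the certificate expires within the next 30 days.
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null ||
        { echo "certificate expired or expiring" >&2; return 1; }
}

# Run as: sh script.sh <fqdn> <outdir> [days]
if [ "$#" -ge 2 ]; then
    make_selfsigned "$@" && verify_selfsigned "$1" "$2"
fi
```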
- gatech.edu SSL Certificates HOWTO
- Here is a link to the O'Reilly Apache Guide which covers this. Fortunately, it is the sample chapter for the book.