July 08, 2003

Apache + mod_ssl cert    [ Software ]

Finally got around to configuring Apache + mod_ssl at home, and found a real quick way to generate a (passwordless, to avoid stalling the server for console input on a reboot - found that out the hard way after a power failure) self-signed cert:

1. Generate a key.

# openssl genrsa 1024 > servername.key

for a passwordless key, or:

# openssl genrsa -des3 1024 > servername.key

for a password-protected key, whose passphrase you'll need to type in on the console on bootup or whenever Apache restarts. You can insert:

SSLPassPhraseDialog exec:/path/to/your/password/program

in your httpd.conf so that Apache runs a program to obtain the passphrase, but it may be simpler to have a passwordless key than to call a program to feed a password to Apache.

2. Create a CSR file for the request.

# openssl req -new -key servername.key -out servername.csr

[ punch in your ISO 2-letter country code, region/state, org, ou, the server's FQDN for the "Common Name" field, email address, plus other optional fields ]

3. Grant the request and generate a CRT file.

# openssl req -x509 -days 730 -key servername.key -in servername.csr -out servername.crt

[ use whatever arbitrary number you want for the -days, but 2 years works well ]
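The three steps above collapsed into one non-interactive shell function, as an added example that is not part of the original post. It assumes openssl(1) is on PATH, uses a made-up hostname (www.example.test) and made-up subject fields passed via -subj instead of the interactive prompts, and defaults to a 2048-bit key rather than the 1024 bits the post uses. Because the key is deliberately unencrypted, the function creates it under umask 077, and the helper functions do the two checks worth running afterwards: that the key is not group- or world-readable, and that the key and certificate actually belong together.

```shell
#!/bin/sh
# Added example (not from the original post): key -> CSR -> self-signed cert,
# run without console prompts. Hostname, subject and paths are made up.

# gen_selfsigned DIR HOST [DAYS] [BITS]
# Writes DIR/HOST.key, DIR/HOST.csr and DIR/HOST.crt.
# Returns 0 on success, 2 if openssl is not installed, 1 on any other error.
gen_selfsigned() {
    dir=$1
    host=$2
    days=${3:-730}      # the post uses 2 years
    bits=${4:-2048}     # the post uses 1024; 2048 is the smallest size worth using now
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    mkdir -p "$dir" || return 1
    (
        # A passwordless key is only as safe as its file mode: never world-readable.
        umask 077
        # 1. passwordless RSA key (no -des3, so nothing prompts at boot)
        openssl genrsa -out "$dir/$host.key" "$bits" 2>/dev/null || exit 1
        # 2. certificate signing request; -subj replaces the interactive questions
        openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
            -subj "/C=US/ST=State/O=Example Org/CN=$host" || exit 1
        # 3. self-sign the request, producing the certificate Apache will serve
        openssl req -x509 -days "$days" -key "$dir/$host.key" \
            -in "$dir/$host.csr" -out "$dir/$host.crt" || exit 1
    ) || return 1
    return 0
}

# check_pair KEY CRT: the RSA modulus in the key must equal the one in the cert,
# otherwise Apache will refuse to start (or serve the wrong identity).
# Prints "match" or "mismatch" and returns 0 or 1 accordingly.
check_pair() {
    kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    if [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]; then
        echo match
        return 0
    fi
    echo mismatch
    return 1
}

# cert_cn CRT: print the Common Name the certificate carries (what clients see).
# Handles both "CN = host" (OpenSSL 1.1+) and "/CN=host" (older) subject formats.
cert_cn() {
    openssl x509 -noout -subject -in "$1" 2>/dev/null | sed 's/.*CN *= *//'
}

# key_is_private KEY: true only if group and other have no permission bits at all.
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Usage:
#   gen_selfsigned /etc/apache-ssl-demo www.example.test \
#     && check_pair /etc/apache-ssl-demo/www.example.test.key /etc/apache-ssl-demo/www.example.test.crt \
#     && key_is_private /etc/apache-ssl-demo/www.example.test.key
```

Point SSLCertificateFile at the .crt and SSLCertificateKeyFile at the .key in httpd.conf. If key_is_private ever fails on a production box, fix the mode with chmod 600 before restarting Apache; an unencrypted key that anyone on the host can read is equivalent to handing out the server's identity.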

Point the appropriate parts of your httpd.conf to use the servername.key and servername.crt, and hey presto, you've got a self-signed certificate for SSL operations. Check out one of the many excellent Apache + mod_ssl tutorials that exist for more details on configuration.

Posted by edobbs at July 8, 2003 09:59 PM