Apache SSL: Creating a Certificate

Installing Apache and OpenSSL separately

This page is only for installing Apache and OpenSSL separately. Installing from the package starts on page 2 and completes on page 6.

1. Creating a Certificate Request. You now have to create a certificate to be used when clients connect to your server using HTTPS. The first step in obtaining an SSL certificate is to create a certificate request. Open the command window, navigate to the location of Apache/modssl, and type:

    openssl req -config openssl.cnf -new -out my-server.csr

This will create the certificate request (my-server.csr) and a private key (privkey.pem, used in step 2).

You will be prompted to enter a PEM pass phrase and then to verify it. Enter 12345, or enter your own pass phrase. The pass phrase protects your private key from being read or modified by an unauthorized individual.

Now you must enter the information that will go into your certificate: the geographical, organizational, and contact information. You will also be prompted for extra attributes, namely a challenge password that will be sent with your certificate. Enter test or create your own password. Press Enter to create your certificate request.

When asked for the Common Name or the Domain Name, give the exact domain name of your server. If the name does not match, browsers will show a warning about the name mismatch when clients visit the site.

2. Remove Pass Phrase. Now you need to remove the pass phrase from the private key you just created. Your private key should be readable only by the Apache server and the administrator, which up to this point is done using the pass phrase. Once the pass phrase is removed, the file permissions on my-server.key are the only thing that enforces that limit. To remove the pass phrase from the private key, enter:

    openssl rsa -in privkey.pem -out my-server.key

You will be prompted for the pass phrase you created for your private key to complete the task. Enter 12345 or the pass phrase you created and press Enter to continue. The output is your private key without the pass phrase attached.

You should also delete the .rnd file created in the Apache/modssl bin folder because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key.

3. Creating a Certificate. Now you can create your certificate using the certificate request you generated earlier. This certificate will be self-signed. Enter:

    openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365

4. Importing your Certificate and Key. To import your key and certificate into Apache you must create a folder to hold them, named ssl. Create the ssl folder under Apache/Apache2/conf and copy my-server.key and my-server.cert into it. Your key and certificate were created in Apache/modssl under the bin folder.
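
Steps 1 to 3 above, scripted without prompts and followed by the checks worth running before the files are copied into the ssl folder. This is an added example, not part of the original tutorial: it assumes a POSIX shell with openssl on the PATH, and DEMO_PASS, the inline openssl.cnf and the make_pair and check_pair helpers are constructed for illustration.

```shell
#!/bin/sh
# Added example. DEMO_PASS, the inline openssl.cnf and both helper names are
# constructed for this demo; file names follow the tutorial.
DEMO_PASS='constructed-demo-pass-phrase'

# make_pair DIR CN: steps 1-3 without prompts, run inside DIR.
make_pair() (
    umask 077                      # key files are created owner-only
    cd "$1" || exit 1
    # Minimal stand-in for the openssl.cnf in Apache/modssl; default_keyfile
    # names the key file that req writes (privkey.pem here).
    printf '%s\n' '[req]' 'default_bits = 2048' 'prompt = no' \
        'default_keyfile = privkey.pem' 'distinguished_name = dn' \
        '[dn]' "CN = $2" > openssl.cnf
    openssl req -config openssl.cnf -new -out my-server.csr \
        -passout "pass:$DEMO_PASS" 2>/dev/null &&
    openssl rsa -in privkey.pem -passin "pass:$DEMO_PASS" \
        -out my-server.key 2>/dev/null &&
    openssl x509 -in my-server.csr -out my-server.cert -req \
        -signkey my-server.key -days 365 2>/dev/null &&
    rm -f .rnd                     # entropy file, as the tutorial advises
)

# check_pair DIR HOST: return 0 only if key and certificate pass every check.
check_pair() {
    key=$1/my-server.key; cert=$1/my-server.cert; rc=0
    fail() { echo "FAIL: $1" >&2; rc=1; }
    [ -f "$key" ] && [ -f "$cert" ] || { fail 'key or certificate missing'; return 1; }
    # Step 2 should have stripped the pass phrase ...
    grep -q ENCRYPTED "$key" && fail 'key is still pass-phrase protected'
    # ... so file permissions are now what keeps the key private.
    [ "$(ls -ld "$key" | cut -c5-10)" = '------' ] ||
        fail 'key is accessible to group or others'
    # The certificate must carry the public half of this private key.
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)" ] ||
        fail 'certificate does not match key'
    # The Common Name must equal the name clients will request.
    openssl x509 -in "$cert" -noout -checkhost "$2" | grep -q 'does match' ||
        fail "certificate is not valid for $2"
    [ ! -e "$1/.rnd" ] || fail '.rnd left behind'
    return "$rc"
}

# Stand-alone use: sh this-file DIR HOST
if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; fi
```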