If you want to convert your website from HTTP to HTTPS, you need to get a SSL certificate from a valid organization like Verisign or Thawte. You can also generate self signed SSL certificate for testing purpose.
In this article, let us review how to generate private key file (server.key), certificate signing request file (server.csr) and webserver certificate file (server.crt) that can be used on Apache server with mod_ssl.
Key, CSR and CRT File Naming Convention
I typically like to name the files with the domain name of the HTTPS URL that will be using this certificate. This makes it easier to identify and maintain.
- Instead of server.key, I use www.thegeekstuff.com.key
- Instead of server.csr, I use www.thegeekstuff.com.csr
- Instead of server.crt, I use www.thegeekstuff.com.crt
1. Generate Private Key on the Server Running Apache + mod_ssl
First, generate a private key on the Linux server that runs Apache webserver using openssl command as shown below.
# openssl genrsa -des3 -out www.thegeekstuff.com.key 1024 Generating RSA private key, 1024 bit long modulus .......................................++++++ ...................................................++++++ e is 73547 (0x01001) Enter pass phrase for www.thegeekstuff.com.key: Verifying - Enter pass phrase for www.thegeekstuff.com.key: # ls -ltr www.thegeekstuff.* -rw-r--r-- 1 root root 963 Jun 13 20:26 www.thegeekstuff.com.key
The generated private key looks like the following.
# cat www.thegeekstuff.com.key -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,485B3C6371C9916E ymehJu/RowzrclMcixAyxdbfzQphfUAk9oK9kK2 jadfoiyqthakLKNqw9z1MoaqkPyqeHevUm26no AJKIETHKJADFS2BGb0n61/Ksk8isp7evLM4+QY KAQETKjdiahteksMJOjXLq+vf5Ra299fZPON7yr -----END RSA PRIVATE KEY-----
2. Generate a Certificate Signing Request (CSR)
Using the key generate above, you should generate a certificate request file (csr) using openssl as shown below.
# openssl req -new -key www.thegeekstuff.com.key -out www.thegeekstuff.com.csr Enter pass phrase for www.thegeekstuff.com.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:US State or Province Name (full name) [Berkshire]:California Locality Name (eg, city) [Newbury]:Los Angeles Organization Name (eg, company) [My Company Ltd]:The Geek Stuff Organizational Unit Name (eg, section) []:IT Common Name (eg, your name or your server's hostname) []: thegeekstuff Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: # ls -ltr www.thegeekstuff.* -rw-r--r-- 1 root root 963 Jun 13 20:26 www.thegeekstuff.com.key -rw-r--r-- 1 root root 664 Jun 13 20:35 www.thegeekstuff.com.csr
3. Generate a Self-Signed SSL Certificate
For testing purpose, you can generate a self-signed SSL certificate that is valid for 1 year using openssl command as shown below.
# openssl x509 -req -days 365 -in www.thegeekstuff.com.csr -signkey www.thegeekstuff.com.key -out www.thegeekstuff.com.crt Signature ok subject=/C=US/ST=California/L=Los Angeles/O=thegeekstuff/OU=IT/CN=www.thegeekstuff.com Getting Private key Enter pass phrase for www.thegeekstuff.com.key: # ls -l www.thegeekstuff* -rw-r--r-- 1 root root 963 Jun 13 20:26 www.thegeekstuff.com.key -rw-r--r-- 1 root root 664 Jun 13 20:35 www.thegeekstuff.com.csr -rw-r--r-- 1 root root 879 Jun 13 20:43 www.thegeekstuff.com.crt # cat www.thegeekstuff.com.crt -----BEGIN CERTIFICATE----- haidfshoaihsdfAKDJFAISHTEIHkjasdjadf9w0BAQUFADCB kjadfijadfhWQIOUQERUNcMNasdkjfakljasdBgEFBQcDAQ kjdghkjhfortoieriqqeurNZXCVMNCMN.MCNaGF3dGUuY29 -----END CERTIFICATE-----
You can use this method to generate Apache SSL Key, CSR and CRT file in most of the Linux, Unix systems including Ubuntu, Debian, CentOS, Fedora and Red Hat.
4. Get a Valid Trial SSL Certificate (Optional)
Instead of signing it youself, you can also generate a valid trial SSL certificate from thawte. i.e Before spending the money on purchasing a certificate, you can also get a valid fully functional 21 day trial SSL certificates from Thawte. Once this valid certificate works, you can either decide to purchase it from Thawte or any other SSL signing organization.
This step is optional and not really required. For testing purpose, you can always use the self-signed certificate that was generated from the above step.
Go to Thwate trial certificate request page and do the following:
- Select “SSL Web Server Certificate (All servers)” under the “select your trial certificate”.
- Do not check the PKCS #7 check-box under the “configure certificate”
- Copy/Paste the *.csr file that you generate above in the textbox under “certificate signing request (CSR)”
- Click on next at the bottom, which will give you a 21-day free trial certificate.
Copy/Paste the trial certificate to the www.thegeekstuff.com.crt file as shown below.
# cat www.thegeekstuff.com.crt -----BEGIN CERTIFICATE----- haidfshoaihsdfAKDJFAISHTEIHkjasdjadf9w0BAQUFADCB kjadfijadfhWQIOUQERUNcMNasdkjfakljasdBgEFBQcDAQ kjdghkjhfortoieriqqeurNZXCVMNCMN.MCNaGF3dGUuY29 -----END CERTIFICATE-----
My name is Ramesh Natarajan. I will be posting instruction guides, how-to, troubleshooting tips and tricks on Linux, database, hardware, security and web. My focus is to write articles that will either teach you or help you resolve a problem. Read more about
Comments on this entry are closed.
Get a Valid free SSL Certificate with CAcert
Great post, Just a litte comment: I think we should enable mod_ssl for apache using “a2enmod ssl” and if you have time, please show us how to apply the cert to a website. Thanxxxxxx
Well written and easy to understand. I had been though this before and always found it confusing at some point or other.
Thanks for the SSL tips…however, in this article you emailed to subscribers, is also included a Google advertisement at the end, called “Do Not Buy SSL”. So I went to the linked page and sho nuff: I can get top notch SSL service absolutely free, from Comodo. If it weren’t for that little ad (and if it weren’t for my subscription to your list) I would have assumed by your article, that you must always pay for SSL.
@Aldo, Thanks for bringing CACert.org to our attention.
@thanhdat, Thanks for the mention of the a2enmod ssl. I believe all the a2* commands (a2ensite, a2dissite, a2enmod, a2dismod) are for distros based on Debian? Is that correct?
@Vimal, Thanks for your feedback. I appreciate it.
@Zeke, I’m glad it worked out for you. Like Aldo mentioned you can get free certificate from CACert.org also.
Hi good one,
any info how I can make Self Signed certificate for multi domain.
Because I have couple of web sites hosted on my server and I want to use this certificate for all of them I have found some how-toes but all of the are not working or incomplete or theya re talking about totaly different aproaches like to add in /etc/ssl/openssl.cfg:
0.commonName ….
and then
1.commonName…
2.commonName…
or the other thing is to add alter names
any ideas?
Thank
@Orlin, Regarding your question: How to create a self-signed SSL certificates for multiple domains?
When you say multi-domain, are you talking about a wildcard certificates for subdomains? i.e Same SSL certificate for dev.mydomain.com, test.mydomain.com, prod.mydomain.com? If yes, while creating the certificate using openssl, use *.mydomain.com for the common name to create a certificate for multiple sub-domains.
“use *.mydomain.com for the common name to create a certificate for multiple sub-domains”
Does this then also applies for https://mydomain.xyz – without any subdomain?
Thank you loads for the great post. Can you please advice me as to how I should use go about using the same certificate on 2 apache servers(fail over) For an instance say my primary httpd server is box1.mynet.jazz and the second one is box2.mynet.jazz. I want to use the same certificate on the box2. Am I suppose to copy the .key and the .crt files from primary(box1) on to the same location or should I generate the certificate with a different approach. I look forward to bring this concept on to my production environment so please try to advice. Much appreciated if the steps are mentioned clearly.
Im still counting on your reply Mr Ramesh! Thanks
any site that can generate CSR Certificate online?
sorry for bad eng..
Is it possible to create a single CSR for multiple domains i.e., mydomain.com, mydomain.net, mydomain.org, etc… ??
@Aldo,
CACert is great. The only “problem” is the oligarchy of commercial CAs, and the lack of inclusion of CACert’s root certificate in commercial OSes and most/all web browsers. This means I have no problem using CACert for internal services, but, it is easier to use self-signed certificate from my organizations internal CA. I would still use CACert for other purposes.
It is too much of a hassle to have non-technical users outside of my organization (i.e., anonymous site visitors) install a root certificate on their Windows and Mac desktops.
We should push for greater traction for services like CACert and get their root certificate bundled in with at least one major browser. Wikipedia states they were working on an inclusion in Mozilla-based browsers, but that the request was withdrawn.
CACert is not a trusted CA for most web-browsers. However, StartSSL provides free certificates and is a trusted CA for most browsers.
after get crt file what next step should we do? how to import it?
thanks for the great instructions… I tweaked them for 2048 and it worked like a charm 😉
Hey
Is there any difference between these two modules?
#
Do I need mod_ssl, as I can generates certificates using OpenSSL tool, I hope OpenSSL also does encryptions
PLEASE do NOT follow the steps on this page blindly. The key size specified might have been ok in 2009, but are no longer valid after October 2013 and will result in a keyexchange that will be easily broken by determined hackers.
Hi Ashok,
Is there any method to edit the existing self signed certificate in the subject field.
Can I create Static (Private IP) based certificate in Linux.?