Re: [cinjug-users] Apache/Tomcat web server certificates

To: users@xxxxxxxxxx
Subject: Re: [cinjug-users] Apache/Tomcat web server certificates
From: Chuck Lima <cl@xxxxxxxxxxxxx>
Date: Wed, 17 Nov 2004 12:07:06 -0500
Delivered-to: mailing list users@cinjug.org
In-reply-to: <20041117165904.25769.qmail@web50104.mail.yahoo.com>
Mailing-list: contact users-help@cinjug.org; run by ezmlm
Organization: Scriptall
References: <20041117165904.25769.qmail@web50104.mail.yahoo.com>
Jason,

Here is something I pulled off of devshed a while back.  The tarball
contains the images referenced on the page.

-Chuck




On Wed, 2004-11-17 at 11:59, Jason Kretzer wrote:
> Hello all,
> 
> I am setting up an Apache/Tomcat web server running on
> Mandrake.  I have a standard web site set up.  I would
> like to add a password protected portion to the
> website for family use.  As this portion would have
> personal pictures and information, I would like to use
> SSL to encrypt the username/password transaction. 
> Would it be possible to set this up without having to
> pay for a certificate from verisign or something
> similar?
> 
> I think I read somewhere that you can create your own
> certificate and that the only drawback is that a
> dialog will pop up asking the user if the certificate
> is trusted or not.
> 
> How does one go about this?  links and answers very
> much appreciated.
> 
> Thanks,
> 
> -Jason
> 

Developer Shed
Friday, 05.09.2003  

The Soothingly Seamless Setup of Virtual Hosts and Certificates

Creating Certificates
Here is a step-by-step description on how to create certificates.
Create an RSA private key for your Apache server (it will be Triple-DES encrypted and PEM formatted):

# openssl genrsa -des3 -out server.key 1024
Please back up the new server.key file to a secure location. Remember the pass-phrase you entered! You can see the details of this RSA private key via the command:

# openssl rsa -noout -text -in server.key
And you could create a decrypted PEM version (not recommended) of this RSA private key via:

# openssl rsa -in server.key -out server.key.unsecure
Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):

# openssl req -new -key server.key -out server.csr
Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", i.e. when you generate a CSR for a web site which will be later accessed via https://www.foo.dom/, enter "www.foo.dom" here. You can see the details of this CSR via the command:

# openssl req -noout -text -in server.csr
Here you have 2 options:
  1. Send it off to a CA. You can have the CSR signed by a commercial CA like Verisign or Thawte. You then usually have to post the CSR into a web form, pay for the signing, and wait for the signed Certificate, which you can then store in a server.crt file. For more information about commercial CAs have a look at the following sites:
  2. Be your own CA. You can also create your own Certificate Authority and sign the CSR yourself with it. The short answer is to use the CA.sh or CA.pl script provided by OpenSSL. The long and manual answer is this:

    Create an RSA private key for your CA (it will be Triple-DES encrypted and PEM formatted):

    # openssl genrsa -des3 -out ca.key 1024
    Please back up this ca.key file to a secure location. Remember the pass-phrase you entered. You can see the details of this RSA private key via the command:

    # openssl rsa -noout -text -in ca.key
    And you can create a decrypted PEM version (not recommended) of this private key via:

    # openssl rsa -in ca.key -out ca.key.unsecure
    Create a self-signed CA Certificate (X509 structure) with the RSA key of the CA (output will be PEM formatted):

    # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
    You can see the details of this Certificate via the command:

    # openssl x509 -noout -text -in ca.crt
    Prepare a script for signing. This is needed because the ``openssl ca'' command has some strange requirements and the default OpenSSL config doesn't easily allow one to use ``openssl ca'' directly. So a script named sign.sh is distributed with the mod_ssl distribution (subdir pkg.contrib/). Use this script for signing.

    Now you can use this CA to sign server CSRs in order to create real SSL Certificates for use inside an Apache web server (assuming you already have a server.csr at hand):

    # ./sign.sh server.csr
    This signs the server CSR and results in a server.crt file.

    Now you have two files: server.key and server.crt. Use them as follows inside your Apache httpd.conf file:
    • SSLCertificateFile /path/to/this/server.crt
    • SSLCertificateKeyFile /path/to/this/server.key
    The server.csr file is no longer needed. See the instructions above to see a better example.
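
The same procedure as one non-interactive script, added here as an example (it is not from the DevShed article or from mod_ssl): it signs the CSR with `openssl x509 -req` in place of sign.sh, then checks that server.crt chains to ca.crt and that server.key belongs to it. The unencrypted 2048-bit keys, the -subj names, the temp directory and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article. Assumptions: unencrypted 2048-bit keys,
# constructed -subj names, a throwaway temp dir, hypothetical function names.
set -eu
umask 077                      # keep private keys unreadable by other users

make_ca_and_server() {         # $1 = work dir, $2 = server FQDN (CommonName)
    # CA key and self-signed CA certificate
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$1/ca.key" \
        -subj "/CN=Example Family CA" -out "$1/ca.crt"
    # Server key and CSR; the CommonName is the FQDN users will browse to
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -key "$1/server.key" -subj "/CN=$2" -out "$1/server.csr"
    # Sign the CSR with the CA (stands in for ./sign.sh server.csr)
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -sha256 -out "$1/server.crt" 2>/dev/null
}

chains_to_ca() {               # $1 = CA certificate, $2 = server certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

key_matches_cert() {           # $1 = RSA private key, $2 = certificate
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

cert_cn() {                    # $1 = certificate; prints the subject CommonName
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/^subject= *CN=//p'
}

work=$(mktemp -d)
make_ca_and_server "$work" www.foo.dom
chains_to_ca "$work/ca.crt" "$work/server.crt" && echo "chain to ca.crt: OK"
key_matches_cert "$work/server.key" "$work/server.crt" && echo "key matches cert"
echo "CommonName: $(cert_cn "$work/server.crt")"
```

Run both checks before pointing SSLCertificateFile and SSLCertificateKeyFile at the files; a key that does not match the certificate keeps Apache from starting its SSL host.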





Copyright © 1997-2003 Developer Shed, Inc. All rights reserved. Privacy Policy.

Attachment: images.tar.gz
Description: application/compressed-tar