Home | Fedora Core 4 Tutorial | Linux Tutorials | Linux Games | Linux Java | Linux Kernal | Linux Firewall | Linux Database | Linux Distributions | Linux Firewall GUI | Linux Distributions | Linux Firewall

 

 

Search Host

Monthly Fee($)
Disk Space (MB)
Register With us for Newsletter!
Visit Forum! Post Questions!
Jobs At RoseIndia.net!

Have tutorials?
Add your tutorial to our Java Resource and get tons of hits.

We offer free hosting for your tutorials. and exposure for thousands of readers. drop a mail
roseindia_net@yahoo.com 
   

Tutorials

Java Server Pages

JAXB

Java Beans

JDBC

MySQL

Java Servlets

Struts

Bioinformatics

Java Code Examples

Interview Questions
 
Join For Newsletter

Powered by groups.yahoo.com
Visit Group! Post Questions!

Web Promotion

Web Submission

Submit Sites

Manual Submission?

Web Promotion Guide

Hosting Companies

Web Hosting Guide

Web Hosting

Linux

Beginner Guide to Linux Server

Linux Distribution

Major Linux Distribution

Linux FTP Software

Frameworks

Persistence Framework

Web Frameworks

Free EAI Tools

Web Servers

Aspect Oriented Programming

Free Proxy Servers

Softwares

Adware & Spyware Remover

Open Source Softwares
Next Previous Contents

3. Working with Certificates

The following section covers the steps involved in creating the private key file, certificate signing request, and a self-signed certificate. If you plan to obtain a certificate signed by a certificate authority, you will need to create a certificate signing request (CSR). Otherwise, you can create a self-signed certificate.

3.1 Create a Private Key

To create a private key, you must have the OpenSSL toolkit installed and configured with Apache. The following examples use the OpenSSL command line tool which is located in the /usr/local/ssl/bin directory by default. The examples assume that the directory containing the OpenSSL command line tool has been added to the $PATH.

To create a private key using the triple des encryption standard (recommended), use the following command: 

openssl genrsa -des3 -out filename.key 1024

You will be prompted to enter and re-enter a pass phrase. If you choose to use triple des encryption, you will be prompted for the password each time you start the SSL server from a cold start. (When using the restart command, you will not be prompted for the password). Some of you may find this password prompt to be a nuisance, especially if you need to boot the system during off-hours. Or, you may believe that your system is already sufficiently secure. So, if you choose not to have a password prompt (hence no triple des encryption), use the command below. If you would rather create just a 512-bit key, then omit the 1024 at the end of the command and OpenSSL will default to 512 bits. Using the smaller key is slightly faster, but it is also less secure.

To create a private key without triple des encryption, use the following command: 

openssl genrsa -out filename.key 1024

To add a password to an existing private key, use the following command: 

openssl -in filename.key -des3 -out newfilename.key

To remove a password from an existing private key, use the following command: 

openssl -in filename.key -out newfilename.key

Note: Your private key will be created in the current directory unless otherwise specified. There are 3 easy ways to deal with this. If OpenSSL is in your path, you can run it from the directory that you have designated to store your key files in (default is /etc/httpd/conf/ssl.key if you installed Apache using the RPM or /usr/local/apache/conf/ssl.key if you installed Apache using the source files). Another solution is to copy the files from the directory where they were created to the correct directory. And, last but not least, you can specify the path when running the command (eg. openssl genrsa -out /etc/httpd/conf/ssl.key/filename.key 1024). Doesn't matter how you do it as long as it gets done before you proceed.

For more information on the OpenSSL toolkit check out: OpenSSL Website.

3.2 Create a Certificate Signing Request

To obtain a certificate signed by a certificate authority, you will need to create a Certificate Signing Request (CSR). The purpose is to send the certificate authority enough information to create the certificate without sending the entire private key or compromising any sensitive information. The CSR also contains the information that will be included in the certificate, such as, domain name, locality information, etc.

  • Locate the private key that you would like to creat a CSR from. Enter the following command: 
    openssl req -new -key filename.key -out filename.csr
  • You will be prompted for Locality information, common name (domain name), organizational information, etc. Check with the CA that you are applying to for information on required fields and invalid entries.
  • Send the CSR to the CA per their instructions.
  • Wait for your new certificate and/or create a self-signed certificate. A self-signed certificate can be used until you receive your certificate from the certificate authority.

Note: Use the following command to create a private key and request at the same time. 

openssl genrsa -des3 -out filename.key 1024

3.3 Creating a Self-Signed Certificate

It is not necessary to create a self-signed certificate if you are obtaining a CA-signed certificate. However, creating a self-signed certificate is very simple. All you need is a private key and the name of the server (fully qualified domain name) that you want to secure. You will be prompted for information such as locality information, common name (domain name), organizational information, etc. OpenSSL gives you a great deal of freedom here. The only required field for the certificate to function correctly is the common name (domain name) field. If this is not present or incorrect, you will receive a Certificate Name Check warning from your browser.

To create a self-signed certificate: 

openssl req -new -key filename.key -x509 -out filename.crt

3.4 Installing your Web Server Certificate

If you followed these instructions so far you shouldn't have any problems at this point. If you sent your CSR to a certificate authority and you have not gotten your certificate back yet, you can take a break now! If you are using a self-signed certificate, or you have received your certificate, you may continue.

  • Ensure that the private key file is in the directory that you have chosen to use. The following examples will be based on the RedHat RPM installation default of /etc/httpd/conf/ssl.key.
  • Ensure that the CA-signed or self-signed certificate is in its designated location. Again, I will be using the RPM default of /etc/httpd/conf/ssl.crt. If it is not there already, put it there.
  • If there is an intermediate (root) certificate to be installed, copy it to the /etc/httpd/conf/ssl.crt directory, also.
  • Now, you will be required to edit the httpd.conf file. Make a back-up of this file before you proceed to the next step, Configuring your Apache Server.

Next Previous Contents
Search Tutorials

Linux Distributions

Fedora
Slackware
SuSe
Mandrake
Knoppix
Mepis
Debian
All Distors....
 

 

 

Send your comments, Suggestions or Queries regarding this site at roseindia_net@yahoo.com.

Copyright © 2004. All rights reserved.