How to generate your own self-signed certificate, and How to install a certificate to use with your secure server.
The mod_ssl configuration file is located at /etc/httpd/conf.d/ssl.conf. For this file to be loaded, and hence for mod_ssl to work, /etc/httpd/conf/httpd.conf must contain the statement Include conf.d/*.conf. This statement is present in the default Apache HTTP Server configuration file.
Creating a Self-Signed Certificate
You can create your own self-signed certificate. Note that a self-signed certificate does not provide the security guarantees of a CA-signed certificate. To make your own self-signed certificate, first create a random key using the instructions provided in Section 27.6 Generating a Key. Once you have a key, make sure you are in the /usr/share/ssl/certs directory, and type the following command:
Step1 :- make testcert
The following output is shown, and you are prompted for your passphrase (unless you generated a key without a passphrase):
umask 77 ; \
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key \
-x509 -days 365 -out /etc/httpd/conf/ssl.crt/server.crt
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase:
After you enter your passphrase (or without a prompt if you created a key without a passphrase), you are asked for more information. The computer's output and a set of inputs look like the following (provide the correct information for your organization and host):
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:India
State or Province Name (full name) [Berkshire]:Hyd
Locality Name (eg, city) [Newbury]:Cloud Network
Organization Name (eg, company) [My Company Ltd]:My Company, Inc.
Organizational Unit Name (eg, section) []:IT Networking
Common Name (your name or server's hostname) []:myhost.example.com
Email Address []:myemail@example.com
After you provide the correct information, a self-signed certificate is created in /etc/httpd/conf/ssl.crt/server.crt. Restart the secure server after generating the certificate with the following command:
Step2 :- /sbin/service httpd restart
Generating a Certificate Request to Send to a CA
Once you have created a key, the next step is to generate a certificate request which you need to send to the CA of your choice. Make sure you are in the /usr/share/ssl/certs directory, and type in the following command:
Step3 :- make certreq
Your system displays the following output and asks you for your passphrase (unless you disabled the passphrase option):
umask 77 ; \
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key \
-out /etc/httpd/conf/ssl.csr/server.csr
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase:
Type in the passphrase that you chose when you were generating your key. Your system displays some instructions and then asks for a series of responses from you. Your inputs are incorporated into the certificate request. The display, with example responses, looks similar to the following:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:India
State or Province Name (full name) [Berkshire]:Hyd
Locality Name (eg, city) [Newbury]:Cloud Network
Organization Name (eg, company) [My Company Ltd]:Test Company
Organizational Unit Name (eg, section) []:Testing
Common Name (your name or server's hostname) []:test.example.com
Email Address []:admin@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Generating a Key
You must be root to generate a key.
First, cd to the /etc/httpd/conf/ directory. Remove the fake key and certificate that were generated during the installation with the following commands:
Step4 :- rm ssl.key/server.key
Step5 :- rm ssl.crt/server.crt
Next, you need to create your own random key. Change to the /usr/share/ssl/certs/ directory, and type in the following command:
Step6 :- make genkey
Your system displays a message similar to the following:
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > /etc/httpd/conf/ssl.key/server.key
Generating RSA private key, 1024 bit long modulus
.......++++++
................................................................++++++
e is 65537 (0x10001)
Enter pass phrase:
Note :- You need to remember and enter this passphrase every time you start your secure server, so do not forget it.
Re-type the passphrase to verify that it is correct
If you do not want to type in a passphrase every time you start your secure server, use the following command instead of make genkey to create a key without a passphrase (note the missing -des3 option):
Step7 :- /usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key
Then use the following command to make sure the permissions are set correctly for the file:
Step8 :- chmod go-rwx /etc/httpd/conf/ssl.key/server.key
Caution :- Disabling the passphrase feature for your secure server is a security risk. It is NOT recommended that you disable the passphrase feature for your secure server.
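The page's make genkey (Steps 4 to 8), make testcert (Step1) and make certreq (Step3) targets written out as plain openssl commands, followed by the checks worth running before restarting httpd. This is an added example, not code from the page or from Red Hat; it assumes openssl is on PATH, writes to a scratch directory instead of /etc/httpd/conf, uses a constructed DN, generates a 2048-bit key (the page's 1024-bit keys are no longer accepted by browsers or CAs), and deliberately creates an unencrypted key so it runs unattended, which is the trade-off the Caution above describes.

```shell
#!/bin/sh
# Added example (not the page's or Red Hat's code). Assumes openssl on PATH.
# Set SSLDIR to /etc/httpd/conf/ssl.key-style paths to mirror the page exactly.
set -eu

SSLDIR="${SSLDIR:-$(mktemp -d)}"
KEY="$SSLDIR/server.key"; CRT="$SSLDIR/server.crt"; CSR="$SSLDIR/server.csr"
# Constructed DN: the same fields the interactive prompts on the page ask for.
SUBJ='/C=IN/ST=Hyd/L=Cloud Network/O=My Company, Inc./OU=IT Networking/CN=myhost.example.com/emailAddress=myemail@example.com'

# "make genkey" without -des3 (Step7): umask 77 so the key is created 0600,
# then the explicit chmod from Step8. 2048 bits instead of the page's 1024.
genkey() {
  (umask 77 && openssl genrsa -out "$KEY" 2048 2>/dev/null)
  chmod go-rwx "$KEY"
}

# "make testcert" (Step1): self-signed, valid 365 days, DN passed with -subj
# so there are no prompts.
testcert() { openssl req -new -key "$KEY" -x509 -days 365 -subj "$SUBJ" -out "$CRT"; }

# "make certreq" (Step3): the CSR you send to the CA of your choice.
certreq() { openssl req -new -key "$KEY" -subj "$SUBJ" -out "$CSR"; }

# Checks: key mode is 600, cert carries the expected CN, cert and key share a
# modulus (they belong together), and the CSR's self-signature verifies.
key_mode() { stat -c '%a' "$KEY" 2>/dev/null || stat -f '%Lp' "$KEY"; }
cert_has_cn() {
  openssl x509 -in "$CRT" -noout -subject -nameopt RFC2253 | grep -q "CN=$1"
}
key_matches_cert() {
  [ "$(openssl rsa -in "$KEY" -noout -modulus | openssl sha256)" = \
    "$(openssl x509 -in "$CRT" -noout -modulus | openssl sha256)" ]
}
csr_ok() { openssl req -in "$CSR" -noout -verify >/dev/null 2>&1; }

if command -v openssl >/dev/null 2>&1; then
  genkey; testcert; certreq
  echo "key (mode $(key_mode)), certificate and CSR written under $SSLDIR"
else
  echo "openssl not on PATH; nothing generated" >&2
fi
```

Run it as an unprivileged user; only when you point SSLDIR at the paths under /etc/httpd/conf does it need root, and then restart httpd as in Step2.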
Testing The Certificate
To test the test certificate installed by default, a CA-signed certificate, or a self-signed certificate, point your Web browser to the following home page (replacing server.example.com with your domain name):
https://server.example.com
Note :- Mind the s after http. The https: prefix is used for secure HTTP transactions.
Using Pre-Existing Keys and Certificates
If you already have an existing key and certificate (for example, if you are installing the secure server to replace another company's secure server product), you can probably use your existing key and certificate with the secure server. In the following two situations, you are not able to use your existing key and certificate:
If you are changing your IP address or domain name — Certificates are issued for a particular IP address and domain name pair. You must get a new certificate if you are changing your IP address or domain name.
If you have a certificate from VeriSign and you are changing your server software — VeriSign is a widely used CA. If you already have a VeriSign certificate for another purpose, you may have been considering using your existing VeriSign certificate with your new secure server. However, you are not allowed to, because VeriSign issues certificates for one specific server software and IP address/domain name combination.
If you change either of those parameters (for example, if you previously used a different secure server product), the VeriSign certificate you obtained to use with the previous configuration will not work with the new configuration. You must obtain a new certificate.
If you have an existing key and certificate that you can use, you do not have to generate a new key and obtain a new certificate. However, you may need to move and rename the files which contain your key and certificate.
Move your existing key file to:
Step9 :- /etc/httpd/conf/ssl.key/server.key
Move your existing certificate file to:
Step10 :- /etc/httpd/conf/ssl.crt/server.crt
After you have moved your key and certificate, skip to Section 27.9 Testing The Certificate.
If you are upgrading from the Red Hat Secure Web Server, your old key (httpsd.key) and certificate (httpsd.crt) are located in /etc/httpd/conf/. Move and rename your key and certificate so that the secure server can use them. Use the following two commands to move and rename your key and certificate files:
Step11 :- mv /etc/httpd/conf/httpsd.key /etc/httpd/conf/ssl.key/server.key
Step12 :- mv /etc/httpd/conf/httpsd.crt /etc/httpd/conf/ssl.crt/server.crt
Then start your secure server with the command:
Step13 :- /sbin/service httpd start
For a secure server, you are prompted to enter your passphrase. After you type it in and press [Enter], the server starts.