toucheatout 2006-03-26 01:58 Linux
Generate a self-signed x509 certificate
It is good enough if you can't or don't want to pay for a "really" signed certificate (for instance from thawte; some formulas let you obtain one within hours). Yet a self-signed certificate usually saves you one warning from the browsing clients (and it gets your name on it).
When answering the questions, you have to enter the same hostname that the SSL web server uses.
- Generate the private key, for instance a 1024-bit RSA key:
openssl genrsa 1024 > host.key;chmod 600 host.key
- Generate the self-signed certificate with that key (here you need to enter exactly the right hostname when prompted for the "common name"):
openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.crt
In case you want to send it to a CA for official signing, omit the -x509 flag (keep -key host.key) so that openssl produces a certificate request instead of a self-signed certificate.
- Optionally, a single PEM file (just concatenate the certificate and the matching private key):
cat host.crt host.key > host.pem;chmod 400 host.pem
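The three steps above, as an added example that is not part of the original post: a non-interactive script that generates the key, the self-signed certificate and the PEM bundle, then checks that the certificate's common name really is the hostname the SSL virtual host will answer to (the mismatch the post warns about). It assumes the openssl command-line tool is installed; the hostname www.example.test and the output directory are constructed here. It goes beyond the 2006 values of the post by defaulting to a 2048-bit key and SHA-256, since current OpenSSL builds reject 1024-bit/SHA-1 certificates at their default security level; the bit size stays a parameter.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl CLI.
set -e

# Generate a private key, a self-signed certificate (365 days) and a PEM
# bundle in DIR for HOST. BITS defaults to 2048 (the post used 1024).
# The key is created with a restrictive umask so it is never world-readable.
make_selfsigned() {
    dir="$1"; host="$2"; bits="${3:-2048}"
    mkdir -p "$dir"
    umask 077
    openssl genrsa -out "$dir/host.key" "$bits" 2>/dev/null
    chmod 600 "$dir/host.key"
    # -subj replaces the interactive questions; CN must be the server hostname.
    openssl req -new -x509 -nodes -sha256 -days 365 \
        -key "$dir/host.key" -subj "/CN=$host" -out "$dir/host.crt"
    cat "$dir/host.crt" "$dir/host.key" > "$dir/host.pem"
    chmod 400 "$dir/host.pem"
}

# Print the CN of the certificate's subject (works for old and new subject formats).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN *= *\([^,\/]*\).*/\1/p'
}

# Succeed only when the certificate's CN equals the expected hostname;
# a mismatch is exactly what makes browsers complain.
check_cn() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# Succeed when the certificate is well-formed and self-signed: it must
# verify against itself as the only trust anchor.
check_selfsigned() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage: sh selfsigned.sh DIR HOSTNAME
if [ $# -eq 2 ]; then
    make_selfsigned "$1" "$2"
    check_cn "$1/host.crt" "$2" && echo "certificate CN matches $2"
    check_selfsigned "$1/host.crt" && echo "certificate verifies against itself"
fi
```

Run it as `sh selfsigned.sh /tmp/ssl www.example.test`; to get a certificate request for a real CA instead, the same `openssl req` line without `-x509` (and with `-out host.csr`) is all that changes.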
Configure apache to use the certificate
Note: apache reads the certificates as root, so ownership root:root and permissions 0400 are fine.
- Copy the certificate and the key where the virtualhost configuration expects them:
cp host.crt /usr/local/apache/conf/ssl.crt/host.crt
cp host.key /usr/local/apache/conf/ssl.key/host.key
- Configure the appropriate virtualhost:
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/host.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/host.key
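The three directives above in the context of a complete virtualhost, as an added example that is not part of the original post. The ServerName is the point to watch: it must be the same hostname that went into the certificate's common name, otherwise clients get the mismatch warning even with a correct certificate. The hostname www.example.test and the DocumentRoot are constructed; the certificate paths are the ones used in the post.

```apache
# Added example, not from the original post. Listen 443 is normally already
# present in the main configuration; it is repeated here so the block is complete.
Listen 443
<VirtualHost *:443>
    # Must match the "common name" entered when the certificate was generated.
    ServerName www.example.test
    DocumentRoot /usr/local/apache/htdocs

    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/host.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/host.key
</VirtualHost>
```

Before restarting, `apachectl configtest` reports a syntax error or a certificate/key pair that does not match, which is cheaper to find than a web server that refuses to start.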
- Then restart apache (a reload is not enough because of the certificates):
service httpd restart or /etc/init.d/{apache|httpd} restart
That should be it :) (provided the SSL/Virtualhost configuration of apache is fine and nothing else unexpected gets in the way ;))