If you want to run your website over HTTPS instead of HTTP, you need to get an SSL certificate from a recognized certificate authority such as VeriSign or Thawte. You can also generate a self-signed SSL certificate for testing purposes.

In this article we will learn how to generate a private key file (server.key), a certificate signing request file (server.csr) and a web server certificate file (server.crt) that can be used on an Apache server with mod_ssl.

Key, CSR and CRT File Naming Convention

I will use the following naming convention in this article.

  • Instead of server.key, I use www.alexsite.com.key
  • Instead of server.csr,  I use www.alexsite.com.csr
  • Instead of server.crt,  I use www.alexsite.com.crt

1. Generate Private Key on the Server Running Apache + mod_ssl

First, generate a private key on the Linux server that runs the Apache web server, using the openssl command as shown below.

# openssl genrsa -des3 -out www.alexsite.com.key 1024
Generating RSA private key, 1024 bit long modulus
.......................++++++
.......................++++++
e is 65537 (0x10001)
Enter pass phrase for www.alexsite.com.key:
Verifying - Enter pass phrase for www.alexsite.com.key:

# ls -ltr www.alexsite.*
-rw-r--r-- 1 root root   963 Jun 13 20:26 www.alexsite.com.key

The generated private key looks like the following.

# cat www.alexsite.com.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,485B3C6371C9916E

ymehJu/RowzrclMcixAyxdbfzQphfUAk9oK9kK2
jadfoiyqthakLKNqw9z1MoaqkPyqeHevUm26no
AJKIETHKJADFS2BGb0n61/Ksk8isp7evLM4+QY
KAQETKjdiahteksMJOjXLq+vf5Ra299fZPON7yr
-----END RSA PRIVATE KEY-----

2. Generate a Certificate Signing Request (CSR)

Using the key generated above, create a certificate signing request (CSR) file with openssl as shown below.

# openssl req -new -key www.alexsite.com.key -out www.alexsite.com.csr
Enter pass phrase for www.alexsite.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:UP
Locality Name (eg, city) [Newbury]:Noida
Organization Name (eg, company) [My Company Ltd]:Alex Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []: alexsite
Email Address []:alexhunt86@live.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# ls -ltr www.alexsite.*
-rw-r--r-- 1 root root   963 Jun 13 20:26 www.alexsite.com.key
-rw-r--r-- 1 root root   664 Jun 13 20:35 www.alexsite.com.csr

3. Generate a Self-Signed SSL Certificate

For testing purposes, you can generate a self-signed SSL certificate that is valid for 1 year using the openssl command as shown below.

# openssl x509 -req -days 365 -in www.alexsite.com.csr -signkey www.alexsite.com.key -out www.alexsite.com.crt
Signature ok
subject=/C=IN/ST=UP/L=Noida/O=alexsite/OU=IT/CN=www.alexsite.com
Getting Private key
Enter pass phrase for www.alexsite.com.key:

# ls -l www.alexsite*
-rw-r--r-- 1 root root   963 Jun 13 20:26 www.alexsite.com.key
-rw-r--r-- 1 root root   664 Jun 13 20:35 www.alexsite.com.csr
-rw-r--r-- 1 root root   879 Jun 13 20:43 www.alexsite.com.crt

# cat www.alexsite.com.crt
-----BEGIN CERTIFICATE-----
haidfshoaihsdfAKDJFAISHTEIHkjasdjadf9w0BAQUFADCB
kjadfijadfhWQIOUQERUNcMNasdkjfakljasdBgEFBQcDAQ
kjdghkjhfortoieriqqeurNZXCVMNCMN.MCNaGF3dGUuY29
-----END CERTIFICATE-----
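
Before pointing Apache at these files, it is worth confirming that the key, CSR and certificate really belong together. The script below is an added example, not part of the original article: it compares the RSA modulus of all three files and reports the key length. It builds its own throwaway set with a 2048-bit key (the minimum that publicly trusted CAs accept today), no pass phrase and -subj in place of the interactive prompts; those choices and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: confirm that a key, CSR and certificate belong together.
# Assumptions (not from the article): 2048-bit key, no pass phrase, -subj
# instead of the interactive prompts, throwaway files in a temp directory.

# Print the SHA-256 digest of the RSA modulus in a key, CSR or certificate.
# $1 = openssl subcommand (rsa | req | x509), $2 = file
modulus_digest() {
    m=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || return 1
    case $m in Modulus=?*) ;; *) return 1 ;; esac   # unreadable or wrong type
    printf '%s' "$m" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if key ($1), CSR ($2) and certificate ($3) share one modulus.
check_triplet() {
    key=$(modulus_digest rsa "$1") || return 2
    csr=$(modulus_digest req "$2") || return 2
    crt=$(modulus_digest x509 "$3") || return 2
    [ "$key" = "$csr" ] && [ "$key" = "$crt" ]
}

# Print the RSA key length in bits.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Create key, CSR and self-signed certificate: $1 = dir, $2 = host, $3 = bits
make_test_set() {
    openssl genrsa -out "$1/$2.key" "$3" 2>/dev/null &&
    openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr" &&
    openssl x509 -req -days 365 -in "$1/$2.csr" -signkey "$1/$2.key" \
        -out "$1/$2.crt" 2>/dev/null
}

# Demo on constructed files named after the article's convention.
dir=$(mktemp -d) && host=www.alexsite.com
if make_test_set "$dir" "$host" 2048 &&
   check_triplet "$dir/$host.key" "$dir/$host.csr" "$dir/$host.crt"; then
    echo "match: $(key_bits "$dir/$host.key")-bit key, CSR and certificate agree"
else
    echo "mismatch or unreadable file" >&2
fi
rm -rf "$dir"
```

Run against the article's own files, the rsa calls will prompt for the key's pass phrase, because that key was created with -des3.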

4. Get a Valid Trial SSL Certificate (Optional)

Instead of signing it yourself, you can get a valid trial SSL certificate from Thawte. That is, before spending money on purchasing a certificate, you can get a valid, fully functional 21-day trial SSL certificate from Thawte.

This step is optional. For testing purposes, you can always use the self-signed certificate that was generated in the previous step.

Go to the Thawte trial certificate request page and do the following:

  • Select “SSL Web Server Certificate (All servers)” under “select your trial certificate”.
  • Do not check the PKCS #7 check-box under “configure certificate”.
  • Copy and paste the contents of the *.csr file that you generated above into the textbox under “certificate signing request (CSR)”.
  • Click Next at the bottom, which will give you a 21-day free trial certificate.
Posted in: Linux.
Last Modified: January 12, 2017
