Chinaunix forum
Views: 1488 | Replies: 0
SSL server Certificate HOWTO

Posted on 2005-05-23 21:18
From the Apache manual
Ok, I've got my server installed and want to create a real SSL server Certificate for it. How do I do it?
Here is a step-by-step description:
  • Make sure OpenSSL is really installed and in your PATH. But some commands even work ok when you just run the ``openssl'' program from within the OpenSSL source tree as ``./apps/openssl''.
  • Create an RSA private key for your Apache server (it will be Triple-DES encrypted and PEM formatted):
    $ openssl genrsa -des3 -out server.key 1024
    Please back up this server.key file in a secure location and remember the pass-phrase you had to enter. You can see the details of this RSA private key via the command:
    $ openssl rsa -noout -text -in server.key
    And you could create a decrypted PEM version (not recommended) of this RSA private key via:
    $ openssl rsa -in server.key -out server.key.unsecure
  • Create a Certificate Signing Request (CSR) with the server's RSA private key (the output will be PEM formatted):
    $ openssl req -new -key server.key -out server.csr
    Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", i.e. when you generate a CSR for a website which will later be accessed via https://www.foo.dom/, enter "www.foo.dom" here. You can see the details of this CSR via the command:
    $ openssl req -noout -text -in server.csr
  • You now have to send this Certificate Signing Request (CSR) to a Certifying Authority (CA) for signing. The result is then a real Certificate which can be used for Apache. Here you have two options: First, you can have the CSR signed by a commercial CA like Verisign or Thawte. Then you usually have to post the CSR into a web form, pay for the signing and await the signed Certificate, which you can then store in a server.crt file. For more information about commercial CAs have a look at the following locations:
  • Verisign
    http://digitalid.verisign.com/server/apacheNotice.htm
  • Thawte Consulting
    http://www.thawte.com/certs/server/request.html
  • CertiSign Certificadora Digital Ltda.
    http://www.certisign.com.br
  • IKS GmbH
    http://www.iks-jena.de/produkte/ca/
  • Uptime Commerce Ltd.
    http://www.uptimecommerce.com
  • BelSign NV/SA
    http://www.belsign.be
    Second, you can use your own CA and sign the CSR yourself with it. Read the next answer in this FAQ on how to sign a CSR with your own CA. You can see the details of the received Certificate via the command:
    $ openssl x509 -noout -text -in server.crt
  • Now you have two files: server.key and server.crt. These can now be used as follows inside your Apache's httpd.conf file:
    SSLCertificateFile    /path/to/this/server.crt
    SSLCertificateKeyFile /path/to/this/server.key
    The server.csr file is no longer needed.
How can I create and use my own Certificate Authority (CA)?
The short answer is to use the CA.sh or CA.pl script provided by OpenSSL. The long and manual answer is this:
  • Create an RSA private key for your CA (it will be Triple-DES encrypted and PEM formatted):
    $ openssl genrsa -des3 -out ca.key 1024
    Please back up this ca.key file in a secure location and remember the pass-phrase you just entered. You can see the details of this RSA private key via the command:
    $ openssl rsa -noout -text -in ca.key
    And you can create a decrypted PEM version (not recommended) of this private key via:
    $ openssl rsa -in ca.key -out ca.key.unsecure
  • Create a self-signed CA Certificate (X509 structure) with the RSA key of the CA (output will be PEM formatted):
    $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
    You can see the details of this Certificate via the command:
    $ openssl x509 -noout -text -in ca.crt
  • Prepare a script for signing, which is needed because the ``openssl ca'' command has some strange requirements and the default OpenSSL config doesn't easily allow using ``openssl ca'' directly. So a script named sign.sh is distributed with the mod_ssl distribution (subdir pkg.contrib/). Use this script for signing.
  • Now you can use this CA to sign server CSRs in order to create real SSL Certificates for use inside an Apache webserver (assuming you already have a server.csr at hand):
    $ ./sign.sh server.csr
    This signs the server CSR and results in a server.crt file.
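The two procedures above (server key and CSR, then a private CA that signs it) put together as one unattended script. This is an added example, not code from the mod_ssl FAQ or from the mod_ssl distribution, and it makes several assumptions that are not on the page: pass-phrases are passed with -passin/-passout instead of being typed at the prompt (the sample pass-phrases are constructed), the CSR is signed with "openssl x509 -req" rather than the sign.sh script the FAQ refers to, keys are 2048-bit and signatures SHA-256 because current browsers and CAs reject 1024-bit RSA and SHA-1, and a subjectAltName is added because modern clients ignore the CommonName when matching the host name. Two checks the FAQ only implies are made explicit: the CSR's CN really is the FQDN, and the CSR was built from the key Apache will load (modulus comparison), which is the usual cause of "key values mismatch" errors at startup.

```shell
#!/bin/sh
# Added example (not from the mod_ssl FAQ): private CA, server key/CSR, signing and checks.
# Assumptions not on the original page: 2048-bit keys, SHA-256, unattended pass-phrases,
# "openssl x509 -req" instead of sign.sh, and a subjectAltName on the server certificate.
set -eu

WORK="${WORK:-$(mktemp -d)}"        # scratch directory for all generated files
FQDN="www.foo.dom"                  # hypothetical host name used by the FAQ
CA_PASS="ca-pass-phrase"            # constructed sample pass-phrases, never reuse
SRV_PASS="server-pass-phrase"

# CA answer, steps 1 and 2: Triple-DES-encrypted CA key and a self-signed CA certificate.
make_ca() {
    openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -key "$WORK/ca.key" -passin "pass:$CA_PASS" \
        -subj "/CN=Example Private CA" -out "$WORK/ca.crt"
}

# Server answer, steps 2 and 3: encrypted server key and a CSR whose CN is the FQDN.
make_server_csr() {
    openssl genrsa -des3 -passout "pass:$SRV_PASS" -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -passin "pass:$SRV_PASS" \
        -subj "/CN=$FQDN" -out "$WORK/server.csr"
}

# Check the "enter the FQDN as CommonName" advice: print the CN found in the CSR.
csr_cn() {
    openssl req -noout -subject -nameopt RFC2253 -in "$WORK/server.csr" \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# The CSR must have been built from the key Apache will load: compare modulus digests.
key_matches_csr() {
    k=$(openssl rsa -noout -modulus -in "$WORK/server.key" -passin "pass:$SRV_PASS" | openssl sha256)
    c=$(openssl req -noout -modulus -in "$WORK/server.csr" | openssl sha256)
    [ "$k" = "$c" ]
}

# CA answer, step 4, done with "openssl x509 -req" in place of sign.sh; the extension
# file adds the subjectAltName that browsers match against the host name.
sign_csr() {
    printf 'subjectAltName=DNS:%s\n' "$FQDN" > "$WORK/san.cnf"
    openssl x509 -req -days 365 -sha256 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -passin "pass:$CA_PASS" -CAcreateserial \
        -extfile "$WORK/san.cnf" -out "$WORK/server.crt" 2>/dev/null
}

# What a client does with the result: build the chain from server.crt back to ca.crt.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null
}

# Whole flow; the resulting server.key and server.crt are what httpd.conf points at.
run_all() {
    make_ca && make_server_csr && key_matches_csr && sign_csr && verify_chain
}

case "${1:-}" in
    run) run_all && echo "CN=$(csr_cn), chain verifies; files are in $WORK" ;;
esac
```

Run it as `sh example.sh run`; leave ca.key encrypted and off the web server entirely, since anyone holding it can issue certificates your clients will trust.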
How can I change the pass-phrase on my private key file?
You simply have to read it with the old pass-phrase and write it again by specifying the new pass-phrase. You can accomplish this with the following commands:
    $ openssl rsa -des3 -in server.key -out server.key.new
    $ mv server.key.new server.key
    Here you're asked two times for a PEM pass-phrase. At the first prompt enter the old pass-phrase and at the second prompt enter the new pass-phrase.
How can I get rid of the pass-phrase dialog at Apache startup time?
The reason why this dialog pops up at startup and at every restart is that the RSA private key inside your server.key file is stored in encrypted format for security reasons. The pass-phrase is needed to be able to read and parse this file. When you can be sure that your server is secure enough, you can perform these two steps:
  • Remove the encryption from the RSA private key (while preserving the original file):
    $ cp server.key server.key.org
    $ openssl rsa -in server.key.org -out server.key
  • Make sure the server.key file is now only readable by root:
    $ chmod 400 server.key
    Now server.key will contain an unencrypted copy of the key. If you point your server at this file it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this key they will be able to impersonate you on the net. PLEASE make sure that the permissions on that file are really such that only root or the web server user can read it (preferably get your web server to start as root but run as another user, and have the key readable only by root).
    As an alternative approach you can use the ``SSLPassPhraseDialog exec:/path/to/program'' facility. But keep in mind that this is neither more nor less secure, of course.
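The last two answers (changing the pass-phrase, and stripping it while preserving the encrypted original) as one script, followed by the check an auditor would run over every SSLCertificateKeyFile: an unencrypted key is tolerable only when its file mode lets nobody but the owner read it. This is an added example, not code from the FAQ; the pass-phrases are supplied with -passin/-passout so the commands run unattended (the FAQ's commands prompt instead), the sample pass-phrases are constructed, and the test key is generated inline. The encryption check relies on the word ENCRYPTED appearing both in the traditional "Proc-Type: 4,ENCRYPTED" PEM header and in the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" marker, so it works with either output format of openssl.

```shell
#!/bin/sh
# Added example (not from the mod_ssl FAQ): change a key's pass-phrase, strip it for
# unattended Apache start-ups, and audit what that leaves on disk.
# Assumptions not on the page: pass-phrases via -passin/-passout (constructed values).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed test key, encrypted the same way as the FAQ's "openssl genrsa -des3".
make_encrypted_key() {
    openssl genrsa -des3 -passout "pass:old-pass-phrase" -out "$WORK/server.key" 2048 2>/dev/null
}

# "How can I change the pass-phrase": read with the old one ($1), write with the new one ($2).
change_passphrase() {
    openssl rsa -des3 -in "$WORK/server.key" -passin "pass:$1" \
        -out "$WORK/server.key.new" -passout "pass:$2"
    mv "$WORK/server.key.new" "$WORK/server.key"
}

# "Get rid of the pass-phrase dialog": keep the encrypted original as server.key.org,
# write a plaintext copy and lock it down to owner-read-only.
strip_passphrase() {
    cp "$WORK/server.key" "$WORK/server.key.org"
    openssl rsa -in "$WORK/server.key.org" -passin "pass:$1" -out "$WORK/server.key"
    chmod 400 "$WORK/server.key"
}

# Is the PEM file still encrypted? Works for traditional and PKCS#8 encodings.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Audit rule for a key file: encrypted is fine; plaintext is fine only at mode 400/600.
# Returns 0 when acceptable, 1 (with a warning on stderr) otherwise.
key_file_is_safe() {
    if key_is_encrypted "$1"; then
        return 0
    fi
    mode=$(file_mode "$1")
    case "$mode" in
        400|600) return 0 ;;
        *) echo "WARNING: $1 is unencrypted and has mode $mode" >&2; return 1 ;;
    esac
}

# Walk through both answers and confirm each intermediate state; returns 0 on success.
demo() {
    make_encrypted_key
    change_passphrase "old-pass-phrase" "new-pass-phrase"
    key_is_encrypted "$WORK/server.key" || return 1       # new pass-phrase, still encrypted
    strip_passphrase "new-pass-phrase"
    key_is_encrypted "$WORK/server.key" && return 1       # must be plaintext now
    key_is_encrypted "$WORK/server.key.org" || return 1   # the backup keeps the encryption
    key_file_is_safe "$WORK/server.key" || return 1       # mode 400: acceptable
    chmod 644 "$WORK/server.key"                          # simulate a careless admin
    key_file_is_safe "$WORK/server.key" && return 1       # must be flagged
    return 0
}

case "${1:-}" in
    run) demo && echo "all states as expected; files are in $WORK" ;;
esac
```

Run it as `sh example.sh run`. The same key_file_is_safe rule applies to a key handed out by an SSLPassPhraseDialog exec program: whatever that program reads to produce the pass-phrase is the new secret and needs the same file-mode discipline.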


    This post comes from the ChinaUnix blog; the original is at: http://blog.chinaunix.net/u/2389/showart_27383.html