Quoting Jeff ([EMAIL PROTECTED]):

> If you understand how a CA works, then it's easy peasy. If not, you
> will need to understand how a CA works before you dive in.
>
> The documentation is poor, and last I looked, there were not many
> examples - it seems to still have a whiff of the arcane.
Here are my notes on the subject, stored at
http://linuxmafia.com/~rick/linux-info/ssl-cert-self-signed :

See also:
http://www.thawte.com/support/server/apache/apache-vfaq.html
http://slacksite.com/apache/certificate.html

We'll generate three files, and end up using two of them.

First, we generate the RSA keypair (client.key, which is in BASE64 PEM
format, which is why the file often has a .pem filename extension).
Then, we generate a CSR = Certificate Signing Request file (client.csr),
which associates the key with the organisation's identity (specified in
X.509 format, which is similar to LDAP/X.500), and could theoretically
be shipped off to Verisign or another Certificate Authority (CA) to be
digitally signed. Last, we have Client purport to self-sign the CSR
file (in lieu of a CA), resulting in client.crt, the certificate file
-- at which point client.csr can be discarded.

All of this is done with the "openssl" binary. And then Apache must be
configured to use the two files, and restarted. That's it. So:

$ openssl genrsa -rand file1:file2[...] -out client.key 1024

You give several filespecs delimited by colons to give openssl enough
entropy to work with. We're omitting the "-des3" switch, which causes
the private key to be stored in symmetrically-encrypted form to protect
it against being stolen by shell users, the downside of which is Client
would have to supply the 3DES key to read the private key every time
Apache restarts. Which is a _big_ downside, and is why almost nobody
ever does it.

$ openssl req -new -key client.key -out client.csr

You'll be prompted for several strings to build an X.500-style
Distinguished Name (two-letter country name, state, city, organisation,
Apache hostname, administrative e-mail address). It's important that
the hostname match what's specified in httpd.conf, or users will get a
warning about the mismatch.

Now, you get to generate the actual cert, and decide how many days from
today's date it should expire.
(In this example, we say two years = 730.)

$ openssl x509 -req -days 730 -in client.csr -signkey client.key -out client.crt

Last, we find the SSLCertificateFile and SSLCertificateKeyFile lines in
httpd.conf, put the two client.* files in the indicated directories,
edit the two httpd.conf lines, save, and restart Apache.

-- 
Cheers,                     * Contributing Editor, Linux Gazette *
Rick Moen                   -*- See the Linux Gazette in its new home: -*-
[EMAIL PROTECTED]           <http://linuxgazette.net/>
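The three-step procedure from the post, run non-interactively, followed by the two checks an admin should make before pointing httpd.conf at the files (added example, not part of the original message). It assumes a modern openssl(1); the 2048-bit key size, the `-subj` DN and the hostname www.example.com are choices made here, not values from the post.

```shell
#!/bin/sh
# Added example: generate client.key / client.csr / client.crt as described
# in the post, then verify the result. Hostname, DN and key size are assumed.
set -eu

# Generate client.key, client.csr and client.crt under $1 for hostname $2.
make_self_signed() {
    dir=$1; host=$2; days=${3:-730}
    # Step 1: RSA keypair. 2048 bits here rather than the post's 1024; a
    # modern openssl seeds itself, so -rand file1:file2 is omitted.
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    chmod 600 "$dir/client.key"          # unencrypted key: owner-only access
    # Step 2: CSR, with the X.500 DN given via -subj instead of prompts.
    # CN must be the hostname Apache is configured for, or browsers warn.
    openssl req -new -key "$dir/client.key" -out "$dir/client.csr" \
        -subj "/C=US/ST=California/L=Menlo Park/O=Example Org/CN=$host"
    # Step 3: self-sign the CSR with the same key, valid for $days days.
    openssl x509 -req -days "$days" -in "$dir/client.csr" \
        -signkey "$dir/client.key" -out "$dir/client.crt" 2>/dev/null
    rm -f "$dir/client.csr"              # the CSR can be discarded once signed
}

# Print the CN of a certificate so it can be compared with httpd.conf.
# Handles both the old "subject= /CN=x" and new "subject=CN = x" output.
cert_cn() {
    openssl x509 -in "$1" -noout -subject |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeed only if the certificate and private key belong together: the
# public key embedded in the cert must equal the one derived from the key.
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}

# Succeed if the certificate is still valid $2 days from now (for alerting
# before the -days window chosen above runs out).
cert_still_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}
```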