Obtaining a Server Certificate Using OpenSSL

Generate public/private key pair

  % openssl genrsa -des3 -out server.key 1024 
  Generating RSA private key, 1024 bit long modulus
  .................+++++
  ..................................................+++++
  e is 65537 (0x10001)
  Enter PEM pass phrase: ******
  Verifying password - Enter PEM pass phrase: *****

Generate Certificate Signing Request

 % openssl req -new -key server.key -out server.csr
 Using configuration from /usr/local/openssl/openssl.cnf
 Enter PEM pass phrase: ******
 Country Name (2 letter code) [AU]:US
 State or Province Name (full name) [Some-State]:New York
 Locality Name (eg, city) []:Cold Spring Harbor
 Organization Name (eg, company) [Internet Widgits Pty Ltd]: Cold Spring Harbor Laboratory
 Organizational Unit Name (eg, section) []: Information Services
 Common Name (eg, YOUR name) []:www.cshl.org
 Email Address []:lstein@cshl.org

Convince a Certificate Authority to Sign your Certificate

Submit the server.csr file to Verisign or Thawte for signing (and pay the fee). They will eventually mail you back a signed certificate.

Install private key and signed certificate

Put the private key (server.key) and the signed certificate (server.crt) somewhere safe, and point Apache at them:

httpd.conf:
   # listen to the default SSL port
   Listen 443
   # host config for 443 requests
   <VirtualHost _default_:443>
     SSLEngine on
     SSLCertificateFile     conf/server.crt
     SSLCertificateKeyFile  conf/server.key
   </VirtualHost>

Restart the Server

OK, you're done!
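
A check worth running before submitting the CSR and again before restarting Apache: confirm that server.csr and the returned server.crt carry the same public key as server.key, and that the Common Name is the server's host name. The shell script below is an added example, not part of the original slides; its function names are illustrative, and its sample files are throwaway 2048-bit keys with a self-signed certificate standing in for the CA's.

```shell
#!/bin/sh
# Added example (not from the original slides). Function names are
# illustrative; only standard openssl subcommands are used.

# Public key (PEM) carried by each file. An encrypted private key (as
# produced with -des3) needs its pass phrase, which openssl asks for.
key_pub()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
csr_pub()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# True only when both keys were read and are identical; an unreadable
# file yields an empty string and must never count as a match.
same_key() { [ -n "$1" ] && [ "$1" = "$2" ]; }

csr_matches_key()  { same_key "$(key_pub "$1")" "$(csr_pub "$2")"; }
cert_matches_key() { same_key "$(key_pub "$1")" "$(cert_pub "$2")"; }

# Common Name in the CSR; it has to be the host name clients connect to.
csr_common_name() {
  openssl req -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
    awk -F' = ' '/commonName/ { print $2 }'
}

# Constructed sample input: throwaway, unencrypted 2048-bit keys, a CSR
# with the slide's Common Name, and a self-signed certificate standing
# in for the one a CA would return.
make_throwaway() {
  openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
  openssl genrsa -out "$1/other.key" 2048 2>/dev/null &&
  openssl req -new -key "$1/server.key" -out "$1/server.csr" \
    -subj "/C=US/ST=New York/O=Cold Spring Harbor Laboratory/CN=www.cshl.org" &&
  openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
    -days 1 -out "$1/server.crt" 2>/dev/null
}

# Script use: sh check.sh server.key server.csr [server.crt]
if [ "$#" -ge 2 ]; then
  csr_matches_key "$1" "$2" || { echo "CSR does not match key" >&2; exit 1; }
  echo "CSR matches key, CN=$(csr_common_name "$2")"
  if [ -n "${3:-}" ]; then
    cert_matches_key "$1" "$3" || { echo "certificate does not match key" >&2; exit 1; }
    echo "certificate matches key"
  fi
fi
```

A mismatch between server.crt and server.key is a common reason Apache refuses to start after the certificate is installed, so it is cheaper to catch it here than at restart.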



Lincoln D. Stein, lstein@cshl.org
Cold Spring Harbor Laboratory
Last modified: Sun Jul 16 22:30:03 PDT 2000