Apache and OpenSSL

My SSL Certificate for the webserver expired – so I had to generate a new one, which is a perfect topic to blog about.

Regarding SSL certificates, there are two possibilities: you may buy an official one or you may generate your own. For financial reasons, I'm using the latter method, as it's more or less for private use and not for proving my server's identity to the public. But that's enough chit chat – let's go to work:

Step 1: The Private Key

We start by creating our RSA private key, which should be a 1024 bit RSA key. The key file is encrypted with Triple-DES (the -des3 option), so it is useless without the passphrase you enter here. As the key has to be stored as ASCII text, we're using the PEM format.

openssl genrsa -des3 -out server.key 1024

Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

Step 2: The CSR (Certificate Signing Request)

A CSR, as the name already says, is the request for the certificate: think of it as the application form a bureaucratic process uses to collect information from you. Normally you would send it to Verisign or Thawte if you wanted an official certificate for your server. In our case, we're processing it ourselves.

While filling in the requested data, you will come across a prompt like this: "Common Name (e.g., YOUR name)". It is important that you enter the fully qualified domain name of the server to be protected here, because clients compare this name against the hostname they connected to. If I ran my blog over SSL, it would be 'my.stargazer.at'.

openssl req -new -key server.key -out server.csr

Country Name (2 letter code) [AT]:AT
State or Province Name (full name) [Feldkirch]:Feldkirch
Locality Name (eg, city) [Nofels]:Nofels
Organization Name (eg, company) [My Company Ltd]:STARGAZER systems
Organizational Unit Name (eg, section) []:IT Core services
Common Name (eg, your name or your server's hostname) []:my.stargazer.at
Email Address []: *****@******.***
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 3: Removing the password

I know this might sound strange to you, but this step ensures that your server is able to start up without user interaction. To understand it, you need to know that the server key is encrypted by now, which makes it unreadable until the correct passphrase is entered. As we are starting our webserver via an init script, we would be prompted to unlock the key on every start, which rules out unattended startups. So we decrypt it, keeping the encrypted original as server.key.org; from now on the unencrypted key is protected only by its file permissions, so make sure nobody but root can read it.

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

Step 4: Generating the Certificate

Now we're generating the certificate, signed with our own key (self-signed). Regarding validity, we are using one year. After that time, we'll be doing the same procedure again ;)

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=AT/ST=Feldkirch/L=Nofels/O=STARGAZER systems/OU=IT Core services/CN=my.stargazer.at/Email=*****@******.***
Getting Private key

Step 5: Making use of the Certificate

By now our important files, server.crt and server.key, are ready for use. So let's clean up the mess we made before and copy the new files to a safe place. Yes, I am talking about backups. Configuring the webserver itself shouldn't be that hard. For my Apache webserver, I'm extending my configuration like this:

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Step 6: Restarting Apache

Finally, we restart our webserver to apply the changes, and we are ready for our first test run.
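The whole procedure above, as an added example that is not part of the original post: a POSIX shell script that runs Steps 1 to 4 without any prompts (the passphrase goes in via -passout/-passin, the subject via -subj) and then performs the checks you want before restarting Apache: that the encrypted original is still locked while the working copy is not, that key and certificate carry the same public key, that the Common Name is the one we asked for, and that the certificate will not expire within a chosen period (handy in a cron job, so next year's expiry does not come as a surprise). The scratch directory, the 2048-bit key size, and the temporary passphrase are my assumptions, not the post's; the subject fields are the ones shown above.

```shell
#!/bin/sh
# Added example, not from the original post: Steps 1-5 run non-interactively,
# followed by sanity checks. Assumes openssl is on PATH; WORKDIR, BITS and
# PASS are constructed values you will replace.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"       # assumption: scratch directory
CN="${CN:-my.stargazer.at}"              # Common Name from the post
BITS="${BITS:-2048}"                     # assumption: 2048 instead of 1024
DAYS="${DAYS:-365}"                      # one year, as in Step 4
PASS="${PASS:-constructed-temporary-passphrase}"   # only lives until Step 3

# Step 1: Triple-DES encrypted RSA key in PEM format.
step1_key() {
    openssl genrsa -des3 -passout "pass:$PASS" \
        -out "$WORKDIR/server.key" "$BITS" 2>/dev/null
}

# Step 2: the CSR; -subj answers the questionnaire so nothing is prompted.
step2_csr() {
    openssl req -new -key "$WORKDIR/server.key" -passin "pass:$PASS" \
        -subj "/C=AT/ST=Feldkirch/L=Nofels/O=STARGAZER systems/OU=IT Core services/CN=$CN" \
        -out "$WORKDIR/server.csr"
}

# Step 3: keep the encrypted original, write a passphrase-free copy for
# unattended startup, and rely on file permissions from here on.
step3_strip_passphrase() {
    cp "$WORKDIR/server.key" "$WORKDIR/server.key.org"
    openssl rsa -in "$WORKDIR/server.key.org" -passin "pass:$PASS" \
        -out "$WORKDIR/server.key" 2>/dev/null
    chmod 600 "$WORKDIR/server.key" "$WORKDIR/server.key.org"
}

# Step 4: self-signed certificate, valid for $DAYS days.
step4_cert() {
    openssl x509 -req -days "$DAYS" -in "$WORKDIR/server.csr" \
        -signkey "$WORKDIR/server.key" -out "$WORKDIR/server.crt" 2>/dev/null
}

# --- checks a practitioner runs before touching Apache -------------------

# Is this PEM file passphrase-protected? Matches both the traditional
# "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "ENCRYPTED PRIVATE KEY" one.
is_encrypted() { grep -q ENCRYPTED "$1"; }

# Do key and certificate carry the same public key?
key_matches_cert() {
    k=$(openssl rsa -in "$WORKDIR/server.key" -pubout 2>/dev/null | openssl md5)
    c=$(openssl x509 -in "$WORKDIR/server.crt" -pubkey -noout | openssl md5)
    [ "$k" = "$c" ]
}

# Common Name of the issued certificate (handles "CN=x" and "CN = x" output).
cert_cn() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -subject | sed 's/.*CN *= *//'
}

# Will the certificate still be valid in $1 seconds? (exit 0 = yes)
cert_valid_for() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -checkend "$1" >/dev/null
}

# Step 5: the Apache directives from the post, pointing at our files.
apache_snippet() {
    printf 'SSLEngine on\nSSLCertificateFile %s\nSSLCertificateKeyFile %s\n' \
        "$WORKDIR/server.crt" "$WORKDIR/server.key"
}

run_all() {
    step1_key; step2_csr; step3_strip_passphrase; step4_cert
    is_encrypted "$WORKDIR/server.key.org"       # backup still locked
    ! is_encrypted "$WORKDIR/server.key"         # working copy open for Apache
    key_matches_cert
    [ "$(cert_cn)" = "$CN" ]
    cert_valid_for $((364 * 86400))              # still good in 364 days
    ! cert_valid_for $((366 * 86400))            # but expired after a year
}

run_all
apache_snippet
# Step 6 is then your distribution's Apache restart, e.g. apachectl graceful.
```

If any check fails the script aborts before printing the Apache snippet, so a mismatched key, a key that somehow kept its passphrase, or a wrong CN never reaches the configuration.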
