Difference between revisions of "Secure Sockets Layer"

From Organic Design wiki
m
(better process that works for Apache or NGiNX)
Line 3: Line 3:
 
  | status = in use
 
  | status = in use
 
}}</noinclude>
 
}}</noinclude>
Our convention is to keep all the certificates in ''/var/www/ssl'' along with the the SSL virtual host definition for the domain <noinclude>(see [[install a new server]] for details on Apache configuration)</noinclude>. First change the current directory to ''/var/www/ssl'' and create the certificate with the following command format. Ensure the '''common name''' (cn) is entered as a wildcard such as '''*.foo.com''' so that the certificate applies to all the sub-domains such as ''www.foo.com'' or ''webmail.foo.com'' etc.
+
Our convention is to keep all the certificates in ''/var/www/ssl'', so first change the current directory to that and create the certificate with the following command format. Ensure the '''common name''' (cn) is entered as a wildcard such as '''*.foo.com''' so that the certificate applies to all the sub-domains such as ''www.foo.com'' or ''webmail.foo.com'' etc. This certificate format will work for both [[Apache]] and [[NGiNX]].
{{code|<pre>
 
openssl req -new -newkey rsa:1024 -days 3650 -nodes -x509 -keyout foo.com.key -out foo.com.csr
 
</pre>}}
 
  
 +
First we need to create a private key. Note that this process will require a pass-phrase for the key - don't worry, we'll remove it later to make things easier,
 +
{{code|<pre>openssl genrsa -des3 -out ssl.key 1024</pre>}}
  
This generates two files, the ''.csr'' is the request and the ''.key'' is the private key.
 
  
Ensure that the resulting file is accessible by the web-server:
+
Now we need to create a CSR (Certificate Signing Request):
{{code|<pre>
+
{{code|<pre>openssl req -new -key ssl.key -out ssl.csr</pre>}}
chown www-data foo.com.pem
 
</pre>}}
 
  
  
<noinclude>Check the cert with this command:
+
Now we need to remove the pass-phrase otherwise it'll prevent the web-server from restarting without it being entered (you'll need to enter the pass-phrase to remove it though),
{{code|<pre>
+
{{code|<pre>cp ssl.key ssl-pass.key
openssl s_server -cert /var/www/ssl/foo.com.pem
+
openssl rsa -in ssl-pass.key -out ssl.key</pre>}}
</pre>}}
 
  
  
The following output indicates the cert is working correctly
+
Now we can generate the actual certificate:
{{code|<pre>
+
{{code|<pre>openssl x509 -req -days 3650 -in ssl.csr -signkey ssl.key -out ssl.crt</pre>}}
Using default temp DH parameters
 
Using default temp ECDH parameters
 
ACCEPT
 
</pre>}}</noinclude>
 
 
 
== See also ==
 
*[http://pages.cs.wisc.edu/~zmiller/ca-howto/ How to set up a self-signed certificate]
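Review bot: the new key-generation line `openssl genrsa -des3 -out ssl.key 1024` keeps the 1024-bit size from the old `-newkey rsa:1024` command, which is below the 2048-bit minimum that current browsers and certificate authorities accept; use `openssl genrsa -out ssl.key 2048`, and leaving out `-des3` also makes the pass-phrase removal step (`cp ssl.key ssl-pass.key` followed by `openssl rsa -in ssl-pass.key -out ssl.key`) unnecessary. The rewrite also drops the `chown www-data foo.com.pem` step and the `openssl s_server` check without replacing them, so the page no longer says what permissions the key file needs or how to confirm the result; a sentence that ssl.key should be root-owned and mode 0600 (the server reads it at start-up, before dropping privileges) plus a check such as `openssl x509 -in ssl.crt -noout -subject -dates` would close that gap. Splitting the old single `req -new -newkey ... -x509` command into separate key, CSR and `x509 -req -signkey` steps is a genuine fix: with `-x509` the old `-out foo.com.csr` wrote a certificate rather than a request, so the removed sentence calling the .csr "the request" was wrong.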
 

Revision as of 10:51, 24 April 2013

Secure Sockets Layer
Organic Design procedure

Our convention is to keep all the certificates in /var/www/ssl, so first change the current directory to that and create the certificate with the following command format. Ensure the common name (CN) is entered as a wildcard such as *.foo.com so that the certificate covers the sub-domains such as www.foo.com or webmail.foo.com. Note that a wildcard matches exactly one label: *.foo.com does not cover the bare foo.com or a.b.foo.com, so if those names are served too they must be listed explicitly (as subjectAltName entries). The resulting key and certificate files work for both Apache and NGiNX.

First we need to create a private key. Use at least 2048 bits; 1024-bit RSA keys are no longer accepted by current clients or certificate authorities. This command will prompt for a pass-phrase to protect the key - don't worry, we'll remove it later so the web server can start unattended,

openssl genrsa -des3 -out ssl.key 2048


Now we need to create a CSR (Certificate Signing Request). You will be prompted for the subject fields; this is where the wildcard common name (for example *.foo.com) is entered:

openssl req -new -key ssl.key -out ssl.csr


Now we need to remove the pass-phrase, otherwise the web server cannot restart without it being typed in (you'll need to enter the pass-phrase one more time to remove it). Whether you keep or delete the protected copy ssl-pass.key, make sure both key files are readable only by root (mode 0600): anyone who can read ssl.key can impersonate the site.

cp ssl.key ssl-pass.key
openssl rsa -in ssl-pass.key -out ssl.key


Now we can generate the actual certificate, self-signed with the same key and valid for ten years. Browsers will warn about a self-signed certificate until it is explicitly trusted, so for a public site send ssl.csr to a certificate authority instead and use the certificate it returns in place of ssl.crt:

openssl x509 -req -days 3650 -in ssl.csr -signkey ssl.key -out ssl.crt
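The whole procedure above, as an added example that is not part of the original page: a POSIX shell script that produces the same three files (ssl.key, ssl.csr, ssl.crt) non-interactively, with a 2048-bit key, a subjectAltName covering both the wildcard and the bare domain, and a key file that is 0600 from the moment it is written. It also shows the pass-phrase round trip from the page done without prompts, and the checks worth running before pointing Apache or NGiNX at the files. The directory, the domain foo.com, the pass-phrase and all function names are assumptions made for the example; on a real host the directory would be /var/www/ssl.

```shell
#!/bin/sh
# Added example, not from the Organic Design page. Builds the key, CSR and
# self-signed certificate the procedure describes, with a 2048-bit key, no
# pass-phrase round trip, a subjectAltName (clients that ignore the CN still
# match) and a key file nobody else can read. All paths, the domain foo.com
# and the function names are assumptions.
set -eu

# make_selfsigned DIR DOMAIN DAYS
#   Writes DIR/ssl.key, DIR/ssl.csr, DIR/ssl.crt.
make_selfsigned() {
    dir=$1; domain=$2; days=$3
    mkdir -p "$dir"
    # No -des3: the server must read the key unattended, so a pass-phrase that
    # is stripped straight away buys nothing. umask makes the key 0600 at creation.
    (umask 077 && openssl genrsa -out "$dir/ssl.key" 2048 2>/dev/null)
    # CSR with the wildcard CN the page recommends; -subj avoids the prompts.
    openssl req -new -key "$dir/ssl.key" -out "$dir/ssl.csr" -subj "/CN=*.$domain"
    # A wildcard matches one label only, so list the bare domain as well.
    # Extensions go in via -extfile, which works on OpenSSL 1.0.2 onwards.
    printf 'subjectAltName=DNS:*.%s,DNS:%s\n' "$domain" "$domain" > "$dir/san.cnf"
    openssl x509 -req -days "$days" -in "$dir/ssl.csr" -signkey "$dir/ssl.key" \
        -extfile "$dir/san.cnf" -out "$dir/ssl.crt" 2>/dev/null
}

# make_encrypted_key OUT PASS: the page's pass-phrase-protected key, without a prompt
make_encrypted_key() {
    (umask 077 && openssl genrsa -aes256 -passout "pass:$2" -out "$1" 2048 2>/dev/null)
}

# strip_passphrase IN PASS OUT: the page's "cp; openssl rsa" step, without a prompt
strip_passphrase() {
    (umask 077 && openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null)
}

# --- checks to run before the web server is pointed at the files ---

# cert_cn CRT: print the subject CN (handles old "/CN=" and new "CN = " output)
cert_cn() { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }

# cert_has_san CRT NAME: succeed if NAME is listed as a DNS subjectAltName
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -qF -- "DNS:$2"; }

# key_matches_cert KEY CRT: succeed if the key's public half is the one in the cert
key_matches_cert() {
    [ "$(openssl rsa -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# key_is_encrypted KEY: succeed if the key still carries a pass-phrase
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# key_mode FILE: print the octal mode, e.g. 600 (GNU stat first, then BSD stat)
key_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# cert_valid_for CRT SECONDS: succeed if the cert is still valid SECONDS from now
cert_valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

# Stand-alone use: sh ssl-demo.sh /tmp/ssl-demo foo.com
if [ "$#" -ge 1 ]; then
    make_selfsigned "$1" "${2:-foo.com}" 365
    echo "CN=$(cert_cn "$1/ssl.crt") key mode=$(key_mode "$1/ssl.key")"
    key_matches_cert "$1/ssl.key" "$1/ssl.crt" && echo "key matches certificate"
fi
```

The checks are the ones a deployment would otherwise discover the hard way: a CN or SAN that does not match the host name, a key that does not belong to the certificate, a key that still has a pass-phrase and so blocks an unattended restart, and a key file readable by other accounts.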