Difference between revisions of "Secure Sockets Layer"
Line 3: | Line 3: | ||
| status = in use | | status = in use | ||
}}</noinclude> | }}</noinclude> | ||
− | Our convention is to keep all the certificates in ''/var/www/ssl'' | + | Our convention is to keep all the certificates in ''/var/www/ssl'', so first change the current directory to that and create the certificate with the following command format. Ensure the '''common name''' (cn) is entered as a wildcard such as '''*.foo.com''' so that the certificate applies to all the sub-domains such as ''www.foo.com'' or ''webmail.foo.com'' etc. This certificate format will work for both [[Apache]] and [[NGiNX]]. |
− | |||
− | |||
− | |||
+ | First we need to create a private key. Note that this process will require a pass-phrase for the key - don't worry, we'll remove it later to make things easier, | ||
+ | {{code|<pre>openssl genrsa -des3 -out ssl.key 1024</pre>}} | ||
− | |||
− | + | Now we need to create a CSR (Certificate Signing Request): | |
− | {{code|<pre> | + | {{code|<pre>openssl req -new -key ssl.key -out ssl.csr</pre>}} |
− | |||
− | </pre>}} | ||
− | + | Now we need to remove the pass-phrase otherwise it'll prevent the web-server from restarting without it being entered (you'll need to enter the pass-phrase to remove it though), | |
− | {{code|<pre> | + | {{code|<pre>cp ssl.key ssl-pass.key |
− | openssl | + | openssl rsa -in ssl-pass.key -out ssl.key</pre>}} |
− | </pre>}} | ||
− | + | Now we can generate the actual certificate: | |
− | {{code|<pre> | + | {{code|<pre>openssl x509 -req -days 3650 -in ssl.csr -signkey ssl.key -out ssl.crt</pre>}} |
− | |||
− | |||
− | |||
− | </pre>}} | ||
− | |||
− | |||
− |
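Review bot: the key-generation line `openssl genrsa -des3 -out ssl.key 1024` creates a 1024-bit RSA key, which is below the 2048-bit minimum that current CAs and browsers accept; suggest `2048` or larger there. In the same hunk, after `openssl rsa -in ssl-pass.key -out ssl.key` the private key sits unencrypted under /var/www/ssl, so the text should say to restrict it to the web-server user (for example `chmod 600 ssl.key`), to confirm that directory is not served, and what to do with the leftover ssl-pass.key copy. The wildcard common name `*.foo.com` does not match the bare domain foo.com, which is worth stating next to the sub-domain examples, and since `-signkey ssl.key` makes the result self-signed, "the actual certificate" should say so.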
Revision as of 10:51, 24 April 2013
Secure Sockets Layer Organic Design procedure
Our convention is to keep all the certificates in /var/www/ssl, so first change to that directory and create the certificate with the following commands. Enter the common name (CN) as a wildcard such as *.foo.com so that the certificate applies to all the sub-domains, such as www.foo.com or webmail.foo.com. This certificate format works for both Apache and NGiNX.
First we need to create a private key. Note that this step requires a pass-phrase for the key; don't worry, we'll remove it later to make things easier.
Now we need to create a CSR (Certificate Signing Request):
Now we need to remove the pass-phrase, otherwise the web-server cannot restart without it being entered (you'll need to enter the pass-phrase to remove it though).
Now we can generate the actual certificate:
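Once the steps above have produced ssl.key and ssl.crt, the pair can be checked before the web server is pointed at it. The script below is an added example, not part of the original page: it confirms the pass-phrase was removed, reports the key size, and verifies that the certificate belongs to the key. The function names and the 2048-bit threshold are assumptions of this example, and the demo pair is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the page. Function names are hypothetical;
# ssl.key / ssl.csr / ssl.crt follow the page's file names.

# Print the RSA key size in bits.
key_bits() {
    openssl rsa -in "$1" -passin pass: -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Succeed if the PEM key is still pass-phrase protected (either PEM style).
key_is_encrypted() {
    grep -Eq '^(-----BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED)' "$1"
}

# Succeed if the certificate carries the public half of the private key.
pair_matches() {
    k=$(openssl rsa -in "$1" -passin pass: -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run all checks, print findings, return non-zero on any failure.
check_pair() {
    key=$1 crt=$2 rc=0
    if key_is_encrypted "$key"; then
        echo "FAIL: $key still has a pass-phrase (server restart would prompt)"
        return 1
    fi
    bits=$(key_bits "$key")
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is ${bits:-?} bits, want >= 2048"; rc=1; }
    pair_matches "$key" "$crt" || { echo "FAIL: $crt does not belong to $key"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $key ($bits bits) matches $crt"
    return "$rc"
}

# Constructed test data: the page's steps run non-interactively in directory $1
# (assumptions: no pass-phrase, 2048-bit key, the page's example CN).
make_constructed_pair() {
    ( cd "$1" &&
      openssl genrsa -out ssl.key 2048 2>/dev/null &&
      openssl req -new -key ssl.key -subj '/CN=*.foo.com' -out ssl.csr 2>/dev/null &&
      openssl x509 -req -days 3650 -in ssl.csr -signkey ssl.key -out ssl.crt 2>/dev/null )
}

# Demo on a constructed pair in a temporary directory.
tmp=$(mktemp -d) && make_constructed_pair "$tmp" && check_pair "$tmp/ssl.key" "$tmp/ssl.crt"
rm -rf "$tmp"
```

Against real files, source the functions and run `check_pair /var/www/ssl/ssl.key /var/www/ssl/ssl.crt`.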