Generating a SSL Cert for linux

Published by

Posted on December 06, 2007

Generating RSA & CSR (Signing Request)

[root@yupapa root]#
[root@yupapa root]# cd /etc/httpd/conf/ssl.key

OPTION 1: Generating a RSA private key without a passphrase (ME recommended)
[root@yupapa /etc/httpd/conf/ssl.key]# openssl genrsa -out 1024

OPTION 2: Generating a RSA private key with a passphrase. You will be prompted to enter a passphrase right after you hit enter.
[root@yupapa /etc/httpd/conf/ssl.key]# openssl genrsa -des3 -out 1024

You should NOT generate the RSA private key with a passphrase if you have scripts that restart apache automatically. If you have, then apache just sit there and wait for the script to input the passphrase which is a mess!
There is a method that you can disable the passphrase to prompt when you restart apache which I’ll show you later~

Next generate the CSR using the RSA Private Key

[root@yupapa /etc/httpd/conf/ssl.csr]# openssl req -new -key -out
[root@yupapa /etc/httpd/conf/ssl.csr]# mv ../ssl.csr

You will be asked to enter your Common Name, Organization, Organization Unit, City or Locality, State or Province and Country.
Do not enter these characters ‘< > ~ ! @ # $ % ^ * / ( ) ?.,&’ because they will not be accepted.

Common Name: the domain for the web server (e.g.
Organization: the name of your organization (e.g. YUPAPA)
Organization Unit: the section of the organization (e.g. Sales)
City or Locality: the city where your organzation is located (e.g. Flanders)
State or Province: the state / province where your organzation is located (e.g New Jersey)
Country: the country where your organzation is located (e.g US)

You may be asked for emeow address and challenge challenge password. I just hit enter when I generate the csr~

Now you should have:

Make a backup copy of your private key! If you lose it, you have to purchase a new cert!

Now you should submit your csr and they will mail you the certificate.

Installing the Certificate for Apache

[root@yupapa root]# cd /etc/httpd/conf/ssl.crt

Copy the certificate that they mailed you to
Open your httpd.conf file and place the following to your virtualhost

… some config like DocumentRoot , etc..
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/

Restart apache
OPTION 1 [root@yupapa /etc/httpd/conf/ssl.crt]# apachectl restart
OPTION 2 (using the sh script) [root@yupapa /etc/httpd/conf/ssl.crt]# /etc/rc.d/init.d/httpd restart

You may be asked to enter the passphrase IF you generated the RSA with a passphrase. If you do NOT want to be asked for a passphrase when restarting apache, re-generate your RSA key file.
[root@yupapa /etc/httpd/conf/ssl.crt]# cd ../ssl.key
[root@yupapa /etc/httpd/conf/ssl.key]# mv
[root@yupapa /etc/httpd/conf/ssl.key]# openssl rsa -in -out

And then restart apache again
[root@yupapa /etc/httpd/conf/ssl.crt]# /etc/rc.d/init.d/httpd restart

Now you should be able to access ~ And Finally make sure those directories and files are only writable and readable by root!