self signed https ssl certificate
apache ssl
OpenSSL to create self signed certificate
- Edit /etc/ssl/openssl.cnf
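[ CA_default ]
# Use an absolute path so 'openssl ca' works from any working directory.
# With the relative './demoCA' every ca command must be run from /etc/ssl
# (the revocation step below is otherwise easy to run from the wrong place).
dir = /etc/ssl/demoCA
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
#unique_subject = no
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
# Signature digest used by 'openssl ca'. Older OpenSSL releases default to
# SHA-1, whose signatures are rejected by current browsers.
default_md = sha256
x509_extensions = usr_cert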
- Create directories.
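# Create the directory layout the [ CA_default ] section refers to.
# -p makes this safe to re-run; the private/ directory is locked down
# because it will hold the CA and server keys.
mkdir -p /etc/ssl/demoCA/newcerts /etc/ssl/demoCA/certs \
  /etc/ssl/demoCA/crl /etc/ssl/demoCA/private
cd /etc/ssl/demoCA || exit 1
chmod 0700 private
# 'openssl ca' needs an (initially empty) database plus seeded serial counters.
touch index.txt
printf '01\n' | tee serial crlnumber >/dev/null
# Do NOT pre-create crl/ca.crl with touch: an empty file is not a valid CRL and
# httpd will most likely refuse to start when SSLCARevocationFile points at it.
# Generate it with 'openssl ca -gencrl' (see the revocation step) instead.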
- Becoming a Certification Authority (CA)
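# Become a private CA. Run from /etc/ssl because the page's openssl.cnf uses
# the relative dir=./demoCA; paths below are relative to that.
cd /etc/ssl || exit 1
# Files created from here on are readable only by the owner (root).
umask 077
# Encrypt the CA key with AES-256 instead of 3DES (legacy cipher). You are
# prompted for a pass-phrase, which is then required for every signing.
openssl genrsa -aes256 -out demoCA/private/cakey.pem 4096
# Self-signed root certificate, 10-year validity. -sha256 is explicit because
# old OpenSSL releases still default to SHA-1 signatures.
openssl req -new -x509 -sha256 -days 3650 -key demoCA/private/cakey.pem -out demoCA/cacert.pem
# The later 'chmod 0400 private/*.key' does not match cakey.pem, so lock it here.
chmod 0400 demoCA/private/cakey.pem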
- Create the server key and certificate signing request (CSR)
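# Server key and certificate signing request (run from /etc/ssl).
cd /etc/ssl || exit 1
umask 077
# AES-256 rather than 3DES; the pass-phrase is stripped again later so httpd
# can start unattended, so pick anything here.
openssl genrsa -aes256 -out demoCA/private/server.key 2048
# '-days' on a CSR is ignored (it only applies with -x509); validity is fixed
# when the CA signs. Enter the server's DNS name at the Common Name prompt,
# but note current browsers match only subjectAltName, which is added at
# signing time.
openssl req -new -sha256 -key demoCA/private/server.key -out demoCA/private/server.csr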
- Sign the CSR with our CA key and certificate to produce the server certificate
openssl ca -in demoCA/private/server.csr -out demoCA/certs/server.crt -days 3650
- Set up httpd. Edit httpd.conf and uncomment these lines (module paths vary by distribution)
# mod_socache_shmcb (httpd 2.4+) provides the shared-memory cache used by
# mod_ssl's SSLSessionCache; it must be loaded before mod_ssl is configured.
LoadModule socache_shmcb_module lib64/httpd/modules/mod_socache_shmcb.so
LoadModule ssl_module lib64/httpd/modules/mod_ssl.so
# Pull in the TLS virtual-host configuration edited in the next step.
Include /etc/httpd/extra/httpd-ssl.conf
- Edit extra/httpd-ssl.conf
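# Server certificate and its (unencrypted, 0400 root-owned) private key.
SSLCertificateFile /etc/ssl/demoCA/certs/server.crt
SSLCertificateKeyFile /etc/ssl/demoCA/private/server.key
# The chain sent to clients is the issuing CA, not the server certificate
# itself (the original pointed this at server.crt). Deprecated since httpd
# 2.4.8: the preferred form is to append cacert.pem to SSLCertificateFile.
SSLCertificateChainFile /etc/ssl/demoCA/cacert.pem
# The SSLCA* directives only take effect when client-certificate
# authentication is enabled (SSLVerifyClient). The *Path variants expect a
# directory of hash-named files (openssl rehash / c_rehash); the *File
# variants take a plain PEM file.
SSLCACertificatePath /etc/ssl/demoCA/certs
SSLCACertificateFile /etc/ssl/demoCA/cacert.pem
SSLCARevocationPath /etc/ssl/demoCA/crl
SSLCARevocationFile /etc/ssl/demoCA/crl/ca.crl
# httpd 2.4 ignores the CRL unless checking is switched on. ca.crl must be a
# real CRL produced by 'openssl ca -gencrl'; an empty placeholder file is
# likely to stop httpd from starting.
SSLCARevocationCheck chain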
- Remove the pass-phrase from the server key so httpd can start unattended (the key then sits unencrypted on disk, so restrict its ownership and permissions)
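# Strip the pass-phrase from the server key so httpd can start unattended.
# Trade-off: the key is now in clear text on disk, so anyone who can read the
# file holds the server identity. Keep it root-owned and unreadable by others;
# httpd reads it while still running as root. The encrypted original is kept
# as server.key.org.
umask 077
cd /etc/ssl/demoCA/private || exit 1
mv server.key server.key.org
# Prompts for the pass-phrase chosen when the key was generated.
openssl rsa -in server.key.org -out server.key
cd /etc/ssl/demoCA || exit 1
chmod 0700 private
# Cover the CA key too: the glob *.key does not match cakey.pem.
chmod 0400 private/*.key private/cakey.pem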
- Verify that a private key matches its Certificate
openssl x509 -noout -modulus -in certs/server.crt | openssl md5 && openssl rsa -noout -modulus -in private/server.key | openssl md5
- Revocation. This is only needed if the server certificate is compromised (e.g. someone broke into the server and stole server.key). Note that the CRL configured in httpd is consulted when verifying client certificates; to make browsers reject a revoked server certificate the CRL must be published where they can fetch it, and in practice the compromised certificate is simply replaced.
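# Revoke the server certificate and publish a fresh CRL.
# Run from /etc/ssl (dir=./demoCA in openssl.cnf). The CA key is
# private/cakey.pem and the CA certificate is demoCA/cacert.pem, matching the
# files created earlier (the original pointed at private/ca.key and
# certs/cacert.pem, which do not exist).
cd /etc/ssl || exit 1
# Order matters: revoke FIRST, then generate the CRL. A CRL generated before
# the revoke does not list the certificate.
openssl ca -revoke demoCA/certs/server.crt -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem
openssl ca -gencrl -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem -out demoCA/crl/ca.crl
# Afterwards: issue a replacement server certificate, reload httpd so mod_ssl
# re-reads the CRL, and get the CRL to whoever validates the server certificate
# (the clients) — httpd only consults it when verifying client certificates.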