Create/Enable SSL Certificates for Apache on Linux/Unix Systems eg. Redhat,Centos,Debian

Shortcut/Easiest Way To Create A Self-Signed Key:

openssl req -new -x509 -nodes -days 1530 -out server.crt -keyout server.key

Using the above, you instantly create a self-signed certificate valid for 1530 days and you can simply skip to step #5.) below.

If You Need a Real SSL Certificate (eg. Equifax/Openssl) then you need to create a CSR request (you'll need to follow Steps 1.) and 2.) in order to create the CSR.  You then upload the CSR Certificate to your SSL Provider and they will e-mail you the .crt (SSL Certificate).  Remember to keep your key from Step 1, you need the .key and .crt (from your SSL) provider to make use of your certificate.


 

1.) Create Your Private Key


openssl genrsa -out ssl-private.key 2048

(note above I didn't include the -des3 switch as that makes you choose a passphrase for your key which we don't want).

*Be sure not to lose this key file, especially if you are using the CSR request in Step 2.) to apply for a real SSL certificate

Generating RSA private key, 2048 bit long modulus
.............................................+++
..................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for ssl-private.key:
Verifying - Enter pass phrase for ssl-private.key:

2.) Create CSR Request (Certificate Signing Request)

openssl req -new -key ssl-private.key -out ssl-request.csr

Enter pass phrase for ssl-private.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3.) Remove Password/Passphrase From Private Key (otherwise Apache asks for the password each time you start it)

mv ssl-private.key ssl-private.key-pass
openssl rsa -in ssl-private.key-pass -out ssl-private.key

Enter pass phrase for ssl-private.key-pass:
writing RSA key

4.) Make Self Signed Certificate


openssl x509 -req -days 730 -in ssl-request.csr -signkey ssl-private.key -out ssl-certificate.crt
unable to load certificate
20243:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE

*(don't forget the -req or you'll get the above error)

5.) Place CRT & KEY inside /etc/httpd/conf/httpd.conf or edit your VHOST conf

cp ssl-private.key ssl.key/server.key
cp ssl-certificate.crt ssl.crt/server.crt

Here is what you should be inside the vhost (obviously be sure that you have the correct path and filenames):

SSLEngine on
SSLVerifyClient none
SSLCertificateFile /etc/httpd/ssl-certs/server.crt
SSLCertificateKeyFile /etc/httpdssl-certs/server.key

*Remember to restart Apache or the new certificate won't be applied/take effect until you do.

 

 


Tags:

enable, ssl, certificates, apache, linux, unix, eg, redhat, centos, debianshortcut, easiest, openssl, req, nodes, server, crt, keyout, instantly, certificate, valid, equifax, csr, ll, upload, provider, genrsa, didn, des, passphrase, generating, rsa, modulus, phrase, verifying, incorporated, distinguished, dn, fields, default, gb, province, berkshire, locality, newbury, ltd, organizational, hostname, email, attributes, password, optional, mv, signkey, unable, pem, routines, pem_read_bio, pem_lib, etc, httpd, conf, edit, vhost, cp, filenames, sslengine, sslverifyclient, sslcertificatefile, certs, sslcertificatekeyfile, httpdssl, restart, applied,

Latest Articles

  • Cisco Unified Communication Manager (CUCM) - How To Add Phones
  • pptp / pptpd not working in DD-WRT iptables / router
  • systemd-journald high memory usage solution
  • How to Install FreePBX in Linux Debian Ubuntu Mint Guide
  • How To Install Cisco's CUCM (Cisco Unified Communication Manager) 12 Guide
  • Linux Ubuntu Redhat How To Extract Images from PDF
  • Linux and Windows Dual Boot Issue NIC Won't work After Booting Windows
  • Cisco CME How To Enable ACD hunt groups
  • How to install gns3 on Linux Ubuntu Mint
  • How to convert audio for Asterisk .wav format
  • Using Cisco CME Router with Asterisk as a dial-peer
  • Cisco CME How To Configure SIP Trunk VOIP
  • Virtualbox host Only Network Error Failed to save host network interface parameter - Cannot change gateway IP of host only network
  • Cisco CME and C7200 Router Testing and Learning Environment on Ubuntu 20+ Setup Tutorial Guide
  • Abusive IP ranges blacklist
  • How to Install Any OS on a Physical Drive from Windows Using VMware Workstation (Linux, Windows, BSD)
  • CDN Cloudflare how to set and preserve the real IP of the client without modifying application code on Apache
  • CentOS 7 fix Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=container error was 14: curl#6 -
  • Ubuntu Debian How To Install Recommended Packages Automatically
  • How to set Linux Ubuntu Redhat Debian Command Line http https socks proxy for yum apt