How to generate Certificate Signing Request (CSR) for Apache with OpenSSL / HTTPS

Here I share how to generate a Certificate Signing Request (CSR) for Apache with OpenSSL (HTTPS). Let us see how to do so, step by step:

1. Create a directory for SSL
   a. mkdir -p /etc/httpd/ssl
   b. cd /etc/httpd/ssl

2. Generating private key
   a. openssl genrsa -des3 -out <domain name>.key 2048


Note: You will be prompted to enter a password. The password will be needed every time you restart Apache.

3. Generating a Certificate Signing Request (CSR)
   a. openssl req -new -key <domain name>.key -out <domain name>.csr

Note: You will need to provide the following details:
   i. Enter pass phrase for <domain name>.key
   ii. Country Name (2 letter code)
   iii. State or Province Name
   iv. Locality Name (eg, city)
   v. Organization Name (eg, company)
   vi. Organizational Unit Name (eg, section)
   vii. Common Name (eg, domainname.com or *.domainname.com)
   viii. Email Address
   ix. Extra attributes are not required.

Once the CSR is generated, you will need to provide this file to a certificate authority (CA) to generate a .crt and bundle file. Once these are generated and downloaded onto the server, follow the steps below:

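4. Adding certificate files configuration into Apache virtual host
   a. SSLEngine on
   b. SSLProtocol all -SSLv2
   c. SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
   d. SSLCertificateFile /etc/httpd/ssl/<domain name>.crt
   e. SSLCertificateKeyFile /etc/httpd/ssl/<domain name>.key
   f. SSLCACertificateFile /etc/httpd/ssl/<gd_bundle>.crt

Note: SSLProtocol all -SSLv2 turns off only SSLv2, and the cipher string above explicitly admits RC4 and LOW-strength suites, so check both lines against your current TLS policy before using them.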

5. Restart Apache
   a. service httpd restart or /etc/init.d/httpd restart
      (you will need to enter the password for the SSL key)

6. Generating a Self-Signed SSL Certificate (CRT file)
   a. openssl x509 -req -days 365 -in <domain name>.csr -signkey <domain name>.key -out <domain name>.crt
Note: You will be prompted to enter the password for the SSL key.
 
7. Removing the password from SSL key file
   a. cp <domain name>.key <domain name>.key.bak  (keeping backup)
   b. openssl rsa -in <domain name>.key.bak -out <domain name>.key
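
A non-interactive dry run of steps 2, 3 and 6 that also checks that the key, CSR and certificate carry the same public key before Apache is restarted. This is an added example, not part of the original post; the function names, www.example.com, the subject fields and the unencrypted scratch key are assumptions made so it runs without prompts.

```shell
#!/bin/sh
# Added example. Constructed values: www.example.com, the subject fields,
# the scratch directory. Needs OpenSSL 1.1.1 or later for -addext.

# Print the public key (PEM) carried by a key, CSR or certificate file.
pubkey_of() {   # $1 = key|csr|crt, $2 = file
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        *)   return 2 ;;
    esac
}

# True only when both files parse and carry the same public key.
# A mismatch here is what makes Apache refuse to start after step 4.
same_pubkey() {   # $1 type, $2 file, $3 type, $4 file
    a=$(pubkey_of "$1" "$2") || return 1
    b=$(pubkey_of "$3" "$4") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Steps 2 and 3 without prompts. Browsers match the host name against
# subjectAltName, so it is requested alongside the Common Name.
make_csr() {   # $1 = host name, $2 = output directory
    ( umask 077   # private key readable by its owner only
      openssl genrsa -out "$2/$1.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$2/$1.key" -out "$2/$1.csr" \
        -subj "/C=US/ST=State/L=City/O=Example Org/CN=$1" \
        -addext "subjectAltName=DNS:$1"
}

# Step 6: self-sign the CSR with its own key.
self_sign() {   # $1 = host name, $2 = directory
    openssl x509 -req -days 365 -in "$2/$1.csr" \
        -signkey "$2/$1.key" -out "$2/$1.crt" 2>/dev/null
}

# Run the whole chain in a scratch directory and clean up afterwards.
demo() {
    d=$(mktemp -d) || return 1
    h=www.example.com
    make_csr "$h" "$d" && self_sign "$h" "$d" &&
        same_pubkey key "$d/$h.key" csr "$d/$h.csr" &&
        same_pubkey key "$d/$h.key" crt "$d/$h.crt"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo && echo "key, CSR and certificate agree"
```

With the passphrase-protected key from step 2, openssl pkey asks for the passphrase before printing the public key.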
