SSL Certs

From Devpit

There are two ways to make TLS key and certificate files without giving anyone money. The easy way is to skip the certificate authority and use a self-signed certificate (each client then has to trust that one certificate by itself). Do this for each certificate:

umask 077                                                                     # files created below are mode 0600
openssl genrsa -des3 -out whatever.com.key -passout pass:asdf 2048            # 2048-bit RSA key, encrypted with a throwaway passphrase
openssl rsa -in whatever.com.key -out whatever.com.key -passin pass:asdf      # rewrite the same key without the passphrase
openssl req -new -x509 -days 3650 -key whatever.com.key -out whatever.com.crt # self-signed certificate, valid 10 years

The other way is to run your own private CA and sign every certificate with it, so clients only need to trust ca.crt once. If you don't have a CA file yet, do this (the files must be named ca.* for sign.sh):

umask 077                                                          # files created below are mode 0600
openssl genrsa -des3 -out ca.key -passout pass:asdf 2048           # CA private key, encrypted with a throwaway passphrase
openssl rsa -in ca.key -out ca.key -passin pass:asdf               # rewrite the same key without the passphrase
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt          # self-signed CA certificate, valid 10 years

Then do this for each certificate:

umask 077                                                                 # files created below are mode 0600
openssl genrsa -des3 -out whatever.com.key -passout pass:asdf 2048        # server private key, encrypted with a throwaway passphrase
openssl rsa -in whatever.com.key -out whatever.com.key -passin pass:asdf  # rewrite the same key without the passphrase
openssl req -new -key whatever.com.key -out whatever.com.csr              # certificate signing request (not yet a certificate)
./sign.sh whatever.com.csr                                                # sign the CSR with ca.key/ca.crt, producing whatever.com.crt
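The whole private-CA procedure above, as an added example rather than the page's sign.sh: it builds the CA, issues a server certificate that carries its names in subjectAltName (which is what browsers actually match on, not the Common Name), and then checks hostname matching with openssl verify, so the wildcard behaviour from the notes can be tested instead of guessed at. It assumes openssl(1) 1.1.1 or newer on PATH; "Example Private CA", whatever.com and the function names are made up for the example. Each step writes its own minimal config file so the system openssl.cnf is not needed.

```shell
# Private CA plus a SAN-bearing server certificate, as shell functions.
# Added example, not the page's sign.sh. Assumes openssl(1) 1.1.1 or newer
# on PATH; "Example Private CA" and the whatever.com names are made up.
set -e
umask 077   # every key and config written below is mode 0600

# make_ca DIR: write DIR/ca.key and DIR/ca.crt (self-signed root, 10 years).
make_ca() {
  mkdir -p "$1"
  cat > "$1/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Private CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # genrsa without -des3 writes an unencrypted key: nothing to strip later
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -config "$1/ca.cnf" \
    -key "$1/ca.key" -out "$1/ca.crt"
}

# issue_cert DIR HOST [ALT...]: key + CSR for HOST, signed by DIR/ca.*, with
# HOST and every ALT listed in subjectAltName (browsers match SAN, not CN).
issue_cert() {
  dir=$1; host=$2; shift 2
  san="DNS:$host"
  for alt in "$@"; do san="$san,DNS:$alt"; done
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$host" \
    > "$dir/$host.cnf"
  openssl req -new -config "$dir/$host.cnf" \
    -key "$dir/$host.key" -out "$dir/$host.csr"
  # extensions the CA stamps onto the leaf; x509 -req reads the unnamed section
  cat > "$dir/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
  openssl x509 -req -days 3650 -in "$dir/$host.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# name_ok DIR HOST NAME: succeed iff DIR/HOST.crt chains to DIR/ca.crt and
# is valid for NAME (RFC 6125 rules: *.whatever.com covers exactly one label).
name_ok() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$1/$2.crt" >/dev/null 2>&1
}

# san_of DIR HOST: print the names in the certificate's subjectAltName
san_of() {
  openssl x509 -in "$1/$2.crt" -noout -text | sed -n '/Subject Alternative Name/{n;p;}'
}

# Usage (uncomment to run): a CA in ./pki and a cert for whatever.com plus its subdomains
# make_ca pki && issue_cert pki whatever.com '*.whatever.com' \
#   && name_ok pki whatever.com www.whatever.com && echo "www.whatever.com: OK"
```

The checks worth running after issuing a certificate are the two `name_ok` calls in the usage line and its negations: `*.whatever.com` makes `www.whatever.com` verify, while `whatever.com` itself only verifies because it is listed separately, and `a.b.whatever.com` does not verify at all.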


Notes:

  • Just leave all the prompted fields blank except set the Common Name to the hostname. Current browsers ignore the Common Name and match the hostname against the subjectAltName extension, so also put the hostname there (with OpenSSL 1.1.1 or later, openssl req accepts -addext "subjectAltName=DNS:whatever.com"); a certificate with only a Common Name is rejected.
  • If you set the name to *.whatever.com, it will work for all direct subdomains (www.whatever.com). A wildcard matches exactly one label, so it does not cover whatever.com itself or a.b.whatever.com; list those separately.
  • Setting the Common Name to a bare * experimentally worked for all names in the author's browser at the time, but current browsers reject it: a wildcard must be the leftmost label of a name with at least two labels.
  • Without SNI, each certificate needs its own listening socket (IP address and port), since the server cannot know the hostname before it begins encrypting. With SNI (the TLS server_name extension) the client sends the hostname in its first message, so one socket can serve several name-based virtual hosts with different certificates; only old clients without SNI still need the separate socket.
  • genrsa -des3 encrypts the key with a passphrase, and a server would have to prompt for it at every start, which is why the second command is there to remove the passphrase. (genrsa without -des3 writes an unencrypted key directly, and passing the passphrase as pass:asdf on the command line exposes it in the process list and shell history, which only matters because it is thrown away immediately.)
  • sign.sh uses ca.key and ca.crt to sign the specified csr. This generates a crt file.
  • Copy *.key and *.crt to a directory like /etc/apache/certs and point httpd.conf at them with SSLCertificateFile and SSLCertificateKeyFile. Keep the .key files mode 0600 and owned by root; the .crt files are public.
  • mod_ssl faq: http://www.modssl.org/docs/2.8/ssl_faq.html
  • You may want to modify sign.sh to use 3650 days instead of 365.
  • Useful script http://www.defcon1.org/html/Software_Articles/Direct-X/VNC-Server/CVS-Server/postfix-smtp.html