A blog for Linux Lovers.

Posted by sibu on June 11, 2009

SSL Certificates

SSL Certificates:

Normally data is sent unencrypted over Internet, which means anybody with certain tools can hack all your data. To pervent this from happening SSL (Secure Socket Layer) is used to encrypt the data stream between the Web Server and the Web Client.


* Self Signed Certificate
* Certificate issued by a trusted Certificate Authority(CA)

Why is a certificate issued by a CA necessary?

Simple - It is not really necessary - the data is secure and cannot easily be decrypted by a third party. However, certificates do serve a crucial role in the communication process. The certificate, signed by a trusted Certificate Authority, ensures that the certificate holder is really who he claims to be. Without a trusted signed certificate, your data may be encrypted, however, the party you are communicating with may not be whom you think. Without certificates, impersonation attacks would be much more common.

Steps in generating Certificates:

* Generate a Private Key
* Generate a CSR (Certificate Signing Request)
* Generating a Self-Signed Certificate / Get the Certificate from a CA
* Installing the Private Key and Certificate
* Configuring SSL Enabled Virtual Hosts
* Restart Apache and Test

Generate a Private Key:

* OpenSSL tool is used for this purpose, make sure openssl is installed
* It is always ideal to include the domain names in file names

openssl genrsa -out /etc/httpd/conf/ssl.key/domain.key 1024

Generate a CSR:

* Once the Private Key is created, use it to generate a CSR
* Avoid entering data for extra attributes like : “A Challenge Password”, since this might be asking you for the passphrase each time you restart Apache

openssl req -new -key /etc/httpd/conf/ssl.key/domain.key -out /etc/httpd/conf/ssl.crt/domain.csr

Generating a Self-Signed Certificate / Get the Certificate from CA

* A Self-Signed Certificate is one that we create by ourself
* However, using a self-signed certificate will generate an error in clients browser that, “igning certificate authority is unknown and not trusted”.

openssl x509 -req -in /usr/local/apache/ssl.crt/domain.csr -signkey /usr/local/apache/ssl.key/domain.key -out /usr/local/apache/ssl.crt/domain.crt

* And to get a Certificate from a CA, all you have to do is send them a copy of the Private key and CSR ytou have just generated on the server

* Copy all the certificates generated to appropriate folders

Configuring SSL Enabled Virtual Hosts

Configure your httpd.conf to encorporate the SSL Certificates with Apache Server

SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/domain.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/domain.key
SetEnvIf User-Agent “.*MSIE.*” nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
“%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \”%r\” %b”

Add A Comment