Create a RSA private key for your Apache server (will be Triple-DES encrypted and PEM formatted): $ openssl genrsa -des3 -out server.key 2048 Please backup this server.key file and the pass-phrase you entered in a secure location. You can see the details of this RSA private key by using the command. How can I find the private key for my SSL certificate. If you just got an issued SSL certificate and are having a hard time finding the corresponding private key, this article can help you to find that one and only key for your certificate. Depending on your network you may have to move your SSL/TLS server certificate and its private key from one system to another. This article covers how to move your server certificate, and its private key from IIS that uses a single pfx/p12/pkcs#12 file to Apache that uses separate.pem.crt, key files. Perhaps the private key is still somewhere in your system - it should be a.key file. Which command did you use to make the CSR? Note that if you don't have the private key anymore then this certificate is useless and you'll need to request a new one. Edit: possible duplicate of Apache - Generate private key from an existing.crt file.
Online, it is crucial for your visitors to know that the connection is secure. To encrypt the connection to your website, SSL certificates are commonly used to establish a secure connection. Webmasters may buy SSL certificates to secure their website from web hosting companies who sell offerings from premium vendors such as GeoTrust, Verisign, and others.
Assuming you have apache and open ssl installed, you would like to generate and setup an SSL certificate for a domain and generate a CSR.
First, Generate the RSA & CSR (Signing Request)
[root@chevelle root]#
[root@chevelle root]# cd /etc/httpd/conf/ssl.key
Generate the RSA without a passphrase: Generating a RSA private key without a passphrase (I recommended this, otherwise when apache restarts, you have to enter a passphrase which can leave the server offline until someone inputs the passphrase)
[root@chevelle /etc/httpd/conf/ssl.key]# openssl genrsa -out yourdomain.key 1024
Or, with a passphrase: Generating a RSA private key with a passphrase. You will be prompted to enter a passphrase right after you hit enter.
[root@chevelle/etc/httpd/conf/ssl.key]# openssl genrsa -des3 -out yourdomain.key 1024
You should generally NOT generate the RSA private key with a passphrase if you have scripts that restart apache automatically in case of a crash or otherwise. If there is a passphrase, Apache will just sit there and wait for the script to input the passphrase which means downtime, and downtime usually equals bad.
Next generate the CSR using the RSA Private Key
[root@chevelle/etc/httpd/conf/ssl.csr]# openssl req -new -key yourdomain.key -out yourdomain.csr
[root@chevelle/etc/httpd/conf/ssl.csr]# mv yourdomain.csr ../ssl.csr
You will be asked to enter your Common Name, Organization, Organization Unit, City or Locality, State or Province and Country.
Do not enter these characters ‘< > ~ ! @ # $ % ^ * / ( ) ?.,&’ because they will not be accepted.
Common Name: the domain for the web server (e.g. MYdomain.com)
Organization: the name of your organization (e.g. YUPAPA)
Organization Unit: the section of the organization (e.g. Sales)
City or Locality: the city where your organzation is located (e.g. Flanders)
State or Province: the state / province where your organzation is located (e.g New Jersey)
Country: the country where your organzation is located (e.g US)
You may be asked for an email address and a challenge password. I usually just hit enter.
Now you should have:
/etc/httpd/conf/ssl.key/yourdomain.key
/etc/httpd/conf/ssl.csr/yourdomain.csr
Be sure to always make a backup copy of your private key! If you lose it, you’ll have to purchase a new cert!
Now you need to submit your CSR to your provider and they will mail you the certificate. They usually also send you a confirmation email before the certificate is sent out.
Now that you have the certificate..
Installing the Certificate for Apache
[root@chevelle root]# cd /etc/httpd/conf/ssl.crt
Copy the certificate that they mailed you to yourdomain.crt
Open your httpd.conf file and place the following to your virtualhost
<VirtualHost 209.123.546.123:443>
– other config details-
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/yourdomain.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/yourdomain.key
</VirtualHost>
Restart apache
OPTION 1 [root@chevelle /etc/httpd/conf/ssl.crt]# apachectl restart
OPTION 2 (using the sh script) [root@chevelle /etc/httpd/conf/ssl.crt]# /etc/rc.d/init.d/httpd restart
You may be asked to enter the passphrase IF you generated the RSA with a passphrase. If you do NOT want to be asked for a passphrase when restarting apache, re-generate your RSA key file.
[root@chevelle /etc/httpd/conf/ssl.crt]# cd ../ssl.key
[root@chevelle /etc/httpd/conf/ssl.key]# mv yourdomain.key yourdomain.key.has-passphrase
[root@chevelle /etc/httpd/conf/ssl.key]# openssl rsa -in yourdomain.key.has-passphrase -out yourdomain.key
And then restart apache again
[root@chevelle /etc/httpd/conf/ssl.crt]# /etc/rc.d/init.d/httpd restart
Now you should be able to access https://yourdomain.com
The following instructions will guide you through the CSR generation process on Apache OpenSSL. To learn more about CSRs and the importance of your private key, reference our Overview of Certificate Signing Request article. If you already generated the CSR and received your trusted SSL certificate, reference our SSL Installation Instructions and disregard the steps below.
Log in to your server’s terminal via Secure Shell (SSH).
Generate a private key and CSR by running the following command:Here is the plain text version to copy and paste into your terminal:
Note: Replace “server” with the domain name you intend to secure.
Enter the following CSR details when prompted:
Note: You are not required to enter a password or passphrase. This optional field is for applying additional security to your key pair.
Locate and open the newly created CSR in a text editor such as Notepad and copy all the text including:
Note 1: Your CSR should be saved in the same user directory that you SSH into unless otherwise specified by you. Note 2: We recommend saving or backing up your newly generate “.key” file as this will be required later during the installation process.
Return to the Generation Form on our website and paste the entire CSR into the blank text box and continue with completing the generation process.
Upon generating your CSR, your order will enter the validation process with the issuing Certificate Authority (CA) and require the certificate requester to complete some form of validation depending on the certificate purchased. For information regarding the different levels of the validation process and how to satisfy the industry requirements, reference our validation articles.
After you complete the validation process and receive the trusted SSL Certificate from the issuing Certificate Authority (CA), proceed with the next step using our SSL Installation Instructions for Apache OpenSSL.
Related Posts