...
- 2048 - make the RSA private key 2048 bits long; treat that as the minimum, since 1024-bit keys are no longer accepted by browsers or public CAs
- The default output file format is PEM.
Note |
---|
Notice the creation of the private directory. Only the administrators who actually need it should be able to read the private key: anyone who can read the key file can impersonate the server, so keep the file owned by root with mode 0600 and the directory with mode 0700, and never copy it into a world-readable location. |
File Output
It is important to understand the file formats in use, because the key and certificate may have to be moved to other systems that expect a different encoding.
PEM is Base64-encoded DER wrapped in BEGIN/END header lines and is what Unix tooling expects; DER is the raw binary encoding, typically used with Java; PKCS#12 (.p12 or .pfx) is a password-protected bundle of the private key plus its certificate chain and is what Windows/IIS expects on import.
OpenSSL uses PEM by default. Converting between PEM and DER does not add any protection, so a converted key needs the same file permissions as the original.
Generate the CSR
Generate the CSR (Certificate Signing Request) that will be submitted to the CA:
Code Block
openssl req -new -key www.earth.com_server.pem.key -out www.earth.com_server.pem.csr
You will be prompted to enter information about the certificate. The values should reflect your organization; the Common Name must be the exact host name clients will connect to (www.earth.com here), and the optional challenge password can be left empty. Modern clients match the host name against the Subject Alternative Name rather than the Common Name, so check that the CA copies the name into the SAN or request it explicitly.
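The key, directory and CSR steps above, run end to end as an added example (not part of the original page): it creates the private directory with the right permissions, generates the 2048-bit key, builds the CSR non-interactively with a Subject Alternative Name, verifies the CSR before it is sent to the CA, and converts the key into the DER and PKCS#12 formats discussed under File Output. All paths, subject fields and the PKCS#12 password are hypothetical, it works in a temporary directory rather than /etc/ssl, and it assumes OpenSSL 1.1.1 or newer (for `req -addext`). Since no CA-issued certificate exists at this point, a one-day self-signed certificate stands in as the thing to bundle into the PKCS#12 file.

```shell
#!/bin/sh
# Added example, not from the original page: key + CSR + format conversion,
# with the checks a practitioner runs before submitting the CSR.
# Assumes openssl >= 1.1.1 on PATH. Everything happens in a throwaway
# directory, so /etc/ssl is never touched. All names are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="www.earth.com"
KEY="$WORK/private/${HOST}_server.pem.key"
CSR="$WORK/certs/${HOST}_server.pem.csr"

# SHA-256 of the DER-encoded public key inside a private key file ($2 = PEM|DER).
key_pub_fpr() {
    openssl pkey -in "$1" -inform "$2" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Same fingerprint, taken from the public key embedded in a CSR.
csr_pub_fpr() {
    openssl req -in "$1" -pubkey -noout | openssl pkey -pubin -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Step 1: private directory and a 2048-bit RSA key that only the owner can read.
make_key() {
    mkdir -p "$WORK/private" "$WORK/certs"
    chmod 0700 "$WORK/private"
    # umask inside a subshell: the key is born 0600 and is never briefly world-readable
    (umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" 2>/dev/null)
    chmod 0600 "$KEY"
    # fail loudly if the key size is not what we asked for
    openssl pkey -in "$KEY" -noout -text | grep -q '(2048 bit'
}

# Step 2: CSR with the subject on the command line (no prompts) and a SAN
# extension, since clients match the host name against the SAN, not the CN.
make_csr() {
    openssl req -new -key "$KEY" \
        -subj "/C=US/ST=Somewhere/L=Anytown/O=Earth Inc/CN=${HOST}" \
        -addext "subjectAltName=DNS:${HOST},DNS:earth.com" \
        -out "$CSR"
}

# Step 3: before submitting, confirm the CSR's self-signature verifies and that
# the public key inside it really belongs to the private key we just protected.
check_csr() {
    openssl req -in "$CSR" -noout -verify 2>&1 | grep -q 'verify OK'
    [ "$(key_pub_fpr "$KEY" PEM)" = "$(csr_pub_fpr "$CSR")" ]
}

# Step 4: the same key in the other formats from the File Output section.
#   DER     - raw binary encoding (Java tooling)
#   PKCS#12 - password-protected key + certificate bundle (Windows/IIS import)
# A throwaway one-day self-signed certificate stands in for the CA-issued one.
convert_formats() {
    openssl pkey -in "$KEY" -outform DER -out "$WORK/private/${HOST}_server.der.key"
    openssl req -new -x509 -key "$KEY" -days 1 -subj "/CN=${HOST}" \
        -out "$WORK/certs/${HOST}_selfsigned.pem.crt"
    openssl pkcs12 -export -inkey "$KEY" -in "$WORK/certs/${HOST}_selfsigned.pem.crt" \
        -out "$WORK/private/${HOST}_server.p12" -passout pass:changeit
    chmod 0600 "$WORK/private/${HOST}_server.der.key" "$WORK/private/${HOST}_server.p12"
    # round trip: the DER copy carries the same public key as the PEM original
    [ "$(key_pub_fpr "$WORK/private/${HOST}_server.der.key" DER)" = "$(key_pub_fpr "$KEY" PEM)" ]
}

run_all() { make_key && make_csr && check_csr && convert_formats; }

run_all
echo "artifacts written under $WORK"
```

To inspect what the CA will see, `openssl req -in "$CSR" -noout -text` prints the subject, key size and the requested SAN; if the SAN is missing the CA may issue a certificate that browsers refuse for the host name.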
...
Code Block
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName www.earth.com
    ServerAlias earth.com
    DocumentRoot /home/www.earth.com/www
    <Directory />
        # This prevents use of .htaccess
        AllowOverride None
    </Directory>

    ErrorLog /var/log/apache2/ssl_www.earth.com.error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/ssl_www.earth.com.access.log combined

    # ---------------------
    # Start Enable SSL
    # -----------------
    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # Load the keys (ServerName must match the certificate's host name)
    SSLCertificateFile /etc/ssl/certs/www.earth.com_server.pem.crt
    SSLCertificateKeyFile /etc/ssl/private/www.earth.com_server.pem.key

    # Load the Certificate chain (deprecated since Apache 2.4.8: append the
    # intermediate certificate(s) to the SSLCertificateFile instead)
    SSLCertificateChainFile /etc/ssl/certs/StartSSL_Sub_Class1_CA.pem

    # Loads all Certificate Authorities in the provided path. Note that
    # SSLCACertificatePath/SSLCACertificateFile define the CAs trusted for
    # client certificates (SSLVerifyClient); they are not part of the server chain.
    SSLCACertificatePath /etc/ssl/certs/
    # Alternatively, load the specific Certificate Authority
    # SSLCACertificateFile /etc/ssl/certs/StartCom_Certification_Authority.pem

    # SSL Engine Options
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    # SSL Protocol Adjustments
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    # "MSIE [17-9]" matches MSIE 7 to 9 and 10 to 19 (and 1, but that should not be a problem)
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    # -----------------
    # End Enable SSL
    # ---------------------
</VirtualHost>
</IfModule>
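Before reloading Apache with a configuration like the one above, it is worth proving that the certificate, key and chain file it references belong together. The script below is an added example, not part of the original page or of Apache: it builds a throwaway root CA, an intermediate and a server certificate in a temporary directory so that it runs offline, writes a constructed, minimal stand-in for the VirtualHost that names the server certificate, its key and the intermediate, then reads the SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile directives back out of that file and checks that the key matches the certificate, that the certificate chains through the intermediate to a trusted root, that the SAN covers the ServerName, and that the key file is readable only by its owner. All file names and subject fields are hypothetical; OpenSSL 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example, not from the original page or from Apache: pre-flight checks
# for the files a mod_ssl VirtualHost references. Builds a throwaway
# root -> intermediate -> server chain in a temp directory so it runs offline.
# All names are hypothetical; openssl >= 1.1.1 is assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="www.earth.com"
CONF="$WORK/ssl_${HOST}.conf"
ROOT_CA="$WORK/certs/TestRoot.pem"   # stand-in for the system trust store

# 2048-bit RSA key created with a restrictive umask so it is never world-readable.
newkey() { (umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null); }

# Constructed fixture: test root, test intermediate, server cert with a SAN,
# and a minimal VirtualHost fragment pointing at them (as the page's config does).
setup_fixture() {
    mkdir -p "$WORK/certs" "$WORK/private"; chmod 0700 "$WORK/private"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/root.ext"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/sub.ext"
    printf 'subjectAltName=DNS:%s,DNS:earth.com\n' "$HOST" > "$WORK/server.ext"
    newkey "$WORK/private/root.key"
    openssl req -new -key "$WORK/private/root.key" -subj "/CN=Test Root CA" -out "$WORK/root.csr"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/private/root.key" -days 1 \
        -extfile "$WORK/root.ext" -out "$ROOT_CA" 2>/dev/null
    newkey "$WORK/private/sub.key"
    openssl req -new -key "$WORK/private/sub.key" -subj "/CN=Test Sub CA" -out "$WORK/sub.csr"
    openssl x509 -req -in "$WORK/sub.csr" -CA "$ROOT_CA" -CAkey "$WORK/private/root.key" -CAcreateserial \
        -days 1 -extfile "$WORK/sub.ext" -out "$WORK/certs/Test_Sub_CA.pem" 2>/dev/null
    newkey "$WORK/private/${HOST}_server.pem.key"
    openssl req -new -key "$WORK/private/${HOST}_server.pem.key" -subj "/CN=${HOST}" -out "$WORK/server.csr"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/certs/Test_Sub_CA.pem" -CAkey "$WORK/private/sub.key" \
        -CAcreateserial -days 1 -extfile "$WORK/server.ext" -out "$WORK/certs/${HOST}_server.pem.crt" 2>/dev/null
    cat > "$CONF" <<EOF
<VirtualHost *:443>
    ServerName ${HOST}
    SSLEngine on
    SSLCertificateFile      $WORK/certs/${HOST}_server.pem.crt
    SSLCertificateKeyFile   $WORK/private/${HOST}_server.pem.key
    SSLCertificateChainFile $WORK/certs/Test_Sub_CA.pem
</VirtualHost>
EOF
}

# First value of an Apache directive in $CONF.
directive() { awk -v d="$1" '$1 == d { print $2; exit }' "$CONF"; }

# SHA-256 over the DER SubjectPublicKeyInfo, taken from a certificate or a private key.
pub_of_cert() { openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }
pub_of_key()  { openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }

# 1. The certificate was issued for the key Apache will load next to it.
check_key_matches_cert() {
    [ "$(pub_of_key "$(directive SSLCertificateKeyFile)")" = "$(pub_of_cert "$(directive SSLCertificateFile)")" ]
}
# 2. Server cert -> intermediate(s) in the chain file -> a root the client trusts.
check_chain() {
    openssl verify -CAfile "$ROOT_CA" -untrusted "$(directive SSLCertificateChainFile)" \
        "$(directive SSLCertificateFile)" >/dev/null 2>&1
}
# 3. The ServerName appears in the SAN (modern clients ignore the CN).
check_name() {
    openssl x509 -in "$(directive SSLCertificateFile)" -noout -text | grep -q "DNS:$(directive ServerName)"
}
# 4. Group and others have no permissions at all on the private key.
check_key_perms() {
    [ "$(ls -l "$(directive SSLCertificateKeyFile)" | cut -c5-10)" = "------" ]
}
run_checks() { check_key_matches_cert && check_chain && check_name && check_key_perms; }

setup_fixture
run_checks && echo "$CONF: certificate, key and chain are consistent"
```

To run the same checks against a live configuration, point CONF at the real VirtualHost file, set ROOT_CA to the system bundle (for example /etc/ssl/certs/ca-certificates.crt) and drop the call to setup_fixture; directive() returns only the first match, so run it per VirtualHost file.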
...