...
```bash
su bhitch # Use a sudo enabled account.
cd ~
mkdir private
chmod 700 ./private
cd private
openssl genrsa -out www.earth.com_server.pem.base64.key 2048
```
The openssl command reads,
- 2048 - make the RSA private key 2048 bits long
- The default file format will be PEM (to link to upcoming article about formats and standards)
- The default encoding of the file will be base64 (link to upcoming article about formats and standards)
Note |
---|
Notice the creation of the private directory. It is very important that only the proper administrators have access to the private key. |
...
```bash
openssl req -new -key www.earth.com_server.pem.base64.key -out www.earth.com_server.pem.base64.csr
```
You will be prompted to enter information about the certificate. The values should reflect your organization.
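One way to confirm, before the CSR goes to the CA, that it was created from the private key generated above and that the key is readable only by its owner. This is an added example, not part of the original page; the function names, `sample.key`/`sample.csr` and the `sample.invalid` subject are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page); helper and file names are hypothetical.

# True only if group and other have no permission bits on the path (mode 700 or 600).
owner_only() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# make_sample DIR: build a constructed key and CSR with the page's two commands
# (-subj is added so the CSR is created without prompts).
make_sample() (
    umask 077
    mkdir -p "$1" && chmod 700 "$1" || exit 1
    openssl genrsa -out "$1/sample.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/sample.key" -subj "/CN=sample.invalid" \
        -out "$1/sample.csr" 2>/dev/null
)

# check_key_and_csr KEY CSR
# Prints one line per problem; exit status 0 means the pair is consistent and private.
check_key_and_csr() (
    key=$1 csr=$2 rc=0
    fail() { echo "FAIL: $*"; rc=1; }

    owner_only "$(dirname -- "$key")" || fail "directory holding $key is open to group/other"
    owner_only "$key" || fail "$key is open to group/other"

    # A CSR is self-signed by the requester's key. Match on the "verify OK" text
    # rather than relying on the exit status alone.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        fail "self-signature on $csr does not verify"

    # Derive the public key from both files and compare the PEM text.
    kp=$(openssl pkey -in "$key" -pubout 2>/dev/null) || kp=
    cp=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null |
         openssl pkey -pubin -pubout 2>/dev/null) || cp=
    { [ -n "$kp" ] && [ "$kp" = "$cp" ]; } || fail "$csr was not created from $key"

    [ "$rc" -eq 0 ] && echo "OK: $csr matches $key and the key is owner-only"
    [ "$rc" -eq 0 ]
)
```

From inside the private directory, run `check_key_and_csr www.earth.com_server.pem.base64.key www.earth.com_server.pem.base64.csr` after sourcing the functions.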
...
Info |
---|
Here are some useful details about the CSR,
|
...
The CA will sign the public key contained in your CSR and return it to you as your server certificate.
Warning |
---|
Provide a sub-page to explain the CA signing process as an example. |
...
Panel |
---|
Toolbox, Retrieve Certificate, select your certificate. The result is often a file in (I think) DER format (link to upcoming article about formats and standards) or base64, delivered as a file or as a webpage from which you must copy and paste the certificate text data into a text file. |
The text file should be saved with the domain name and the crt extension (link to upcoming article about formats and standards) and is your public key signed by that CA. In this example, it will be earth.com_server.crt.
...
Almost all CAs require the server to install one or more chain certificates.
You may download the chain certificate from your CA's website (you may need to search for it) or, more conveniently, download it from SSLShopper's list of Chain Certificates and respective CA Installation Instructions.
In this case I found the chain certificate on StartCom's How to Install Apache Server webpage, whose sample Apache configuration also indicates that,
- ca.pem is the root CA certificate
- sub.class1.server.ca.pem is the chain certificate
The file names, extensions and documentation on file formats for certificates are a mess (link to details). There is no real standard that everyone follows.
What About the CA Certificate?
You don't need it. Yes, it is noted in many tutorials on the Internet...
Store Certificates
In Ubuntu, the default locations for SSL certificates are,
...