Go4Expert (http://www.go4expert.com/articles/create-self-signed-ssl-certificate-t29151/)

pradeep 28Sep2012 18:53

Create A Self-Signed SSL Certificate To Use With Apache
 
Normally web traffic (HTTP) is unencrypted, i.e. it is passed around the network in plain text, so anyone on the path with the right tools can read what is being transmitted. For public pages this may be acceptable, but we also send sensitive data such as credit card numbers and passwords, and nowadays even ordinary personal information and e-mail matter because they can be used for identity theft. This is why sites like Facebook and Gmail now use HTTPS by default.

HTTPS runs HTTP over SSL (today TLS), which uses asymmetric cryptography, popularly known as public key cryptography. A key pair consists of a public key and a private key: anything encrypted with the public key can only be decrypted with the corresponding private key, and a signature made with the private key can be checked by anyone holding the public key. The encryption itself does not need a certificate. The certificate exists to bind the public key to an identity, i.e. to verify that the owner of the key is the person or organization they claim to be, which is why a CA (Certificate Authority) signs your certificate so that others can trust it. See the image below, showing how Gmail's certificate is signed by Thawte.

http://imgs.g4estatic.com/self-signe...ssl-chrome.jpg

If you only want to use SSL for web applications on your private network or within your organization, or just want to test your application over HTTPS, you can self-sign the certificate and add it to your browser's list of trusted certificates. A self-signed certificate gives you the same encryption as a CA-signed one; what it lacks is a third party's assertion of who you are, so it is not suitable for a public site.

Generating The Private Key

We'll use OpenSSL to generate a 2048-bit RSA private key. The -des3 option does not affect the key itself; it encrypts the key file with Triple-DES under a pass phrase, so the key cannot be used without it (Apache will then ask for the pass phrase at every start). In the real-world scenario this is the server's private key, which the CA never sees; the CA signs only the public part submitted in the CSR.

Code:

[pradeep@home-desktop ssl]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
................+++
..........................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

Creating A Certificate Signing Request (CSR)

Now that we have the private key, we need a CSR. It contains our public key and the identity fields below, and is normally sent to a CA such as VeriSign or Thawte, who sign it with their private key and return the certificate. Here we'll sign it ourselves. The Common Name should be the exact hostname users will type into the browser; a mismatch is one of the errors browsers report.

Code:

[pradeep@home-desktop ssl]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Mumbai
Locality Name (eg, city) [Newbury]:Matunga
Organization Name (eg, company) [My Company Ltd]:Go4expert
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:secure.go4expert.com
Email Address []:shabbir@go4expert.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Self-Signing The CSR

Now we sign the CSR with the same private key we generated in the first step, which produces the certificate. Because no trusted CA has signed it, browsers will show an error or warning for this certificate; how to get past that is covered in the last step.

Code:

[pradeep@home-desktop ssl]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=IN/ST=Mumbai/L=Matunga/O=Go4expert/CN=secure.go4expert.com/emailAddress=shabbir@go4expert.com
Getting Private key
Enter pass phrase for server.key:

This certificate is now valid for a year.
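The three steps above as a single added example (not code from the original article): a POSIX shell script that generates the key, the CSR and the self-signed certificate non-interactively, adds a subjectAltName, which current browsers require and which the interactive prompts above never ask for, verifies that the certificate really matches the key and names the host, and writes a matching Apache vhost. It departs from the article in leaving the key unencrypted (so httpd can start unattended) and relying on file permissions instead. The hostname secure.go4expert.com and the DN fields are taken from the article's CSR; the output directory, the extension file name and the Apache paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article. Generates the 2048-bit RSA
# key, the CSR and the self-signed certificate from the tutorial in one
# non-interactive pass, adds a subjectAltName (browsers ignore the CN now),
# verifies the result and writes a matching Apache vhost. The hostname, DN
# fields, output directory and Apache paths are assumptions.
set -eu

# Key + CSR + self-signed cert.  $1 hostname, $2 output dir, $3 days (default 365).
make_selfsigned_cert() {
    host=$1; out=$2; days=${3:-365}
    mkdir -p "$out"
    # Unencrypted key (no -des3) so httpd can start without a pass phrase prompt;
    # umask 077 makes the key file mode 0600 from the moment it is written.
    (umask 077; openssl genrsa -out "$out/server.key" 2048 2>/dev/null)
    # The DN is passed with -subj, replacing the interactive prompts.
    openssl req -new -key "$out/server.key" -out "$out/server.csr" \
        -subj "/C=IN/ST=Mumbai/L=Matunga/O=Go4expert/CN=$host"
    # Extensions for the certificate: the SAN must name the host, and
    # extendedKeyUsage restricts the certificate to TLS server use.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$out/server.ext"
    # Self-sign the CSR with the same key; that is what makes it "self-signed".
    openssl x509 -req -sha256 -days "$days" -in "$out/server.csr" \
        -signkey "$out/server.key" -extfile "$out/server.ext" \
        -out "$out/server.crt" 2>/dev/null
}

# Checks worth running before installing the files.  $1 hostname, $2 output dir.
# Returns 0 if every check passes, 1 otherwise.
verify_selfsigned_cert() {
    host=$1; out=$2
    # A self-signed certificate validates only against itself as trust anchor.
    openssl verify -CAfile "$out/server.crt" "$out/server.crt" >/dev/null 2>&1 || return 1
    # Not expired (checkend 0 = valid right now).
    openssl x509 -in "$out/server.crt" -noout -checkend 0 >/dev/null 2>&1 || return 1
    # The public key in the cert must be the public half of server.key; a
    # mismatch is the "key values mismatch" error httpd reports at startup.
    [ "$(openssl pkey -in "$out/server.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$out/server.crt" -noout -pubkey 2>/dev/null)" ] || return 1
    # Browsers match the requested hostname against the SAN, not the CN.
    openssl x509 -in "$out/server.crt" -noout -text 2>/dev/null | grep -q "DNS:$host"
}

# Apache mod_ssl vhost pointing at the generated files.  $1 hostname, $2 output dir.
write_apache_vhost() {
    host=$1; out=$2
    cat > "$out/ssl-vhost.conf" <<EOF
Listen 443
<VirtualHost *:443>
    ServerName $host
    SSLEngine on
    SSLCertificateFile $out/server.crt
    SSLCertificateKeyFile $out/server.key
</VirtualHost>
EOF
}

# Usage: sh selfsigned.sh secure.go4expert.com ./ssl [days]
if [ "$#" -ge 2 ]; then
    make_selfsigned_cert "$1" "$2" "${3:-365}"
    verify_selfsigned_cert "$1" "$2" && echo "OK: $2/server.crt matches $2/server.key and names $1"
    write_apache_vhost "$1" "$2"
fi
```

Run it as sh selfsigned.sh secure.go4expert.com ./ssl. The verify function catches the two mistakes that most often follow a tutorial like this: installing a certificate that was signed with a different key than the one on disk, and serving a hostname the certificate does not name.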

Setting Up SSL in Apache

Copy the certificate and key into place. Make sure the key file is readable only by root (chmod 600); anyone who can read it can impersonate your server.
Code:

[pradeep@home-desktop ssl]# cp server.crt /etc/httpd/conf/ssl.crt
[pradeep@home-desktop ssl]# cp server.key /etc/httpd/conf/ssl.key

Add the following inside the relevant <VirtualHost *:443> block, or globally in the mod_ssl configuration, and make sure mod_ssl is loaded and Apache is listening on port 443. Because the key is pass phrase protected, httpd will prompt for the pass phrase at startup; configure SSLPassPhraseDialog or strip the pass phrase with 'openssl rsa -in server.key -out server.key' if the server has to start unattended.
Code:

SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
# Legacy workaround for old Internet Explorer versions that mishandled keep-alive and SSL shutdown
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

Making Your Browser Trust The Self-Signed Certificate

Chrome
Firefox
IE

k2seo 29Sep2012 22:21

Re: Create A Self-Signed SSL Certificate To Use With Apache
 
I just want to ask you: would it be as secure as a certificate given by certificate authorities like GeoTrust, Comodo or VeriSign?
