Self Signed Certificates
Open SSL Certificates
Apache certificates howto
Without Certificate Authority [self signed]
The following instructions are from http://www.apache-ssl.org/#FAQ.
openssl req -new -out server.csr
This creates a certificate signing request and a private key. When asked for "Common Name (eg, your websites domain name)", give the exact domain name of your web server (e.g. www.my-server.dom). The certificate belongs to this server name, and browsers complain if the name doesn't match.
openssl rsa -in privkey.pem -out server.key
This removes the passphrase from the private key. You MUST understand what this means: server.key should be readable only by the apache server and the administrator. You should also delete the .rnd file, because it contains the entropy information used to create the key and could be used for cryptographic attacks against your private key. Removing the passphrase allows httpd to restart unattended.
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 1095
This creates a self-signed certificate that you can use until you get a "real" one from a certificate authority. (Which is optional; if you know your users, you can tell them to install the certificate into their browsers.) Note that this certificate expires after three years (the default is -days 365).
If you have users with MS Internet Explorer 4.0+ and want them to be able to install the certificate into their certificate storage (by downloading and opening it), you need to create a DER-encoded version of the certificate:
openssl x509 -in server.crt -out serverder.crt -outform DER
Move server.crt into /etc/httpd/conf/ssl.crt and move server.key into /etc/httpd/conf/ssl.key.
For MSIE, move serverder.crt into a web accessible directory [e.g. http://www.example.com/~user/admin/cert/serverder.crt]. Point the IE browser to that location and follow the prompts presented by the browser to import the certificate. Make sure that the certificate is imported into the Trusted Root Certificates area.
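Added example, not from the original page or from apache-ssl.org: the four steps above as a non-interactive shell function, followed by the checks an administrator should run before copying the files into the Apache directories (the CN is the exact host name, the key really has no passphrase, the key file is not group/world readable, certificate and key belong together, and the lifetime is the requested 1095 days). It assumes openssl is in PATH; the host name, output directory and temporary passphrase are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: the self-signed procedure above
# run non-interactively, plus the checks to make before installing the files.
# Assumptions: openssl in PATH; host name, directory and the temporary
# passphrase are constructed placeholders.
set -eu

make_self_signed() {
    cn="$1"; dir="$2"; days="${3:-1095}"
    mkdir -p "$dir"
    umask 077            # key material is created readable by the owner only
    # 1. CSR and passphrase-protected key (-subj/-passout replace the prompts)
    openssl req -new -newkey rsa:2048 -subj "/CN=$cn" \
        -passout pass:tmp-passphrase \
        -keyout "$dir/privkey.pem" -out "$dir/server.csr" 2>/dev/null
    # 2. strip the passphrase so httpd can restart unattended
    openssl rsa -in "$dir/privkey.pem" -passin pass:tmp-passphrase \
        -out "$dir/server.key" 2>/dev/null
    # 3. self-sign the request with that key for the requested lifetime
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -days "$days" -out "$dir/server.crt" 2>/dev/null
    # 4. DER copy for browsers that import certificates by downloading them
    openssl x509 -in "$dir/server.crt" -outform DER -out "$dir/serverder.crt"
    chmod 644 "$dir/server.crt" "$dir/serverder.crt"   # certificates are public
    rm -f "$dir/privkey.pem"   # the encrypted original is no longer needed
}

# Subject CN, to compare with the exact host name users will type
cert_cn() { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }

# Succeeds only if the key loads with an empty passphrase, i.e. is unencrypted
key_is_unencrypted() { openssl rsa -in "$1" -noout -passin pass: 2>/dev/null; }

# Succeeds only if the key file has no group or world permission bits
key_mode_ok() { [ "$(ls -l "$1" | cut -c5-10)" = "------" ]; }

# Succeeds only if the certificate's public key is the key's public key
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeeds only if the certificate is still valid $2 days from now
cert_valid_for_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }
```

Run `make_self_signed www.my-server.dom /tmp/ssl` and then the check functions against /tmp/ssl/server.crt and /tmp/ssl/server.key; only when all of them succeed should the files be moved into /etc/httpd/conf/ssl.crt and ssl.key.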
With Certificate Authority [not very useful as Darkstar's CA is self signed...]
#create new request
cd /home/ivan/ssl
openssl req -new -keyout newkey.pem -out newreq.pem
cat newreq.pem newkey.pem > new.pem
# create new certificate using our own CA
openssl ca -out newcert.pem -infiles new.pem
cp newcert.pem /etc/httpd/conf/ssl.crt/server.crt
cp newkey.pem /etc/httpd/conf/ssl.key/server.key
#restart apache
/etc/init.d/httpd restart
#NOTE for creating CA
<<< #needed only if not already defined
echo "01" > /usr/share/ssl/serial
touch /usr/share/ssl/index.txt
mkdir /usr/share/ssl/newcerts
>>>
cd /home/ivan/ssl
openssl req -new -x509 -keyout CAkey.pem -out CAcert.pem
cp CAkey.pem /usr/share/ssl/private/cakey.pem
cp CAcert.pem /usr/share/ssl/cacert.pem
IMAP-SSL Self-signed certificate howto
REF: http://www.knowplace.org/imaps.html
as root:
cd /usr/share/ssl/certs
openssl req -new -x509 -nodes -out imapd.pem -keyout imapd.pem -days 1095
The same certificate should be usable for POP3S access:
cp imapd.pem ipop3d.pem
For MS Outlook and the like, importing the root certificate as indicated above should be sufficient to prevent the client from repeatedly asking to confirm acceptance of the certificate. Alternatively, to install the certificate for Outlook Express, simply point Internet Explorer to the URL https://mail.example.com:993/ (or port 995 for SSL-wrapped POP) and install the certificate through the standard certificate dialog.
This page last updated on 07/19/03