Self Signed Certificates
Open SSL Certificates
Apache certificates howto
Without Certificate Authority [self signed]
The following instructions are from http://www.apache-ssl.org/#FAQ.
openssl req -new -out server.csr
This creates a certificate signing request and a private key. When asked for
"Common Name (eg, your websites domain name)", give the exact domain name of your web server (e.g. www.my-server.dom). The certificate belongs to this server name and browsers complain if the name doesn't match.
openssl rsa -in privkey.pem -out server.key
This removes the passphrase from the private key. You MUST understand what this means;
server.key should be only readable by the apache server and the administrator. You should delete the
.rnd file because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key. Removal of a passphrase enables httpd to reboot in unattended mode.
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 1095
This creates a self-signed certificate that you can use until you get a "real" one from a certificate authority. (Which is optional; if you know your users, you can tell them to install the certificate into their browsers.) Note that this certificate expires after one three years [default is
If you have users with MS Internet Explorer 4.0+ and want them to be able to install the certificate into their certificate storage (by downloading and opening it), you need to create a DER-encoded version of the certificate:
openssl x509 -in server.crt -out serverder.crt -outform DER
/etc/httpd/conf/ssl.crt and move
For MSIE, move serverder.crt into the web accessible directory [e.g. http://www.example.com/~user/admin/cert/serverder.crt]. Point the IE browser to that location and follow the prompts presented by the browser to import the key. Make sure that the key is imported into the Trusted Root Certificates area.
With Certificate Authority [not very useful as Darkstar's CA is self signed...]
#create new request
openssl req -new -keyout newkey.pem -out newreq.pem
cat newreq.pem newkey.pem > new.pem
# create new certificate using our own CA
openssl ca -out newcert.pem -infiles new.pem
cp newcert.pem /etc/httpd/conf/ssl.crt/server.crt
cp newkey.pem /etc/httpd/conf/ssl.key/server.key
#NOTE for creating CA
<<< #needed only if not already defined
echo "01" > /usr/share/ssl/serial
openssl req -new -x509 -keyout CAkey.pem -out CAcert.pem
cp CAkey.pem /usr/share/ssl/private/cakey.pem
cp CAcert.pem /usr/share/ssl/cacert.pem
IMAP-SSL Self-signed certificate howto
openssl req -new -x509 -nodes -out imapd.pem -keyout imapd.pem -days 1095
same certificate should be usable for POP3S access:
cp imapd.pem ipop3d.pem
For MS Outlook and so, importing the root certificate as indicated above should be sufficient to prevent the client from repeatedly asking to confirm acceptance of the certificate. Alternatively, to install the certificate for Outlook Express simply point Internet Explorer to the URL:
or port 995 for SSL wrapped POP, and install the certificate through the standard certificate dialog.
This page last updated on 07/19/03