20150113 public ssl for apache - plembo/onemoretech GitHub Wiki
title: Public SSL for Apache link: https://onemoretech.wordpress.com/2015/01/13/public-ssl-for-apache/ author: phil2nc description: post_id: 9162 created: 2015/01/13 10:08:04 created_gmt: 2015/01/13 15:08:04 comment_status: closed post_name: public-ssl-for-apache status: publish post_type: post
Public SSL for Apache
Most commercial certificate authorities have good documentation on how to make a simple certificate request. Here are my own generic steps for RHEL 6 and beyond. On RHEL systems I always store my private keys and certificates for SSL under /etc/pki/tls (something I started doing way back on RHEL 4, even before it became the standard location for Red Hat systems in RHEL 6, taking my cue from the then-current Fedora releases). The relative paths below assume you are working in that directory.

For the most common use, a cert for an Apache web server, you'll first need to create a key:

[code lang="bash" gutter="false"]
openssl genrsa -out private/www.example.com.key 2048
[/code]

The resulting file will be PEM formatted text. With no cipher option given, genrsa writes the key unencrypted. That is what a web server needs, since httpd has to read the key at startup with nobody there to type a passphrase, but it means the file is only as safe as its permissions: keep it under private/ (which RHEL creates as a root-only directory), owned by root and with mode 0600 so no other local user can read it. 2048-bit keys are common nowadays; in fact most commercial CAs require at least that. CPUs are a lot more powerful than the old sub-1GHz Sparc or PowerPC chips, so the extra cost over a 1024-bit key is no longer worth worrying about.

Then make the request:

[code lang="bash" gutter="false"]
openssl req -new -key private/www.example.com.key -out www.example.com.csr
[/code]

The openssl tool will prompt for a two-letter country code, full state/province name, city, organization, organizational unit (like a department), "common name" and an email address, followed by an optional challenge password that can be left blank. The common name is usually the name of the site, like "www.example.com", unless you're doing a wildcard cert. Be sure to read both the vendor's and your server application's instructions carefully if you choose to get the more expensive wildcard cert. Just putting an asterisk in place of the subdomain ("*.example.com") may not work in all use cases: a wildcard matches exactly one label, so it covers www.example.com and mail.example.com but neither the bare example.com nor a.b.example.com. Whatever goes in the common name, check how your CA wants additional host names submitted, because browsers now match the host name against the certificate's subject alternative names (SANs) and ignore the common name; public CAs put the common name into the SAN list as well, but a cert whose only name is in the CN will be rejected by current browsers.

The resulting .csr file will be PEM formatted text that can be copied and pasted into the CA's web request interface or uploaded to them as a file. Once you've got your signed server cert back from the CA you'll usually need to download or create an intermediate cert file to go along with the server cert. Commercial CAs sign server certs from an intermediate CA rather than directly from their root, and clients only trust the root, so the server has to hand out the intermediate(s) along with its own cert for the chain to validate. The CA will usually supply a "server chain" for this (two or more PEM formatted certificates stacked in the same file), ordered from the issuing intermediate up toward the root; the root itself does not belong in the chain file.
I always put my server and chain cert files under /etc/pki/tls/certs and reference them in my Apache /etc/httpd/conf.d/ssl.conf file. If my server will be hosting multiple SSL vhosts I'll of course have different server keys and certs for each, referenced in the appropriate vhost block using the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile directives. httpd reads the key file while it is still running as root, before forking the children that run as the apache user, so the key never needs to be readable by that user. Note that SSLCertificateChainFile became obsolete in httpd 2.4.8: on that version and later (RHEL 6's 2.2 and RHEL 7's 2.4.6 are older) the intermediate certs go into the file named by SSLCertificateFile, appended after the server cert.
Copyright 2004-2019 Phil Lembo