apache ssl certificates
Creating SSL certificates for use with HTTPS on Apache is a two-stage process.
First, make a private key:
openssl genrsa -des3 -out <name of your certificate>.key 1024
You will be asked for a passphrase (password) for this key
NOTE: Make sure you keep this key safe, and don’t forget the password
Next, use that key to sign a certificate request
openssl req -new -key <name of your certificate>.key -out <name of your certificate>.csr
You will be asked for the private key passphrase (not the last time you’ll need this)
You will also be asked a number of other questions. The most important one is the ‘Common Name’, which must exactly match the hostname of the website: a common name of ‘www.tehfear.com’ would be appropriate for https://www.tehfear.com/ but not for https://secure.tehfear.com/ or https://tehfear.com/.
The resulting ‘.csr’ file (the certificate signing request) is sent to whoever you are requesting a certificate from; in return you will receive a ‘.crt’ certificate. You’ll probably have to tell your certificate provider that you are using Apache, otherwise they may supply the certificate in the wrong format (don’t worry, it is fairly easy to convert – see below).
You may also receive an intermediate chain file, if your certificate was not issued directly by a trusted root certificate authority but by an intermediate authority that the root trusts: a chain of trust.
To install these files
Copy your issued certificate, intermediate certificate (if required) and key file (generated when you created the Certificate Signing Request) into the directory that you will be using to hold your certificates.
Open your Apache conf file and add the following directives:
- SSLCertificateFile /path to certificate file/your issued certificate
- SSLCertificateKeyFile /path to key file/your key file
- SSLCertificateChainFile /path to intermediate certificate/sf_issuing.crt
Then restart Apache. You’ll notice that when Apache restarts it asks you for the private key passphrase; this might be secure, but if your server reboots in the middle of the night it could be a real pain.
If you’d like the server to be able to start without entering the passphrase, then you’ll need to remove the passphrase from the private key:
openssl rsa -in <name of your certificate>.key -out <name of your new certificate>.key
You will be prompted to enter your passphrase.
Because the key is now unprotected, make sure the new key file is readable only by root:
chmod 400 <name of your new certificate>.key
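The whole key, CSR and passphrase-removal procedure above, as an added example that is not part of the original post: it runs the openssl steps non-interactively so they can be scripted, and adds the checks a practitioner wants before editing the Apache config, namely that the CSR really carries the intended Common Name, that the key and the CSR belong together (compared by RSA modulus, which works the same way against the issued .crt with `openssl x509 -modulus`), and that the unprotected key copy is locked down. All names under `$WORK`, the passphrase and the subject are constructed for the demo; the post uses 1024-bit RSA with -des3, while the example uses 2048 bits and AES-256, which is the current baseline.

```shell
#!/bin/sh
# Added example (not from the original post): the two-stage key/CSR procedure,
# scripted, plus the checks worth doing before touching the Apache config.
# Everything under $WORK (file names, passphrase, subject) is constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS='example-passphrase'    # constructed; run interactively, openssl prompts for this

# Stage 1: passphrase-protected private key. The post uses 1024-bit RSA with -des3;
# 2048 bits and AES-256 are the current baseline, so that is what the example uses.
make_key() {            # make_key <site>   -> $WORK/<site>.key
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/$1.key" 2048 2>/dev/null
}

# Stage 2: CSR signed with that key. -subj answers the interactive questions;
# the CN is the site name, exactly as the post describes.
make_csr() {            # make_csr <site>   -> $WORK/<site>.csr
    openssl req -new -key "$WORK/$1.key" -passin "pass:$PASS" \
        -subj "/C=GB/O=Example Ltd/CN=$1" -out "$WORK/$1.csr"
}

# Common Name actually recorded in the CSR (what the CA will copy into the certificate).
csr_cn() {              # csr_cn <csr-file> -> prints the CN
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# A key belongs to a CSR (or, with `openssl x509 -noout -modulus`, to an issued .crt)
# when the RSA moduli are identical. Returns 0 on match, 1 otherwise.
key_matches() {         # key_matches <key-file> <csr-file>
    k=$(openssl rsa -in "$1" -passin "pass:$PASS" -noout -modulus)
    c=$(openssl req -in "$2" -noout -modulus)
    [ "$k" = "$c" ]
}

# Remove the passphrase so Apache can start unattended, then make the unprotected
# copy readable only by its owner (the post's chmod 400 step).
strip_passphrase() {    # strip_passphrase <site> -> $WORK/<site>.nopass.key
    rm -f "$WORK/$1.nopass.key"
    openssl rsa -in "$WORK/$1.key" -passin "pass:$PASS" \
        -out "$WORK/$1.nopass.key" 2>/dev/null
    chmod 400 "$WORK/$1.nopass.key"
}

key_mode() {            # key_mode <file> -> permission bits in octal, e.g. 400
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

demo() {
    site=www.example.com
    make_key "$site"
    make_csr "$site"
    echo "CSR Common Name: $(csr_cn "$WORK/$site.csr")"
    if key_matches "$WORK/$site.key" "$WORK/$site.csr"; then
        echo "key and CSR match"
    else
        echo "key and CSR do NOT match" >&2
        return 1
    fi
    strip_passphrase "$site"
    echo "unprotected key: $WORK/$site.nopass.key (mode $(key_mode "$WORK/$site.nopass.key"))"
}

if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not found" >&2; fi
```

The passphrase is passed with `-passout`/`-passin` only so the demo runs unattended; when you follow the post by hand, let openssl prompt for it instead of putting it on the command line, where it ends up in shell history and process listings.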
Note on conversion from pkcs#7 to x509
If you’ve ended up with a pkcs#7 file, you can run the following command
openssl pkcs7 -in my_pkcs7.cer -print_certs
This will list the x509 certificates inside the pkcs#7 file; it will look something like this (the ‘…’ stands for the omitted base64 body):
subject=/C=US/ST=Somewhere/L=Somewhere/O=Thing Inc./OU=Terms of use at www.verisign.com/rpa (c)00/CN=www.mywebsite.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
-----BEGIN CERTIFICATE-----
M...QUrk
-----END CERTIFICATE-----
There may be more than one certificate; just look for the one with the correct common name (CN=xxx).
Simply cut and paste that certificate (from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- inclusive) into another file.
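The cut-and-paste step above, done programmatically, as an added example that is not part of the original post. It parses the text that `openssl pkcs7 ... -print_certs` prints (both the old slash-separated subject format shown above and the newer comma-separated one), picks the certificate whose Common Name is the site, and goes one step beyond the post by splitting that certificate (for SSLCertificateFile) from the intermediates (for SSLCertificateChainFile), dropping any self-signed root. It also implements the Common Name rule from earlier in the post, the exact match between CN and hostname. The function names (`split_print_certs`, `pick_certificate`, `split_for_apache`, `cn_matches_url`) and `SAMPLE_PRINT_CERTS` are this example's own; the sample is constructed, with placeholder base64 bodies and made-up CA names.

```python
"""Added example (not the original post's code): parse `openssl pkcs7 -print_certs`
output, select the site's certificate by Common Name, and split it from the chain."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample shaped like -print_certs output; the base64 bodies are
# placeholders, not real certificates, and the CA names are made up.
SAMPLE_PRINT_CERTS = """\
subject=/C=US/ST=Somewhere/L=Somewhere/O=Thing Inc./CN=www.mywebsite.com
issuer=/C=US/O=Example CA, Inc./OU=Example Trust Network/CN=Example Class 3 Secure Server CA
-----BEGIN CERTIFICATE-----
MIIB...leaf...QUrk
-----END CERTIFICATE-----
subject=/C=US/O=Example CA, Inc./OU=Example Trust Network/CN=Example Class 3 Secure Server CA
issuer=/C=US/O=Example CA, Inc./CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...intermediate...abcd
-----END CERTIFICATE-----
subject=/C=US/O=Example CA, Inc./CN=Example Root CA
issuer=/C=US/O=Example CA, Inc./CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...root...wxyz
-----END CERTIFICATE-----
"""

# "CN=value" in the old slash form (/C=US/.../CN=x) and the newer comma form
# (C = US, ..., CN = x). A CN containing a comma or slash would be cut short.
_CN_RE = re.compile(r"(?:^|[/,])\s*CN\s*=\s*([^,/]+)")


def split_print_certs(text: str) -> List[Dict[str, str]]:
    """Split -print_certs output into one record (subject, issuer, cn, pem) per certificate."""
    certs: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    pem_lines: Optional[List[str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if pem_lines is not None:                      # inside a PEM block
            pem_lines.append(line)
            if line == "-----END CERTIFICATE-----":
                current["pem"] = "\n".join(pem_lines) + "\n"
                certs.append(current)
                current, pem_lines = {}, None
            continue
        if line.startswith("subject="):
            current["subject"] = line[len("subject="):].strip()
            m = _CN_RE.search(current["subject"])
            current["cn"] = m.group(1).strip() if m else ""
        elif line.startswith("issuer="):
            current["issuer"] = line[len("issuer="):].strip()
        elif line == "-----BEGIN CERTIFICATE-----":
            pem_lines = [line]
    if pem_lines is not None:
        raise ValueError("truncated PEM block: BEGIN CERTIFICATE without matching END")
    return certs


def pick_certificate(certs: List[Dict[str, str]], hostname: str) -> Dict[str, str]:
    """The one certificate whose CN is the site; refuse to guess if none or several match."""
    wanted = hostname.lower()
    hits = [c for c in certs if c.get("cn", "").lower() == wanted]
    if not hits:
        raise LookupError(f"no certificate with CN={hostname!r}; found {[c.get('cn') for c in certs]}")
    if len(hits) > 1:
        raise LookupError(f"{len(hits)} certificates carry CN={hostname!r}; pick one manually")
    return hits[0]


def split_for_apache(text: str, hostname: str) -> Tuple[str, str]:
    """Return (server certificate PEM, chain PEM of intermediates, self-signed roots dropped)."""
    certs = split_print_certs(text)
    leaf = pick_certificate(certs, hostname)
    chain = [c for c in certs if c is not leaf and c.get("subject") != c.get("issuer")]
    return leaf["pem"], "".join(c["pem"] for c in chain)


def cn_matches_url(cn: str, url: str) -> bool:
    """The post's rule: the Common Name must equal the URL's hostname exactly."""
    host = urlparse(url).hostname
    return host is not None and host.lower() == cn.lower()


if __name__ == "__main__":
    server, chain = split_for_apache(SAMPLE_PRINT_CERTS, "www.mywebsite.com")
    print("SSLCertificateFile contents:\n" + server)
    print("SSLCertificateChainFile contents:\n" + (chain or "(none)"))
    for url in ("https://www.tehfear.com/", "https://secure.tehfear.com/", "https://tehfear.com/"):
        print(f"CN www.tehfear.com valid for {url}: {cn_matches_url('www.tehfear.com', url)}")
```

Feed it the real output (`openssl pkcs7 -in my_pkcs7.cer -print_certs > certs.txt`) and write the two returned strings to the files named in your SSLCertificateFile and SSLCertificateChainFile directives.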
This helped me too: http://www.schafos.de/zertifikate-installieren-apache-java.html (even though it’s in German :/ )
December 15th, 2008 at 5:06 pm