Thursday, June 12, 2008

Creating Apache Certificates

OK I spent the weekend doing something I haven't done in a while and man was I rusty. I had to enable HTTPS on an Apache server, create a CSR, and install a certificate. I wanted to walk you through the commands I used to generate the CSR and install the certificate. As a bonus I will also show you how to generate a self-signed certificate. This was done using OpenSSL on a Debian system.

Step One - Create a server key


openssl genrsa -des3 -out server.key 4096

This command generates a file called server.key containing a 4096-bit RSA private key. Because of the -des3 option the key is written encrypted, so you will be prompted for a passphrase; pick one you will remember, because the next two steps ask for it again. As explained in Step Three, you normally don't want a passphrase on the key Apache loads at start-up, but keeping an encrypted copy of the key at rest is still worthwhile. You do have a choice here: leaving out -des3 writes the key unencrypted straight away, and on current OpenSSL releases -aes256 is a better cipher than the legacy -des3 if you do encrypt it.

Step Two - Create a Certificate Signing Request (CSR)


openssl req -new -key server.key -out server.csr

This is the file you send to your certificate provider (the CA) to have your actual certificate issued. You will be prompted for the server.key passphrase again, then for a series of questions about the certificate subject. The one to get right is the "Common Name": it must be the exact host name clients will connect to (for example www.mydomain.com), with no http:// or https:// prefix and no path. Be aware that current browsers ignore the Common Name and require the host name to appear in the Subject Alternative Name (SAN) extension as well; the interactive prompts never ask for a SAN, so it has to be supplied through a config file or, on OpenSSL 1.1.1 and later, the -addext option. Near the end you will be asked for a "Challenge Password". This is not the passphrase of your server.key file; it is an optional attribute stored inside the CSR that most CAs ignore and that Apache never asks for when you install the certificate, so you can leave it blank.

Step Two.One - Generate a Self-Signed Certificate

At this point you have a CSR to send to a certificate provider to get a real certificate issued. Those certificates are not cheap, and if this is not a production environment, or it is only an administrative area, you might be happier with a "Self-Signed Certificate": one you sign yourself with your own key. Since it is not issued by a CA that clients already trust, browsers will warn that the certificate is untrusted and ask whether you really want to accept it. The traffic is still encrypted once the connection is made, which is why it's worth doing, but be clear about the trade-off: a self-signed certificate gives you encryption without authentication. Anyone sitting in the network path can present a self-signed certificate of their own, and a user who is used to clicking through the warning cannot tell the difference. To get authentication back, distribute your certificate (or the private CA certificate that signed it) to the clients so they trust it explicitly instead of clicking through. If you are getting a certificate from a provider you can skip this step.


openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Two things to know about this command. First, x509 -req takes only the subject from the CSR and drops any extensions the CSR carried, so a SAN has to be passed in again with -extfile and -extensions. Second, older OpenSSL releases signed with SHA-1 by default, which browsers no longer accept, so add -sha256 explicitly.

Step Three - Remove Password From Server.key File


By this step you should have an actual certificate file, either self-signed or purchased. The problem is that if you install everything as is, you will be prompted for the server.key passphrase every time the web server starts, including on every reboot, and Apache will sit in the boot sequence waiting for it. If you are OK with that, or with pointing mod_ssl's SSLPassPhraseDialog directive at a program that supplies the passphrase, you can skip this step. If not, we are going to remove the passphrase from the server.key file. Understand what that means: the passphrase was the only thing protecting the key at rest, so from here on file permissions are its only protection, and anyone who can read the file can impersonate your server.

Generate a non-password version of the server.key file

openssl rsa -in server.key -out server.key.insecure

It's a good idea to keep the original server.key file that has the passphrase, so let's rename that file

mv server.key server.key.secure

And now we'll make our insecure version the main file

mv server.key.insecure server.key


Move the Files

That should be pretty much it. Now all you need to do is move your files to their locations. The key goes in /etc/ssl/private, which on Debian is owned by root and not world-readable; make sure the key file itself is readable only by root (mode 0600), since it no longer has a passphrase protecting it. The certificate is public and can stay world-readable in /etc/ssl/certs.

mv server.key /etc/ssl/private/
mv server.crt /etc/ssl/certs/
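The whole procedure above, as an added example that is not part of the original post, rewritten as a non-interactive POSIX shell script: the passphrase comes from a file instead of a prompt, the subject and SAN come from a small OpenSSL config, -aes256 and -sha256 replace the old defaults, and the script checks its own work before installing the files. The hostname www.mydomain.com, the SAN list, the passphrase and the scratch directory are made-up values for the example; by default everything is written under a temporary directory so it can run as an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the original post): the procedure above as a
# non-interactive script. All names below are made-up values for the example.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI is required" >&2; exit 1; }

CN="www.mydomain.com"                          # assumed hostname
SANS="DNS:www.mydomain.com,DNS:mydomain.com"   # assumed SAN list
WORK="${WORK:-$(mktemp -d)}"                   # scratch dir standing in for /etc/ssl
PASSFILE="$WORK/passphrase.txt"

# Step One: encrypted private key. -aes256 replaces the post's legacy -des3;
# -passout takes the passphrase from a file so nothing prompts.
make_server_key() {
    umask 077                                   # every file created here is 0600
    printf 'correct horse battery staple\n' > "$PASSFILE"   # constructed passphrase
    openssl genrsa -aes256 -passout "file:$PASSFILE" -out "$WORK/server.key" 4096
}

# Step Two: the CSR. A small config replaces the interactive questions and adds
# the subjectAltName extension, which browsers require in addition to the CN.
make_csr() {
    cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $CN
[v3_req]
subjectAltName = $SANS
EOF
    openssl req -new -sha256 -config "$WORK/req.cnf" \
        -key "$WORK/server.key" -passin "file:$PASSFILE" -out "$WORK/server.csr"
}

# Step Two.One: self-sign. x509 -req drops the CSR's extensions, so the SAN
# section is supplied again via -extfile/-extensions; -sha256 avoids the SHA-1
# default of old OpenSSL releases.
self_sign() {
    openssl x509 -req -days 365 -sha256 -in "$WORK/server.csr" \
        -signkey "$WORK/server.key" -passin "file:$PASSFILE" \
        -extfile "$WORK/req.cnf" -extensions v3_req -out "$WORK/server.crt"
}

# Step Three: unencrypted copy for Apache; the encrypted original is kept.
strip_passphrase() {
    umask 077
    openssl rsa -in "$WORK/server.key" -passin "file:$PASSFILE" \
        -out "$WORK/server.key.insecure"
    mv "$WORK/server.key" "$WORK/server.key.secure"
    mv "$WORK/server.key.insecure" "$WORK/server.key"
}

# Move the files. Nothing but file permissions protects the unencrypted key
# now, so it is installed 0600; the certificate is public and stays 0644.
install_files() {
    dest="${1:-$WORK/etc/ssl}"                  # pass /etc/ssl when running as root
    umask 022
    mkdir -p "$dest/private" "$dest/certs"
    install -m 0600 "$WORK/server.key" "$dest/private/server.key"
    install -m 0644 "$WORK/server.crt" "$dest/certs/server.crt"
}

# Checks worth running before touching the Apache config.
key_is_unencrypted() {    # succeeds only if the key loads with no passphrase
    openssl rsa -in "$1" -noout -passin pass: >/dev/null 2>&1
}
cert_matches_key() {      # public key in the cert equals the one derived from the key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
cert_has_san() {          # hostname is present as a DNS SAN entry
    openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

main() {
    make_server_key
    make_csr
    self_sign
    strip_passphrase
    install_files
    key_is_unencrypted "$WORK/etc/ssl/private/server.key"
    cert_matches_key "$WORK/etc/ssl/certs/server.crt" "$WORK/etc/ssl/private/server.key"
    cert_has_san "$WORK/etc/ssl/certs/server.crt" "$CN"
    echo "key and certificate installed under $WORK/etc/ssl"
}
main
```

To install for real, run the script as root and then call install_files /etc/ssl; the umask and install -m 0600 lines are what keep the passphrase-less key from being readable by anyone but root. The three check functions are the ones to rerun whenever a certificate is renewed: a cert whose public key does not match the installed key, or a key that still has a passphrase, are the two mistakes that leave Apache refusing to start.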


Now, you just need to enable the site as HTTPS in Apache. If you are not sure how to do this, I will post that in the next couple of days as well.


