SSL Server Certificates

Nowadays there is a wealth of information on the web about generating certificate signing requests and installing signed certificates. I followed the instructions at OpenSSL HOWTOs.

To ease the process one should first adjust some default settings in /etc/ssl/openssl.cnf:

[ req_distinguished_name ]
countryName_default             = US
stateOrProvinceName_default     = Massachusetts
0.organizationName_default      = Agaric Design Collective

A canonical place to store our public and private keys is /etc/apache2/ssl, so I cd there. Before generating a certificate signing request we need a private key. Just type openssl genrsa -out agaric.com.key 2048 (either as root or with sudo). That provides us with a 2048-bit RSA private key stored without a passphrase; a passphrase-protected key would have to be unlocked on every HTTP server start.

With the private key ready it's a snap to get a certificate signing request: openssl req -new -key agaric.com.key -out agaric.com.csr. After hitting the return key, openssl asks some questions about your location and company name; I confirm the default values we just entered. For the common name I have to enter the fully qualified domain name used to access the server, in our case agaricdesign.com. As the reader will notice, this means it is often necessary to generate a certificate for every name-based virtual host.

Now it's time to send the certificate request to a certificate authority; as a CAcert assurer I am able to sign for that organization myself. The signed certificate is copied to /etc/apache2/ssl/agaric.com.crt, where it stays alongside the private key and the request, which are not deleted.
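As an added example (not code from the original post), here is the same key and CSR procedure done non-interactively in a scratch directory, followed by the checks worth running before the request goes to the CA: the CSR's self-signature verifies, its public key matches the private key, and the CN is the host you intend to serve. The subject values and FQDN reuse the post's; the working directory and function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is on PATH.
# Files are written to a temp dir instead of /etc/apache2/ssl.
set -eu

WORK="${WORK:-$(mktemp -d)}"
FQDN="${FQDN:-agaricdesign.com}"   # common name = FQDN clients connect to

# 2048-bit RSA private key, written without a passphrase so Apache can
# start unattended; restrict it to the owner right away.
gen_key() {
    openssl genrsa -out "$WORK/$FQDN.key" 2048 2>/dev/null
    chmod 600 "$WORK/$FQDN.key"
}

# Build the CSR with -subj instead of answering prompts; the values mirror
# the openssl.cnf defaults set in the post.
gen_csr() {
    openssl req -new -key "$WORK/$FQDN.key" \
        -subj "/C=US/ST=Massachusetts/O=Agaric Design Collective/CN=$FQDN" \
        -out "$WORK/$FQDN.csr"
}

# Pre-submission checks: self-signature verifies, CSR public key matches
# the private key, and the CN is our FQDN. Returns 0 only if all hold.
check_csr() {
    openssl req -in "$WORK/$FQDN.csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    key_pub=$(openssl rsa -in "$WORK/$FQDN.key" -pubout 2>/dev/null | openssl md5)
    csr_pub=$(openssl req -in "$WORK/$FQDN.csr" -pubkey -noout | openssl md5)
    [ "$key_pub" = "$csr_pub" ] || return 1
    openssl req -in "$WORK/$FQDN.csr" -noout -subject | grep -q "CN *= *$FQDN"
}

# Key size as recorded in the CSR, so a wrong -out/-key mix-up shows up.
csr_bits() {
    openssl req -in "$WORK/$FQDN.csr" -noout -text \
        | grep -o 'Public-Key: ([0-9]* bit)' | grep -o '[0-9]*'
}
```

Run gen_key, gen_csr and then check_csr; a non-zero exit from check_csr means the request should not be sent to the CA.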

The server certificate is now ready for use, e.g. in an Apache virtual host container:

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/agaricdesign.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/agaricdesign.com.key

Join CAcert!