contact me
jean at geemoo dot ca

Dec 16, 2006
Often I find myself setting up a server with SSL and needing to make a certificate for it to use. Unfortunately it isn't often enough, because I forget how each time. So, to avoid having to search the web for good docs again, I'm writing the steps down here.

A couple of small notes before you get started. Make a directory somewhere to do all this in; I like /etc/ssl. Keep that directory and everything in it readable by root only: the CA key and, later, the passwordless server key are what an attacker needs to impersonate your site. When you're prompted for "Common Name", that's the full hostname of whatever you're trying to secure (note that current browsers no longer match the hostname against the CN at all, only against the subjectAltName extension, so a CN-only certificate gets rejected by them). Also, very important: the common name of the certificate authority MUST be different from the common name of the certificate you are going to sign. The reason is that a verifier finds a certificate's issuer by matching the issuer name against candidate subjects, and a certificate whose subject equals its issuer is treated as self-signed, so the server certificate ends up being checked against its own key instead of the CA's and verification fails.

1) Create a Certificate Authority.
Before you can sign your certificates, you need something to sign them with.
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Your Certificate Authority key is now in ca.key (encrypted with the password you chose; you'll be asked for it every time you sign something), and the certificate is ca.crt. Note that -days 365 is short for a CA: every certificate it signs stops verifying once ca.crt expires, so use a longer lifetime if you don't want to redo everything next year. On OpenSSL older than 1.1.0 the default signature digest is SHA-1 (or MD5 on really old builds), which modern clients reject, so pass -sha256 explicitly there.

2) Generate a server key and request for signing (CSR).
Next, create the key and request for the server that you are setting up.
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
This creates your server private key in server.key and your signing request in server.csr. If you were having someone else sign your certificate, server.csr is what you would send them; server.key never leaves the server.

3) Sign the server request with your CA.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Sign the request with this command. Use a different serial every time you sign with this CA: the (issuer, serial) pair has to be unique, and a client that has cached the old certificate will refuse a new one that reuses the same serial under the same issuer (Firefox reports it as sec_error_reused_issuer_and_serial). Incrementing by hand works; a random serial from openssl rand is easier and is what public CAs do. One more caveat: openssl x509 -req ignores any extensions in the CSR, so a certificate made this way has no subjectAltName and no key usage. To get them, put the extensions (at least subjectAltName = DNS:your.host.name) in a small file and pass it with -extfile.

4) Remove the password from the key.
Right now the key still has a password on it that you have to type in to use it. This means that when your server starts up, you have to be there to enter the password, or the daemon blocks waiting for it (or fails to start). Removing the password fixes this.
openssl rsa -in server.key -out nopassword.server.key
The unencrypted key is now protected only by file permissions, so make it owned by root and mode 600, and never do this to ca.key: the CA key should stay encrypted and ideally not live on the web server at all.

That's it, we're done. Take your new key and crt file, plug them into the config file of whatever you're setting up, and presto. Clients will still warn about an unknown issuer until they are told to trust ca.crt, so import ca.crt (the certificate only, never ca.key) into each client's trust store.
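Here is the whole procedure as one non-interactive script. It is added here as an example and is not from the original post or the guide it links; the hostname www.example.test, the subject names and the directory are placeholders. It differs from the interactive commands above in the ways a current client cares about: SHA-256 signatures, a subjectAltName on the server certificate, CA:TRUE on the CA certificate, random serials, and owner-only file modes. It also leaves the CA key without a passphrase so it can run unattended, which is fine for a throwaway test CA but not for one you keep around.

```bash
#!/usr/bin/env bash
# Added example, not the original post's commands. Placeholders: the subject
# names, the hostname passed in, and the output directory.
set -euo pipefail

# make_certs DIR HOSTNAME: writes DIR/ca.key, DIR/ca.crt, DIR/server.key, DIR/server.crt
make_certs() {
    local dir="$1" host="$2"
    mkdir -p "$dir"
    (
        cd "$dir"
        umask 077    # every file is created owner-only; certs are relaxed at the end

        # 1) CA key and self-signed CA certificate. The subject must differ from the
        #    server's, and the CA needs basicConstraints CA:TRUE to be accepted as one.
        openssl genrsa -out ca.key 4096 2>/dev/null
        cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
        openssl req -new -key ca.key -subj "/CN=Example Private CA" -out ca.csr
        openssl x509 -req -days 3650 -sha256 -in ca.csr -signkey ca.key \
            -extfile ca.ext -set_serial "0x$(openssl rand -hex 16)" -out ca.crt 2>/dev/null

        # 2) Server key (no passphrase, so the daemon can start unattended;
        #    the 0600 mode from umask is what protects it) and its CSR.
        openssl genrsa -out server.key 4096 2>/dev/null
        openssl req -new -key server.key -subj "/CN=$host" -out server.csr

        # 3) Sign with the CA. "openssl x509 -req" drops extensions from the CSR,
        #    so the SAN and usage bits are supplied via -extfile. The serial is
        #    128 random bits, so it never collides with an earlier one.
        cat > server.ext <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
authorityKeyIdentifier = keyid
EOF
        openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.crt -CAkey ca.key \
            -extfile server.ext -set_serial "0x$(openssl rand -hex 16)" -out server.crt 2>/dev/null

        rm -f ca.csr server.csr ca.ext server.ext
        chmod 644 ca.crt server.crt   # certificates are public; keys stay 0600
    )
}

# chain_ok DIR HOSTNAME: succeeds only if server.crt chains to ca.crt AND its
# subjectAltName covers HOSTNAME (the check a browser actually performs).
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# key_matches_cert DIR: the public key inside server.crt is the one in server.key
key_matches_cert() {
    [ "$(openssl x509 -in "$1/server.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/server.key" -pubout)" ]
}

# Usage: bash mkcerts.sh /etc/ssl/mysite www.example.test
if [ "$#" -eq 2 ]; then
    make_certs "$1" "$2"
    chain_ok "$1" "$2" && key_matches_cert "$1" && echo "OK: $1/server.crt verifies for $2"
fi
```

The two check functions are the ones worth running after any hand-made certificate: `openssl verify` with `-verify_hostname` fails both when the CA subject clash described above turns the leaf into a would-be self-signed certificate and when the SAN is missing, and the public-key comparison catches the classic mistake of deploying a key that doesn't belong to the certificate next to it.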

The guide I followed to get this all working can be found here. I'm blogging it because who knows whether his website will exist tomorrow, and I'm sure there will be more servers for me to set up.
Tags: howto, linux, ssl, christmas, nighttime, ottawa