Creating an SSL certificate for Apache 2.x on Ubuntu using openssl
** The article below presumes that you already have openssl installed - if not, see the following knowledgebase article: **
Generating a Certificate Key File (.key)
Regardless of whether you are purchasing a certificate from a CA (Certificate Authority) or generating your own self-signed certificate, the first step is to generate a key file.
To generate the key, which is required for producing the Certificate Signing Request (CSR), run the following command from a terminal prompt:
openssl genrsa -des3 -out server.key 2048
You will now be prompted to enter your desired passphrase. For maximum security, your passphrase should contain at least eight characters, should include numbers and/or punctuation, and should not be a dictionary word. The minimum allowed length when specifying a -des3 passphrase is four characters. Also remember that your passphrase is case-sensitive!
Then re-type your passphrase to verify it. If the two entries match, the server key is generated and stored in the server.key file.
You can also run your secure service without a passphrase. This is convenient because you will not need to enter the passphrase every time you start your secure service. However, it can also be highly insecure, as a compromise of the key means a compromise of the server as well!!
Should you wish to run the secure service without a passphrase, simply leave out the -des3 switch when generating the key file, as below:
openssl genrsa -out server.key 2048
Generating a Certificate Signing Request (.csr)
The next stage is to generate the certificate request itself; this is the file needed in order to request (or self-sign) your certificate. The command to enter is as follows:
openssl req -new -key server.key -out server.csr
At this point, if you are purchasing a validated certificate from a provider, this is all you will need to do. Each provider has its own method for taking the information from the certificate request file. Usually it is just a case of copying the text from the file into the order process. If so, ensure you copy everything from the opening line of hyphens (-----BEGIN CERTIFICATE REQUEST-----) through the closing line of hyphens (-----END CERTIFICATE REQUEST-----), with no space before or after.
To generate your own self-signed certificate, read on.
Generating a Self Signed Certificate (.crt)
Self-signed certificates are fine for internal use; however, it is recommended that they never be used in a production environment!!
To generate the certificate, you will need to run the following command:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Once entered, you will be prompted for the passphrase you created earlier (if you set one); once it is entered correctly, openssl will create the certificate file. Both the certificate file (server.crt) and the server key file (server.key) are required for the server to function, and they must be installed as per the instructions for the web server you are using.
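The three steps above, run end to end without interactive prompts and followed by the check a practitioner wants before copying the files to Apache: that the key, the CSR and the certificate all carry the same public modulus. This is an added example, not part of the original article; it assumes openssl is on the PATH, uses the article's passphrase-free form of genrsa so it can run unattended, and the subject values (including www.example.test) are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): generate key, CSR and
# self-signed certificate non-interactively, then verify they belong together.
# Assumes: openssl on PATH, a writable working directory. Subject values are
# constructed placeholders, not real hostnames.
set -eu

# Skip quietly when openssl is absent; there is nothing to generate or verify.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found; install it first" >&2; exit 0; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SUBJ="/C=GB/ST=Example/L=Example/O=Example Org/CN=www.example.test"

# Step 1: key file without a passphrase (the article's second form), so the
# script runs unattended. Add -des3 to get the passphrase-protected form.
make_key() {
    openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
}

# Step 2: certificate signing request, with the subject supplied via -subj
# instead of answering the interactive prompts.
make_csr() {
    openssl req -new -key "$WORKDIR/server.key" -out "$WORKDIR/server.csr" -subj "$SUBJ"
}

# Step 3: self-signed certificate valid for 365 days, as in the article.
make_cert() {
    openssl x509 -req -days 365 -in "$WORKDIR/server.csr" \
        -signkey "$WORKDIR/server.key" -out "$WORKDIR/server.crt" 2>/dev/null
}

# Print the RSA modulus embedded in a key, CSR or certificate. All three must
# match; a mismatch is the usual reason Apache reports "key values mismatch".
modulus_of() {
    case "$1" in
        *.key) openssl rsa  -noout -modulus -in "$1" ;;
        *.csr) openssl req  -noout -modulus -in "$1" ;;
        *.crt) openssl x509 -noout -modulus -in "$1" ;;
    esac
}

# Succeeds only if key, CSR and certificate share one modulus.
verify_chain() {
    k=$(modulus_of "$WORKDIR/server.key")
    r=$(modulus_of "$WORKDIR/server.csr")
    c=$(modulus_of "$WORKDIR/server.crt")
    [ -n "$k" ] && [ "$k" = "$r" ] && [ "$r" = "$c" ]
}

# Return the certificate's subject CN, confirming the CSR data reached the cert.
cert_cn() {
    openssl x509 -noout -subject -in "$WORKDIR/server.crt" \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

make_key && make_csr && make_cert && verify_chain && echo "ok: CN=$(cert_cn) in $WORKDIR"
```

Run it as-is to get a throwaway key pair in a temporary directory, or set WORKDIR to the directory you intend to hand to Apache. The modulus comparison is the same check you would run by hand after receiving a CA-issued certificate, just with the .crt that came back from the provider.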