Generating a Private Key and CSR for Linux Web Server
These are the instructions for generating a CSR on an Apache web server.
(Note: you need to be logged in as root for this process.)
OpenSSL is used to generate an RSA private key and a CSR file. You can also use it to generate self-signed certificates, which can be used for testing or internal usage.
OpenSSL should be installed in the /usr/local/ssl/bin directory.
The first step is to create your RSA private key. The key we create here will be a 1024 bit RSA key, encrypted using Triple-DES and stored in PEM format so that it is readable as ASCII text. We will use several files as additional random seed material, which helps to make the key more secure; text files that have been compressed with a utility such as gzip are good choices. The key is generated with the following command, where file1:file2:etc. stands for the compressed random files.
# openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out server.key 1024
You will be prompted for a pass-phrase. It is critical that you keep this pass-phrase secure: if you lose the key or forget the pass-phrase, the certificate will be useless.
One issue with using a pass-phrase-protected private key is that Apache will ask for the pass-phrase every time the web server is started. This is not always convenient, as someone may not be around to type in the pass-phrase after a reboot or crash.
mod_ssl includes the ability to use an external program in place of the built-in pass-phrase dialog; however, this is not necessarily the most secure option either. The other option is to remove the Triple-DES encryption from the key, so that no pass-phrase needs to be typed in. If you remove the encryption from the private key, it is critical that the file is readable by the root user only. If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked.
This command will remove the pass-phrase from the key:
# openssl rsa -in server.key -out server.pem
Once the private key is generated you need to generate a CSR (Certificate Signing Request). The CSR can be:
- sent to a Certificate Authority, which will verify the identity of the requestor and issue a signed certificate; or
- self-signed, which will be demonstrated in the next section.
During the generation of the CSR you will be prompted for several pieces of information; these are the X.509 attributes of the certificate. One of the prompts is for "Common Name"; it is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL. If the URL of the website to be protected is https://www.webserver.com, then enter www.webserver.com at this prompt.
This is the command to generate the CSR:
# openssl req -new -key server.key -out server.csr
You will be asked to enter the PEM pass-phrase, followed by the attribute prompts:
Country Name (2 letter code) [XX]:IE
State or Province Name (full name) :Kilkenny
Locality Name (eg, city) [Default City]:Kilkenny
Organization Name (eg, company) [Default Company Ltd]: Security I Trust
Organizational Unit Name (eg, section) :InfoSec
Common Name (eg, your name or your server's hostname) : securityitrust.com
Email Address : support@your_email_address.com
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password : I7nf9oS5
An optional company name : Security I Trust
At this point you have two options.
1. You can use your CSR to purchase a signed SSL certificate. If this is your plan, upload the CSR to the vendor's website; when you have received the certificate from the vendor, install the private key and certificate on your web server.
2. Generate a self-signed certificate.
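The whole key-and-CSR procedure above, as an added example that is not part of this guide: a POSIX shell script that creates the key and CSR without the interactive prompts and then verifies that the CSR was built from that key, that its Common Name is the expected FQDN, and that the unencrypted key is readable by its owner only. It assumes openssl is on the PATH; the subject values are the guide's, the key length is 2048 bits rather than the 1024 shown (current CAs reject 1024-bit keys), and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original guide: generate the RSA key and CSR
# from the steps above without the interactive prompts, then check the result.
# Assumes openssl is on PATH. Subject values are those used in the guide;
# the key is 2048 bits (the guide shows 1024, which CAs no longer accept).
set -eu

# gen_key_and_csr DIR FQDN: writes DIR/server.key (unencrypted) and DIR/server.csr
gen_key_and_csr() {
    dir=$1; fqdn=$2
    (
        umask 077   # key and CSR are created owner-readable only
        # No -des3 here: the key has no pass-phrase, so, as the guide notes,
        # file permissions are its only protection.
        openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
        # -subj supplies the X.509 attributes instead of the prompts; CN must be the FQDN
        openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
            -subj "/C=IE/ST=Kilkenny/L=Kilkenny/O=Security I Trust/OU=InfoSec/CN=$fqdn"
    )
}

# csr_matches_key DIR: succeeds only if the CSR's public key came from server.key
csr_matches_key() {
    k=$(openssl rsa -in "$1/server.key" -noout -modulus)
    c=$(openssl req -in "$1/server.csr" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# csr_common_name DIR: prints the CN from the CSR subject
# (handles both the "/C=IE/CN=x" and the "C = IE, CN = x" subject formats)
csr_common_name() {
    openssl req -in "$1/server.csr" -noout -subject |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# key_is_private DIR: succeeds only if server.key is readable by its owner alone
key_is_private() {
    mode=$(stat -c '%a' "$1/server.key" 2>/dev/null || stat -f '%Lp' "$1/server.key")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Example run (as root, as the guide requires):
#   gen_key_and_csr /etc/ssl/private www.example.com
#   csr_matches_key /etc/ssl/private && key_is_private /etc/ssl/private && echo OK
```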