OpenSUSE Linux: Creating Self-Signed SSL Certificates

18 06 2009
Overview

At some point or another, you’ll likely end up needing an SSL certificate for a Web site somewhere along the line. For a commercial site, your hosting provider can or will help you get this all squared away. This article is not for people in that situation.

What we’re doing here will be to create our own Certificate Authority. Then, we’ll create our own server key and a signing request. Then, we’ll sign our own certificate using the key and certificate from our own Certificate Authority. In other words, we’re not just going to create an SSL certificate, but we’re going to sign that bad boy, too.

This is useful for personal websites that need a little security, or when you’re waiting for your real cert from a real Certificate Authority. Perhaps you need it for transmitting data from an external server to your Intranet. Or perhaps you need it in any of the three hundred thousand seven hundred forty-two other situations that may arise.

Certificate Authority

The first thing that you’ll need is root access to the server. SSH in and head somewhere secure like /root.

Next, we’ll go ahead and generate our own Certificate Authority key. In this step, we are impersonating someone like Verisign or Thawte. Well, not impersonating, but we are going to do the same thing for ourselves that they would normally do.

To create our key, we’ll run this command:

openssl genrsa -des3 -out ca.key 4096

When we do that, it looks something like this:

[1257][root@mail:~/cert]$ openssl genrsa -des3 -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
...............................................................................................................................++
.................................................++
e is 65537 (0x10001)
Enter pass phrase for ca.key: [enter a pass phrase here for the CA key]
Verifying - Enter pass phrase for ca.key: [verify the same pass phrase here]
[1258][root@mail:~/cert]$

Note that those pass phrases are something you make up right then. You are not authenticating anything, but rather setting up a pass phrase for authenticating later.

Next, we’ll use that key to create the CA certificate. Before we do, note that the information you enter here is NOT the information you will enter later for your own server. Remember, we are emulating a Certificate Authority here; when we generate our server certificate, we will put in the real information, which must differ from what goes in here. With that, let’s whip out the certificate. Notice that we are making it good for 3650 days, or 10 years; adjust to your taste. The cert is made with the following command:

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

And doing this may resemble something like this:

[1306][root@mail:~/cert]$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Enter pass phrase for ca.key: [enter the CA pass phrase from above here]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:WA
Locality Name (eg, city) []:Redmond
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Microsoft Corporation
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.microsoft.com
Email Address []:bill.gates@microsoft.com
[1307][root@mail:~/cert]$

Our Server Key and CSR

Next up on the list is to create a key that corresponds to our server. The first one we made was for the Certificate Authority. This one will be generated by and for our own server. We will do that with this command:

openssl genrsa -des3 -out server.key 4096

The output should look familiar:

[1310][root@mail:~/cert]$ openssl genrsa -des3 -out server.key 4096
Generating RSA private key, 4096 bit long modulus
................................++
....++
e is 65537 (0x10001)
Enter pass phrase for server.key: [enter a pass phrase here for our server key]
Verifying - Enter pass phrase for server.key: [verify the same pass phrase here]
[1313][root@mail:~/cert]$

Again, those pass phrases are something you make up right then. You are not authenticating anything, but rather setting up a pass phrase for authenticating later.

Now… let’s see… oh yeah. Now we have to create a signing request, or CSR, from the server key we just made. A signing request usually makes a trip to a genuine Certificate Authority, which signs it and returns a real, verified, bona fide signed certificate to us. Here we are going to play the Certificate Authority ourselves, but the CSR is still the input to the signing step, so we need to make it first.

To create the CSR, we do this:

openssl req -new -key server.key -out server.csr

Now remember, kids. This is the part where we put in our actual, real information, because the server does in fact belong to us. Put in the real domain where it says “Common Name (eg, YOUR name) []:”. Fill out everything correctly. And so we do:

[1313][root@mail:~/cert]$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: [enter the pass phrase here for our server key from above]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:UT
Locality Name (eg, city) []:Eagle Mountain
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Suse Blog
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.suseblog.com
Email Address []:my-address@suseblog.com [put in your real email address here]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[1323][root@mail:~/cert]$

Sign the Certificate

Now, we are going to take all these files and make them do some voodoo. We are going to sign the signing request using the Certificate Authority certificate and key that we made at the beginning. What we will get is our perfectly forged signed certificate. OK, not perfectly, because we are not a real CA. But we’ll get a pretty darn good signed cert that will work for us rather nicely.

The command we’re going to run looks like this:

openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

And when we run it, we see something hopefully resembling this:

[1326][root@mail:~/cert]$ openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Signature ok
subject=/C=US/ST=UT/L=Eagle Mountain/O=Suse Blog/CN=www.suseblog.com/emailAddress=my-address@suseblog.com
Getting CA Private Key
Enter pass phrase for ca.key: [enter the CA pass phrase from above here]
[1332][root@mail:~/cert]$

Generate server.key That Won’t Prompt for Password

Now, we have a little problem. Our server.key file will cause apache2 to prompt us for a password every time it starts. We need to fix it so that doesn’t happen. We’ll do that with these three commands:

openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key

When we run these commands, here’s our output:

[1354][root@mail:~/cert]$ openssl rsa -in server.key -out server.key.insecure
Enter pass phrase for server.key: [enter the pass phrase here for our server key from above]
writing RSA key
[1354][root@mail:~/cert]$ mv server.key server.key.secure
[1354][root@mail:~/cert]$ mv server.key.insecure server.key
[1354][root@mail:~/cert]$
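
Here is the whole sequence so far, from CA key to pass-phrase-free server.key, as one unattended POSIX shell script. It is an added example and not code from this post or from OpenSUSE: it runs the same openssl subcommands as above but passes the DN with -subj and the pass phrases with -passin/-passout so nothing prompts, then checks the result with openssl verify (does server.crt chain to ca.crt?), compares the RSA modulus in server.key and server.crt, and confirms that the copy of the key apache2 will load opens without a pass phrase. The output directory, the hostname www.example.test, the DN values and the pass phrases are constructed placeholders; swap in your own.

```shell
#!/bin/sh
# Added example, not part of the original post: the walkthrough above as one
# unattended script. Directory, hostname, DN values and pass phrases are
# constructed placeholders; replace them with your own.
set -eu

# make_self_signed DIR COMMON_NAME CA_PASS SERVER_PASS [BITS]
# Produces ca.key, ca.crt, server.key.secure, server.csr, server.crt and the
# pass-phrase-free server.key that apache2 can load without prompting.
make_self_signed() {
  dir=$1 cn=$2 ca_pass=$3 srv_pass=$4 bits=${5:-4096}
  mkdir -p "$dir"

  # 1. CA key (pass-phrase protected) and self-signed CA certificate.
  #    The CA's DN must differ from the server's DN.
  openssl genrsa -des3 -passout "pass:$ca_pass" -out "$dir/ca.key" "$bits" 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/ca.key" -passin "pass:$ca_pass" \
      -subj "/C=US/ST=WA/L=Redmond/O=Example Private CA/CN=Example Private CA" \
      -out "$dir/ca.crt"

  # 2. Server key and CSR carrying the server's real DN (CN = hostname).
  openssl genrsa -des3 -passout "pass:$srv_pass" -out "$dir/server.key" "$bits" 2>/dev/null
  openssl req -new -key "$dir/server.key" -passin "pass:$srv_pass" \
      -subj "/C=US/ST=UT/L=Eagle Mountain/O=Example Site/CN=$cn" \
      -out "$dir/server.csr"

  # 3. Sign the CSR with the CA. Serial 01 follows the post; a CA that issues
  #    more than one certificate must give each a distinct serial.
  openssl x509 -req -days 3650 -in "$dir/server.csr" -CA "$dir/ca.crt" \
      -CAkey "$dir/ca.key" -passin "pass:$ca_pass" -set_serial 01 \
      -out "$dir/server.crt" 2>/dev/null

  # 4. Strip the pass phrase for apache2 but keep the protected copy, then
  #    lock down everything, ca.key included (the post's chmod skips it).
  openssl rsa -in "$dir/server.key" -passin "pass:$srv_pass" \
      -out "$dir/server.key.insecure" 2>/dev/null
  mv "$dir/server.key" "$dir/server.key.secure"
  mv "$dir/server.key.insecure" "$dir/server.key"
  chmod 0600 "$dir/ca.key" "$dir/server.key.secure" "$dir/server.key" \
      "$dir/server.csr" "$dir/server.crt"
}

# verify_chain DIR : does server.crt validate against ca.crt?
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# key_matches_cert DIR : same RSA modulus in server.key and server.crt?
key_matches_cert() {
  [ "$(openssl rsa -noout -modulus -in "$1/server.key")" = \
    "$(openssl x509 -noout -modulus -in "$1/server.crt")" ]
}

# key_is_unencrypted FILE : an empty pass phrase only works on a plain key
key_is_unencrypted() {
  openssl rsa -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# Demo run: sh mkcert.sh demo   (writes ./demo-cert with constructed values)
if [ "${1:-}" = demo ]; then
  make_self_signed demo-cert www.example.test ca-demo-pass server-demo-pass
  verify_chain demo-cert && key_matches_cert demo-cert && echo "demo-cert: OK"
fi
```

Run it as sh mkcert.sh demo to populate ./demo-cert, or call make_self_signed from your own script. Two things it does beyond the post: it puts 0600 on ca.key as well (the listing below shows it world-readable, and whoever holds ca.key can issue certificates that every client trusting ca.crt will accept), and its comment flags -set_serial 01, which is fine for one certificate but must be changed for each further certificate issued from the same CA, since an issuer and serial pair must be unique and Firefox, for one, refuses a second certificate that reuses one. Clients will only trust server.crt once ca.crt is imported into their trust store, which is why verify_chain points at ca.crt explicitly.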

Placing the Files

At this stage, you should now have a bunch of files. These, in fact:

[1354][root@mail:~/cert]$ ll
total 32
drwxr-xr-x  2 root root 4096 2008-06-02 13:54 .
drwx------ 10 root root 4096 2008-06-02 13:35 ..
-rw-r--r--  1 root root 2529 2008-06-02 13:07 ca.crt [CA certificate]
-rw-r--r--  1 root root 3311 2008-06-02 12:58 ca.key [CA key]
-rw-r--r--  1 root root 2049 2008-06-02 13:32 server.crt [our server certificate]
-rw-r--r--  1 root root 1748 2008-06-02 13:23 server.csr [our server signing request]
-rw-r--r--  1 root root 3243 2008-06-02 13:54 server.key [our password-less server key]
-rw-r--r--  1 root root 3311 2008-06-02 13:13 server.key.secure [our passworded server key]
[1355][root@mail:~/cert]$

Just having them doesn’t get us anywhere, so let’s get them installed. First, we are going to change some permissions, because we don’t want just anyone having access to these files. To apply the appropriate permissions, run this:

chmod 0600 server.key.secure server.key server.csr server.crt

Now, here’s where things depend on the distribution that you are using. I will describe what I am doing so that if you are not on OpenSUSE, you will still be able to get this working.

In OpenSUSE, the apache2 config directory is located at /etc/apache2. Underneath that, there are a handful of directories. The three we care about are /etc/apache2/ssl.crt, /etc/apache2/ssl.csr, and /etc/apache2/ssl.key. The server.crt needs to be moved to /etc/apache2/ssl.crt. The server.csr file needs to be moved to /etc/apache2/ssl.csr. And the server.key file needs to be moved to /etc/apache2/ssl.key:

[1348][root@mail:~/cert]$ mv server.key /etc/apache2/ssl.key/server.key
[1349][root@mail:~/cert]$ mv server.crt /etc/apache2/ssl.crt/server.crt
[1349][root@mail:~/cert]$ mv server.csr /etc/apache2/ssl.csr/server.csr
[1349][root@mail:~/cert]$

Yep, pretty complex stuff, moving files.

Now, we need to make a handful more edits to some files, and we’re just about there.

System Configuration

First thing is to edit /etc/sysconfig/apache2. Search through that file for the directive called APACHE_MODULES. Make sure you see ‘ssl’ in there. If not, add it. Then, search through the file and find APACHE_SERVER_FLAGS. Make sure it has ‘SSL’ in it. If not, add it. Save and close the file.

You can also manage apache’s modules with the ‘a2enmod’ command. To view the list of loaded modules, run ‘a2enmod -l’.

Next, open up the config file that tells apache2 which ports to listen on. In OpenSUSE, this file is /etc/apache2/listen.conf. Rip that bad boy open. You will see the following line:

Listen 80

Add a new line for port 443, our HTTPS port, so that it looks like this:

Listen 80
Listen 443

Then, look for the following line:

NameVirtualHost *:80

Add a new line for port 443, our HTTPS port, so that it looks like this:

NameVirtualHost *:80
NameVirtualHost *:443

Save and quit.

Virtual Host Configuration

In OpenSUSE, it’s really easy to have virtual hosts on a machine. I have like 10 on mine. One of them is my blog, www.suseblog.com. Well, to make this easy, in OpenSUSE, the virtual domain configuration files are located in /etc/apache2/vhosts.d, each with their own name. My www.suseblog.com configuration file is called suseblog.conf. To set up SSL for this virtual host, just duplicate the file and give it another name. In my case, I named it ssl-suseblog.conf.

Now, we’re going to open up that file and add like 4 lines to it. No sweat.

At the top of the file, there is a line that looks like this:

<VirtualHost *:80>

Change the port from 80 to 443, so it looks like this:

<VirtualHost *:443>

Then, go down a ways and add these lines:

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

Save and quit on that one, too.
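
The SSLCipherSuite value above dates from 2009 and explicitly re-adds suites a server should not offer: +SSLv2, +LOW, +EXP and +eNULL (no encryption at all), plus RC4. This added example, which is not from the post, is a small POSIX shell audit that pulls the SSLCipherSuite line out of a vhost file, reports which of those tokens are enabled, and prints a hardened set of directives to use instead. The vhost file it checks is a constructed sample in the layout of the post’s ssl-suseblog.conf with the hostname www.example.test; the replacement directives (SSLProtocol, SSLHonorCipherOrder) are standard mod_ssl directives.

```shell
#!/bin/sh
# Added example, not from the original post: audit a vhost file for the
# permissive cipher tokens in the directive shown above and print a
# hardened replacement. The sample vhost content is constructed here.
set -eu

# The directive as given in the post, and a replacement that keeps only
# high-strength suites and drops anonymous, MD5, RC4 and 3DES ones.
WEAK_SUITE='ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'
HARDENED_SUITE='HIGH:!aNULL:!MD5:!RC4:!3DES'

# Tokens that should never appear enabled: SSLv2 (broken protocol),
# LOW and EXP (40/56-bit export grade), eNULL (no encryption), RC4.
WEAK_TOKENS='SSLv2 LOW EXP eNULL RC4'

# write_vhost FILE SUITE : constructed minimal vhost in the post's layout
write_vhost() {
  cat > "$1" <<EOF
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLCipherSuite $2
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
</VirtualHost>
EOF
}

# audit_ciphersuite FILE : exit 0 if no weak token is enabled, else list them
# and exit 1. A token is "enabled" when it appears in a ':' item that is not
# negated with '!' or '-'; '+' joins (RC4+RSA) are split into their parts.
audit_ciphersuite() {
  directive=$(grep -E '^[[:space:]]*SSLCipherSuite[[:space:]]' "$1" \
              | head -n 1 | awk '{print $2}')
  [ -n "$directive" ] || { echo "no SSLCipherSuite in $1"; return 1; }
  enabled=$(printf '%s\n' "$directive" | tr ':' '\n' \
            | grep -v '^[!-]' | sed 's/^+//' | tr '+' '\n')
  bad=''
  for tok in $WEAK_TOKENS; do
    if printf '%s\n' "$enabled" | grep -qx "$tok"; then bad="$bad $tok"; fi
  done
  [ -z "$bad" ] || { echo "weak ciphers enabled in $1:$bad"; return 1; }
}

# hardened_directives : the SSL lines to put in the vhost instead
hardened_directives() {
  printf '%s\n' \
    'SSLEngine on' \
    'SSLProtocol all -SSLv2 -SSLv3' \
    "SSLCipherSuite $HARDENED_SUITE" \
    'SSLHonorCipherOrder on'
}

# Demo run: sh audit-vhost.sh demo   (writes ./weak.conf, audits it)
if [ "${1:-}" = demo ]; then
  write_vhost weak.conf "$WEAK_SUITE"
  audit_ciphersuite weak.conf || hardened_directives
fi
```

On the post’s directive the audit reports all five tokens as enabled; on the hardened suite it reports nothing and exits 0. SSLProtocol all -SSLv2 -SSLv3 matters on the Apache 2.2 generation this post targets, where SSLv2 was still compiled in; Apache 2.4 accepts the line and simply ignores the SSLv2 part. SSLHonorCipherOrder on makes the server, not the client, pick the suite from the list.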

Configure Firewall

We can configure this thing perfectly, but if the firewall doesn’t know to let traffic through, we will not have HTTPS access to the server. Let’s check the firewall really quick to make sure.

Fire up YAST. Go to the Security & Users option on the right, and select FIREWALL from the left. If you do not have a firewall running on the machine, you can just exit now. If you do, you will need to go to ALLOWED SERVICES. In the SERVICES TO ALLOW drop-down on the right, select HTTPS Server. Then click ADD. Then click NEXT, and finally FINISH. You should now have port 443 opened for HTTPS business.

Now, let’s go ahead and restart apache and enjoy our new self-signed self-generated SSL cert on our HTTPS service:

[1426][root@mail:/etc/apache2]$ /etc/init.d/apache2 restart
Syntax OK
Shutting down httpd2 (waiting for all children to terminate)          done
Starting httpd2 (prefork)                                             done
[1427][root@mail:/etc/apache2]$

Conclusion

Well, we’ve concluded. Enjoy.

More info on the mod_ssl page

Article By: SuseBlog

33 responses

11 07 2010
Solutions

I was actually looking for a detailed howto to create the certificates/keys needed for postfix TLS.
Unsure how much that differs from apache server certificates/keys …
It is amazing that there is no script available to auto-create ALL different certificates / server keys and all above work still needs to be done by hand.

18 10 2012
About generating own CA

[…] setting. I have tried the following link to create a set of certificates and it is a piece of cake OpenSUSE Linux: Creating Self-Signed SSL Certificates However, when I try to make the same thing in YAST2-CA-MANAGEMENT I come across several problems. […]

3 01 2013
Help with configuring Apache for SSL for multiple sites on single IP address

[…] set up ssl encryption, i.e. connect by https. I've created my own signed certificate as described here and created the corresponding vhost files. My problem is that I can only access one site the two […]

18 10 2013
Jan Dufek

Thank you – very useful!
