Create Apache Self Signed Certificate

Submitted by code_admin on Mon, 07/23/2018 - 09:31

I have rolled this process into my Personal Infrastructure CA. https://gitlab.com/rmetcalf9/RJM_Personal_Infrastructure/tree/master/CA

Done in /etc/apache2/ssl

Create key (we already have one, so there is no need to repeat this step):
openssl genrsa -out server.key 2048

Open question: does the Common Name have to match the host name? (See the wget error.)

Create the signing request:
openssl req -new -key server.key -out server.csr
country: GB
State or Province Name: UK
Locality Name (eg, city): London
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Robert Metcalf (metcarob)
Organizational Unit Name (eg, section) []: Personal website
Common Name (eg, YOUR name) []: *.metcarob.com
Email Address []: securitycert@metcarob.com

Optional fields (leave blank):
A challenge password []:
An optional company name []:

Sign the request with the key (self-signed):
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.cert

Restart Apache:
/etc/init.d/apache2 restart

Set up the SSL pass phrase
Add a file wdke.sh to /etc/apache2/ssl. Make it executable, make the Apache user own it (chown and chgrp), and make it unreadable by everyone else.

  #!/bin/sh
  echo "passphrase"

Edit /etc/apache2/httpd.conf (now /etc/apache2/mods-enabled/ssl.conf) and find a section like the following:

  <IfModule mod_ssl.c>
  #   Pass Phrase Dialog:
  #  #SSLPassPhraseDialog  builtin
  SSLPassPhraseDialog exec:/etc/apache2/ssl/wdke.sh
  </IfModule>

Process used to generate the root CA signing key and certificate

  cd /etc/apache2/ssl/rootCA
  openssl genrsa -out metcarob_root_auth.key 2048
  openssl req -x509 -new -nodes -key metcarob_root_auth.key -days 2048 -out metcarob_root_auth.pem
  country: GB
  State or Province Name: UK
  Locality Name (eg, city): London
  Organization Name (eg, company) [Internet Widgits Pty Ltd]: Robert Metcalf (metcarob)
  Organizational Unit Name (eg, section) []: Root CA
  Common Name (eg, YOUR name) []: Robert Metcalf
  Email Address []: securitycert@metcarob.com

Repeat these steps for every domain I sign with my root CA

The domain matches SITE_NAME in my config

  cd /etc/apache2/ssl
  DOMAIN=download_mylinkedthings
  openssl genrsa -out ${DOMAIN}.key 2048
  openssl req -new -key ${DOMAIN}.key -out ${DOMAIN}.csr -subj "/C=GB/ST=UK/L=London/O=Robert Metcalf (metcarob)/CN=${DOMAIN}/emailAddress=securitycert@metcarob.com"

Produce the signed cert (valid for 500 days)

  openssl x509 -req -in ${DOMAIN}.csr -CA ./rootCA/metcarob_root_auth.pem -CAkey ./rootCA/metcarob_root_auth.key -CAcreateserial -out ${DOMAIN}.cert -days 500
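The root-CA and per-domain steps above, as an added example that is not part of these notes and not taken from the linked CA repo: a script that issues a CA-signed server certificate carrying a subjectAltName (clients match the host name against the SAN, not the Common Name, which bears on the open question above) and then checks chain and host name with openssl verify. The working directory, host name and file names are assumed for the demonstration.

```shell
#!/bin/sh
# Added example, not the original notes. Builds a throwaway root CA and a
# CA-signed server certificate that carries a subjectAltName, then runs the
# checks a TLS client performs (chain of trust and host-name match).
# The directory, host and file names are assumed for the demonstration.
set -eu

# Create the root CA key and self-signed CA certificate under $1/rootCA
# (the rootCA steps from the notes, with the subject given via -subj).
make_root_ca() {
  dir=$1
  mkdir -p "$dir/rootCA"
  openssl genrsa -out "$dir/rootCA/root.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/rootCA/root.key" -days 3650 \
    -subj "/C=GB/O=Example/CN=Example Root CA" \
    -out "$dir/rootCA/root.pem" 2>/dev/null
}

# Issue a server certificate for host $2 signed by the CA under $1.
# The SAN is what clients match the host name against; a Common Name alone
# is not enough for current browsers, so it is added via an extension file.
issue_server_cert() {
  dir=$1; host=$2
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
    -subj "/C=GB/O=Example/CN=$host" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$host" > "$dir/$host.ext"
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/rootCA/root.pem" \
    -CAkey "$dir/rootCA/root.key" -CAcreateserial -days 500 \
    -extfile "$dir/$host.ext" -out "$dir/$host.cert" 2>/dev/null
}

# Verify $1/$2.cert against the CA and host name $3, as a client would.
# Exit status 0 means the chain and the host name both check out.
verify_for_host() {
  dir=$1; cert=$2; host=$3
  openssl verify -CAfile "$dir/rootCA/root.pem" -verify_hostname "$host" \
    "$dir/$cert.cert" >/dev/null 2>&1
}

# Usage: issue a cert for www.example.test, then check a matching and a
# non-matching host name against it.
WORK=$(mktemp -d)
make_root_ca "$WORK"
issue_server_cert "$WORK" www.example.test
verify_for_host "$WORK" www.example.test www.example.test && echo "www.example.test: OK"
verify_for_host "$WORK" www.example.test other.example.test || echo "other.example.test: rejected"
```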

RJM Article Type: Work Notes