Saskatoon Linux Group | RecentChanges | Preferences

I only do this once per year, and it's always a chore to remember how. Perhaps it will help someone else as well.

These instructions work with Debian's apache-ssl package. (I think that's _not_ mod-ssl)

First, generate a server key:

 openssl genrsa -out my.domain.com.key 1024

This file should be chmodded to 0400. You should also make a backup of this file in a safe place.

This will create a key without a passphrase. If you want a passphrase, add -des3 after genrsa. If you do this, you will need to type in the passphrase every time you restart your webserver.

Next, generate the CSR:

 openssl req -new -key my.domain.com.key -out my.domain.com.csr

It will ask you several questions. The critical one is "Common Name (eg Your Name)". The correct answer to that is the full host name of your webserver (e.g. www.slg.org or ssl.waldetech.ca). Don't add https://

You can verify the info in the CSR:

 openssl req -noout -text -in my.domain.com.csr

Send the CSR file to your CA. (At GoDaddy, you paste it into a box on their website. IIRC, GeoTrust was the same.)

Your CA should send you back a certificate file (.cer). Place that file on your webserver and chmod it to 0400.

Add these lines to your apache-ssl/httpd.conf file:

 SSLCertificateFile /etc/apache-ssl/my.domain.com.cer
 SSLCertificateKeyFile /etc/apache-ssl/my.domain.com.key

Restart your webserver and you should be good to go.
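
The key and CSR steps above as a non-interactive script, with the checks worth running before the CSR goes to the CA. This is an added example, not part of the original page. The helper names (valid_cn, make_csr, check_csr) are hypothetical, and the key size defaults to 2048 bits rather than the 1024 shown above, on the assumption that your CA follows the current baseline of refusing 1024-bit RSA keys.

```shell
# Added example. valid_cn, make_csr and check_csr are hypothetical helper names.

# Accept only a bare host name: no scheme, path, port or spaces.
valid_cn() {
    case "$1" in
        ''|*/*|*:*|*' '*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# make_csr FQDN DIR [BITS]: write DIR/FQDN.key (mode 0400) and DIR/FQDN.csr.
make_csr() {
    fqdn=$1 dir=$2 bits=${3:-2048}
    valid_cn "$fqdn" || { echo "bad Common Name: $fqdn" >&2; return 1; }
    (
        umask 077   # the key is never readable by others, even briefly
        openssl genrsa -out "$dir/$fqdn.key" "$bits" 2>/dev/null || exit 1
        chmod 0400 "$dir/$fqdn.key"
    ) || return 1
    # -subj answers the interactive questions; only the Common Name is set.
    openssl req -new -key "$dir/$fqdn.key" -subj "/CN=$fqdn" -out "$dir/$fqdn.csr"
}

# check_csr FQDN DIR: succeed only if the CSR is fit to send to the CA.
check_csr() {
    key=$2/$1.key csr=$2/$1.csr
    # 1. The CSR self-signature is intact. Match the message text, because
    #    older openssl releases exit 0 even when verification fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    # 2. The CSR carries the public key that belongs to this private key.
    k=$(openssl rsa -in "$key" -noout -modulus) || return 1
    c=$(openssl req -in "$csr" -noout -modulus) || return 1
    [ "$k" = "$c" ] || return 1
    # 3. The subject names the expected host.
    openssl req -in "$csr" -noout -subject | grep -q "CN *= *$1\$" || return 1
    # 4. The private key file is owner-read-only.
    [ "$(ls -l "$key" | cut -c1-10)" = "-r--------" ]
}
```

Typical use: make_csr my.domain.com /etc/apache-ssl && check_csr my.domain.com /etc/apache-ssl. The modulus comparison in step 2 is also how you catch a CSR that was generated from last year's key by mistake.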

Last edited October 13, 2005 12:12 pm