Using OpenSSL
From Gruff Goat Wiki
Create a temporary central directory for storage of your keys. The directory should be accessible only by root (mode 700; a directory needs the execute bit, not just read, before it can be entered).
mkdir -p /root/privatekeys
chown root:root /root/privatekeys
chmod 700 /root/privatekeys
Create a Private Key
A private key is the first step for many following actions.
Generate a default RSA private key.
openssl genrsa -out /root/privatekeys/default.pem 2048
OUTPUT
Generating RSA private key, 2048 bit long modulus
...............................++++++
.++++++
Generate domain specific RSA private keys.
openssl genrsa -out /root/privatekeys/domain.pem 2048
OUTPUT
Generating RSA private key, 2048 bit long modulus
...............................++++++
.++++++
Set the private keys to read only
chmod 400 /root/privatekeys/*
Create a Security Certificate
Generate a Self-signed Certificate
You may use this certificate for your default server; however, browsers will require you to explicitly accept it. This is fine for a development or private server but it is not acceptable for a public production server. A public production server requires a certificate signed by a known Certificate Authority (see the section Get a CA Signed Certificate).
Create a self-signed certificate from the private key
openssl req -new -x509 -key /root/privatekeys/default.pem -out /root/privatekeys/default.crt -days 1095
Fill in the following information.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Wisconsin
Locality Name (eg, city) []:Milwaukee
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Org Name
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.mydomain.tld
Email Address []:email@mydomain.tld
Set everything to read only
chmod 400 /root/privatekeys/*
Get a CA signed Certificate
Generate a Certificate Signing Request (CSR)
Now create a CSR from the private key
openssl req -new -key /root/privatekeys/domain.pem -out /root/privatekeys/domain.csr
Fill in the following information. The Common Name you enter here must be the exact domain address that will be used to access SSL services on your server.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Wisconsin
Locality Name (eg, city) []:Milwaukee
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Org Name
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.mydomain.tld
Email Address []:email@mydomain.tld

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Set everything to read only
chmod 400 /root/privatekeys/*
Submit your CSR
Submit your CSR to your chosen Certificate Authority (CA). Follow their procedures to receive your newly minted certificate. You may also receive a chaining certificate. The chaining certificate links your server certificate to the CA's trusted certificate. Search Certificate Authorities.
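Before handing a CSR to a CA it is worth checking that it really belongs to the key you are keeping, carries the exact host name you intend, and that the key is locked down. The script below is an added example, not part of the original wiki page: it builds the key and CSR from the steps above non-interactively (the -subj string replaces the prompts) and then runs those checks. The directory and the www.example.test Common Name are constructed placeholders.

```shell
#!/bin/sh
# Added example: create a domain key + CSR and verify the CSR before submission.
set -u

# make_csr DIR CN : writes DIR/domain.pem (private key, mode 0400) and DIR/domain.csr
make_csr() {
    dir=$1; cn=$2
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    openssl genrsa -out "$dir/domain.pem" 2048 2>/dev/null || return 1
    chmod 400 "$dir/domain.pem"
    # -subj answers the interactive prompts; values here are constructed placeholders
    openssl req -new -key "$dir/domain.pem" -out "$dir/domain.csr" \
        -subj "/C=US/ST=Wisconsin/L=Milwaukee/O=My Org Name/CN=$cn" 2>/dev/null
}

# check_csr KEY CSR CN : returns 0 only if every check passes
check_csr() {
    key=$1; csr=$2; cn=$3
    # 1. the CSR parses and its self-signature verifies (it has not been corrupted)
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "CSR signature does not verify"; return 1; }
    # 2. the CSR was generated from this private key: same RSA modulus
    kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    cmod=$(openssl req -in "$csr" -noout -modulus 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] \
        || { echo "CSR public key does not match $key"; return 1; }
    # 3. the Common Name is exactly the host clients will connect to
    got=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
          | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$got" = "$cn" ] || { echo "CN is '$got', expected '$cn'"; return 1; }
    # 4. the private key is readable by its owner only (mode 0400)
    [ -n "$(find "$key" -perm 0400)" ] \
        || { echo "$key is not mode 0400"; return 1; }
    echo "CSR checks passed for $cn"
}

# usage: make_csr /root/privatekeys www.mydomain.tld \
#        && check_csr /root/privatekeys/domain.pem /root/privatekeys/domain.csr www.mydomain.tld
```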
UCC Certificate
Unified Communications Certificates (UCC) are SSL Certificates that allow securing multiple domain names with one certificate.
The CSR for a UCC is generated in the same manner as a standard certificate. The extra domain names are added by the Certificate Authority. This article does not cover creation of a self-signed UCC.