Red Hat Knowledgebase

Article Reference

Article ID: 9497
Last update: 11-07-06
Issue:
How can I generate SSL certificates for the web sites hosted on the Apache web server?
Resolution:

While Red Hat includes a simplistic tool (a Makefile) to generate SSL certificates, it is deprecated for sites where there is a need to specify a password with each httpd startup or for servers with multiple certificates.

This process can be accomplished with the OpenSSL package provided by Red Hat Enterprise Linux. The following items are required for SSL with Apache:

  • SSL .key file -- This is the private key. It may be created with a passphrase but this is not recommended as it requires a passphrase entry when the httpd service is started and with multiple entries (keys) it can cause httpd not to start.
  • SSL .csr File -- If there is a plan to have the certificate signed, this is the Certificate Signing Request that is needed. It is transmitted to a company such as "VeriSign", which completes a verification process and gives back a final .crt file. A "self-signed" certificate can also be created. This *will* trigger a warning in web browsers telling the surfer that the certificate's authenticity cannot be verified. Many browsers can then be configured to "remember" this certificate and not trigger the error in the future.
  • SSL .crt File -- This is the certificate, which contains the public key. It is automatically transmitted to anyone who attempts an https:// connection to the web server in question. Only the private .key file may be used to decrypt the messages the browser sends to the server.

To generate an SSL key without a passphrase (recommended), use a command such as this:

openssl genrsa -out /etc/httpd/conf/ssl.key/domain-name.com.key 1024

To request the official certificate, generate a .csr file like this:

openssl req -new -key /etc/httpd/conf/ssl.key/domain-name.com.key -out /etc/httpd/conf/ssl.csr/domain-name.com.key.csr

Enter the information when the prompts appear. Entering a "Common Name" is a *MUST*, and it has to match the exact hostname that is to be used for the SSL site. For example, if customers are required to be able to connect to https://www.mycompany.com, then enter "www.mycompany.com" as the "Common Name".

If a self-signed certificate needs to be created (which is useful in a testing scenario), execute the following:

openssl req -new -key /etc/httpd/conf/ssl.key/domain-name.com.key -x509 -out /etc/httpd/conf/ssl.crt/domain-name.com.crt -days 999
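
The three steps above, run without prompts and then checked for consistency, as an added example that is not part of the original article. The function names and the scratch directory are assumptions, the host name reuses the article's www.mycompany.com, and the key is 2048 bits instead of the article's 1024 because public CAs no longer accept 1024-bit RSA keys.

```sh
#!/bin/sh
# Added example (not from the article). Function names and the scratch
# directory are assumptions; 2048 bits replaces the article's 1024.

# make_ssl_files DIR HOST: write HOST.key, HOST.csr and HOST.crt under DIR.
make_ssl_files() {
    dir=$1; host=$2
    # umask 077 in a subshell: the unencrypted key is created owner-only.
    ( umask 077; openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null ) || return 1
    # -subj supplies the Common Name without the interactive prompts.
    openssl req -new -key "$dir/$host.key" -subj "/CN=$host" \
        -out "$dir/$host.csr" || return 1
    openssl req -new -key "$dir/$host.key" -subj "/CN=$host" -x509 \
        -out "$dir/$host.crt" -days 999 || return 1
}

# pubkey_digest KIND FILE: SHA-256 of the public key held in FILE.
pubkey_digest() {
    case $1 in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# check_ssl_files DIR HOST: succeeds only if the key, CSR and certificate
# carry the same public key and the certificate's Common Name is HOST.
check_ssl_files() {
    dir=$1; host=$2
    k=$(pubkey_digest key "$dir/$host.key")
    [ "$k" = "$(pubkey_digest csr "$dir/$host.csr")" ] || return 1
    [ "$k" = "$(pubkey_digest crt "$dir/$host.crt")" ] || return 1
    openssl x509 -in "$dir/$host.crt" -noout -subject |
        grep -q "CN *= *$host\$"
}

# Usage:
#   d=$(mktemp -d) && make_ssl_files "$d" www.mycompany.com &&
#       check_ssl_files "$d" www.mycompany.com && echo "files match"
```

Running check_ssl_files before pointing httpd at a new key and certificate catches the mismatched-pair case, which is easy to hit on servers that hold several certificates.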

