Private Key and Certificate Signing Request CSR

Generate the private key and the Certificate Signing Request (CSR):

$ openssl req \
> -new -newkey rsa:2048 -nodes \
> -keyout private_key.pem -out key_csr.pem
Generating a 2048 bit RSA private key
......................................................+++
......................+++
writing new private key to 'private_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:EU
State or Province Name (full name) [Some-State]:state_g0
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IPduh
Organizational Unit Name (eg, section) []:Systems
Common Name (eg, YOUR name) []:g0
Email Address []:fckna@bot.ipduh.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []: 



The CSR to send to our Certificate Authority for signing is in key_csr.pem

Apache 2 Virtual Host SSL setup

Let's name the public key certificate that our Certificate Authority signed: signed_public.pem

Put the signed certificate and the private key in the appropriate /etc/ssl/ directories:
# cp signed_public.pem /etc/ssl/certs
# cp private_key.pem /etc/ssl/private
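
A check worth running before Apache is restarted, added here as an example and not part of the original post: it confirms that key_csr.pem and the CA-signed signed_public.pem both carry the public key of private_key.pem, and that the key file is closed to group and others. The function names are illustrative; the file names follow the page.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are
# illustrative; file names follow the page.
# Usage: sh precheck.sh private_key.pem key_csr.pem signed_public.pem

# Print the PEM public key held in a private key, a CSR or a certificate.
pub_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pub_of_csr()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# True only when both strings are non-empty and identical, so an
# unreadable or malformed file counts as a mismatch.
same() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# Was the CSR ($1) built from the private key ($2)?
csr_matches_key()  { same "$(pub_of_csr "$1")"  "$(pub_of_key "$2")"; }

# Does the certificate ($1) returned by the CA belong to the key ($2)?
cert_matches_key() { same "$(pub_of_cert "$1")" "$(pub_of_key "$2")"; }

# True when group and others have no permission bits on the key file
# (characters 5-10 of the ls mode string, e.g. "-rw-------").
key_is_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Run every check; the return code says which one failed.
preinstall_check() {   # args: key csr cert
    csr_matches_key "$2" "$1" ||
        { echo "CSR was not made from this key" >&2; return 1; }
    cert_matches_key "$3" "$1" ||
        { echo "certificate does not match this key" >&2; return 2; }
    key_is_private "$1" ||
        { echo "key file is accessible to group/others" >&2; return 3; }
    echo "ok: key, CSR and certificate agree; key file is private"
}

# Run the checks only when the three paths are given on the command line.
if [ "$#" -eq 3 ]; then preinstall_check "$@"; fi
```

A certificate that does not match SSLCertificateKeyFile is caught here, before the restart, instead of by mod_ssl at startup.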


Enable mod_ssl
# cd /etc/apache2/mods-available/
# a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!


Adjust /etc/apache2/ports.conf
# cat /etc/apache2/ports.conf

Listen 192.0.2.44:80
NameVirtualHost 192.0.2.44:80

<IfModule mod_ssl.c>
    Listen 192.0.2.44:443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 192.0.2.44:443
</IfModule>



Configure the Virtual Hosts:

# head -7 ssl.example.net

    ServerAdmin admin@example.net
    DocumentRoot /var/www/example.net
    SSLEngine on
    SSLOptions +StrictRequire
    SSLCertificateFile /etc/ssl/certs/signed_public.pem
    SSLCertificateKeyFile /etc/ssl/private/private_key.pem
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown


or, with explicit protocol and cipher settings and an SSL request log:
# head -9 ssl.alt.example.net

    ServerAdmin admin@example.net
    DocumentRoot /var/www/example.net
    SSLEngine on
    SSLOptions +StrictRequire
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
    SSLCertificateFile /etc/ssl/certs/signed_public.pem
    SSLCertificateKeyFile /etc/ssl/private/private_key.pem
    #  SSLCertificateChainFile
    #  SSLCACertificateFile
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"




Alternative MSIE SSL connection handling workaround
(taken from /usr/share/doc/apache2.2-common/README.Debian.gz)
SSL workaround for MSIE
-----------------------

The SSL workaround for MS Internet Explorer needs to be added to your SSL
VirtualHost section (it was previously in ssl.conf but caused keepalive to be
disabled even for non-SSL connections):

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

The default SSL virtual host in /etc/apache2/sites-available/default-ssl
already contains this workaround.

