$ openssl req \ > -new -newkey rsa:2048 -nodes \ > -keyout private_key.pem -out key_csr.pem Generating a 2048 bit RSA private key ......................................................+++ ......................+++ writing new private key to 'private_key.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:EU State or Province Name (full name) [Some-State]:state_g0 Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]:IPduh Organizational Unit Name (eg, section) []:Systems Common Name (eg, YOUR name) []:g0 Email Address []:fckna@bot.ipduh.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
The CSR we need to send for signing to our Certificate Authority is at key_csr.pem
Apache 2 Virtual Host SSL setup
Let's name the public key certificate that our Certificate Authority signed: signed_public.pem
Put the keys in the appropriate /etc/ssl/ directories
#cp signed_public.pem /etc/ssl/certs #cp private_key.pem /etc/ssl/private
Enable mod_ssl
# cd /etc/apache2/mods-available/ # a2enmod ssl Enabling module ssl. See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates. Run '/etc/init.d/apache2 restart' to activate new configuration!
Adjust /etc/apache2/ports.conf
# cat /etc/apache2/ports.conf
Listen 192.0.2.44:80
NameVirtualHost 192.0.2.44:80
<IfModule mod_ssl.c>
Listen 192.0.2.44:443
</IfModule>
<IfModule mod_gnutls.c>
Listen 192.0.2.44:443
</IfModule>
Configure the Virtual Hosts:
#head -7 ssl.example.netServerAdmin admin@example.net DocumentRoot /var/www/example.net SSLEngine on SSLOptions +StrictRequire SSLCertificateFile /etc/ssl/certs/signed_public.pem SSLCertificateKeyFile /etc/ssl/private/private_key.pem SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
or
#head -9 ssl.alt.example.netServerAdmin admin@example.net DocumentRoot /var/www/example.net SSLEngine on SSLOptions +StrictRequire SSLProtocol all -SSLv2 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM SSLCertificateFile /etc/ssl/certs/signed_public.pem SSLCertificateKeyFile /etc/ssl/private/private_key.pem # SSLCertificateChainFile # SSLCACertificateFile SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Alternative MSIE SSL connection handling workaround
( taken from /usr/share/doc/apache2.2-common/README.Debian.gz )
SSL workaround for MSIE
-----------------------
The SSL workaround for MS Internet Explorer needs to be added to your SSL
VirtualHost section (it was previously in ssl.conf but caused keepalive to be
disabled even for non-SSL connections):
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
The default SSL virtual host in /etc/apache2/sites-available/default-ssl
already contains this workaround.
ref:
Apache 2 mod_ssl
Private Key and Certificate Signing Request CSR
