Generating an SSL certificate

An SSL certificate can easily be generated on your FreeBSD machine using OpenSSL. Before you can create one you must create a SSL Certificate of Authority. Then with your CA you can generate a certificate request and then the certificate following the steps below.

This tutorial uses the SSL settings and directories from the CA tutorial found here.

This tutorial will give the example of creating a cert for this web site. Change the file names to that of your own domain. Commands shown will slashes are to break them down to fit on the page, they are not needed. To create a new certificate request use the following command

The SSL Request

# cd ~root/sslCA
# openssl req -new -nodes \
	-out FreeBSDMadeEasy-req.pem \
	-keyout private/FreeBSDMadeEasy-key.pem \
	-config /etc/ssl/openssl.cnf

Generating a 1024 bit RSA private key
.............................++++++
.............................++++++
writing new private key to 'private/FreeBSDMadeEasy-key.pem'
-----
You are about to be asked to enter information that
will be incorporated
into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave 
some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Nebraska]:
Locality Name (eg, city) [Wahoo]:
Organization Name (eg, company) []: FreeBSD Made Easy
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: *.freebsdmadeeasy.com
Email Address []: ssl@freebsdmadeeasy.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Enter *.yourdomain for the common name if you wish to use this cert for all subdomains also, otherwise just enter the full address of the web server.

If you enter a challenge password you will be prompted for the password everytime Apache starts or your server reboots.

You should now have two files: ~root/sslCA/FreeBSDMadeEasy-req.pem and ~root/sslCA/private/FreeBSDMadeEasy-key.pem

Generating the SSL Certificate

# openssl ca 
	-config /etc/ssl/openssl.cnf
	-out FreeBSDMadeEasy-cert.pem \
	-infiles FreeBSDMadeEasy-req.pem

The certificate will be good for 365 days by default. Once it expires you will need to generate a new one. You can change the length by adding the -days <num> option. For example -days 3650 will make the certificate good for 10 years.

Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /root/sslCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Aug  5 02:51:42 2006 GMT
            Not After : Aug  2 02:51:42 2007 GMT
        Subject:
            countryName = US
            stateOrProvinceName = Nebraska
            organizationName = FreeBSD Made Easy
            commonName = *.freebsdmadeeasy.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                8B:48:A5:3A:C7:EA:9A:B3:61:9F:AC:B9
            X509v3 Authority Key Identifier:
                keyid:F8:D3:77:0C:78:6D:87:20:00:BF
                DirName:/C=US/ST=Nebraska/L=Wahoo
                /O=FreeBSD Made Easy
                /CN=*.freebsdmadeeasy.com
                serial:E5:A5:39:3F:6E:63:FA:7E

Certificate is to be certified until 
Aug  2 02:51:42 2007 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

You will be prompted for the CA password above.

Once it completes you will have two files: ~root/sslCA/FreeBSDMadeEasy-cert.pem which is the certificate and ~root/sslCA/newcerts/1000.pem is a copy of it in the certs directory. The number will be taken from the serials file.

Copying the Certificate and Key

If you don't have a place for your cert and key already create the following directories.

# mkdir /etc/ssl/crt
# mkdir /etc/ssl/key

Copy in your new cert and key from the sslCA directory.

# cp ~/sslCA/FreeBSDMadeEasy-cert.pem /etc/ssl/crt
# cp ~/sslCA/private/FreeBSDMadeEasy-key.pem /etc/ssl/key

Adding the SSL Virtual Host

In Apache 2.2.x you need to include the SSL config file by unhashing the line like this in the httpd.conf file.

# Secure (SSL/TLS) connections
Include etc/apache22/extra/httpd-ssl.conf

If you have an httpd-ssl.conf file use it for the following steps, otherwise in your /usr/local/etc/apache2/httpd.conf file or a new one in Includes create a vhost like the follwing.

<VirtualHost *:443>
ServerName ssl.freebsdmadeeasy.com
SSLEngine on
SSLCertificateFile /etc/ssl/crt/FreeBSDMadeEasy-cert.pem
SSLCertificateKeyFile /etc/ssl/key/FreeBSDMadeEasy-key.pem

DocumentRoot /usr/local/www/FreeBSDMadeEasy-SSL        
CustomLog /usr/local/www/logs/ssl-access_log combined
ErrorLog /usr/local/www/logs/ssl-error_log
</VirtualHost>

Restart Apache and open the domain in your web browser with https:// to test it. You can also attempt to telnet into the SSL port on apache to make sure that ssl is enabled and listening.

# apachectl restart
# telnet localhost:443

Comments