Creating and Requesting SSL Certificates

One of the less common server tasks during the year is the setup and maintenance of SSL certificates for web services. There has always been an air of dread when this comes around, though I'm not sure where that comes from. The process is simple enough to go through, and you have two choices in how you use SSL.

You can either generate your own certificate, which will cause the user's browser to prompt (this is by design, since you're not a certificate authority), or you can purchase a certificate from an authority such as Verisign. Most of the larger certificate authorities are accepted by 99% of browsers. There are various levels of certificate validation, which include domain validation (proving you own the domain), extended validation (proving you are a business/individual) and enterprise level validation.

The first thing you will need to do is generate your own key if you haven’t done so already. Using the openssl program you can generate your own key using the following command:

openssl genrsa -des3 -out my.key 2048

This will generate a 2,048-bit RSA private key for you; the -des3 option encrypts the key file with a passphrase that you will be prompted for. Some certificate authorities require a key of at least this size.

Now that you have your own private key you can create a Certificate Signing Request (CSR). This is a request to an authority to create a certificate on your behalf. The program will ask you a series of questions that you need to answer. The most important of these is the Common Name field, which must be the FQDN of the site you're securing. Again, using OpenSSL you can use this command to generate your CSR:

openssl req -new -key my.key -out my.csr

If you want to generate your own self-signed certificate then you can use the following OpenSSL command to do so. This generates a certificate that is valid for 365 days from today:

openssl x509 -req -days 365 -in my.csr -signkey my.key -out my.crt

If for any reason you would like to remove the passphrase/password from your private key, you can do so using the command:

openssl rsa -in my.key -out new.key

Keep in mind that new.key is then stored unencrypted, so restrict its file permissions so that only the service that needs it can read it.
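The whole procedure above, scripted non-interactively and followed by the checks I would run before installing the result: that the key, CSR and certificate share the same RSA modulus, that the Common Name is the site you asked for, and that the passphrase really was removed. This is an added example, not part of the original post; it assumes an openssl binary on PATH, and the domain, passphrase and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: generate a passphrase-protected key, a CSR, a self-signed
# certificate and a passphrase-free copy of the key, without prompts.
# Assumes openssl is on PATH. Domain, passphrase and paths are demo values.
make_selfsigned_cert() {
    domain="$1"; dir="$2"; pass="$3"
    mkdir -p "$dir" || return 1
    # Same four commands as the post; -passout/-passin and -subj replace the
    # interactive prompts so the script can run unattended.
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/my.key" 2048 >/dev/null 2>&1 || return 1
    openssl req -new -key "$dir/my.key" -passin "pass:$pass" \
        -subj "/CN=$domain" -out "$dir/my.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 365 -in "$dir/my.csr" -signkey "$dir/my.key" \
        -passin "pass:$pass" -out "$dir/my.crt" >/dev/null 2>&1 || return 1
    openssl rsa -in "$dir/my.key" -passin "pass:$pass" -out "$dir/new.key" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/new.key"   # the unencrypted key must not be world-readable
}

# Returns 0 only if the artefacts in $dir are consistent with each other:
# key, CSR and certificate carry the same modulus, the certificate's CN is
# the requested domain, it is not about to expire, and new.key is unencrypted.
verify_cert_matches_key() {
    domain="$1"; dir="$2"; pass="$3"
    key_mod=$(openssl rsa -noout -modulus -in "$dir/my.key" -passin "pass:$pass" 2>/dev/null) || return 1
    csr_mod=$(openssl req -noout -modulus -in "$dir/my.csr" 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/my.crt" 2>/dev/null) || return 1
    [ "$key_mod" = "$csr_mod" ] || return 1
    [ "$key_mod" = "$crt_mod" ] || return 1
    # Subject line looks like "subject=CN = host" (or "/CN=host" on older builds).
    openssl x509 -noout -subject -in "$dir/my.crt" | grep -q "CN *= *$domain" || return 1
    # -checkend N fails if the certificate expires within N seconds.
    openssl x509 -noout -checkend 86400 -in "$dir/my.crt" >/dev/null || return 1
    grep -q ENCRYPTED "$dir/my.key" || return 1      # original key is still protected
    ! grep -q ENCRYPTED "$dir/new.key" || return 1   # stripped copy is plain
}

# Usage: make_selfsigned_cert www.example.test ./certs 'demo-pass' \
#        && verify_cert_matches_key www.example.test ./certs 'demo-pass'
```

The modulus comparison is the check that catches the most common mistake, a CSR or certificate that was generated against a different key than the one installed on the server.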