
Apache 2.x mod_ssl/SSL Crib Sheet

1) Generate Key

openssl genrsa -des3 -out ${site-name}.key 2048

2) Generate Certificate Signing Request (CSR)

openssl req -new -key ${site-name}.key -out ${site-name}.csr

3) Submit CSR
Submit your CSR to a certificate signing authority.

4) Wait (Use a Self-Signed Certificate)

openssl x509 -req -days 30 -in ${site-name}.csr -signkey ${site-name}.key -out ${site-name}.crt

5) (Optional) Remove Password on Key

When Apache restarts, mod_ssl will prompt you to enter the password for any installed keys. To get
around this you can put your password in your configuration file or remove the password from the
key. Both are awful solutions, but the latter is my current preference. An unencrypted key is protected
only by its file permissions, so keep the resulting file readable by root only.

openssl rsa -in ${site-name}.key -out ${site-name}.key_nopass

6) Update SSL VHost
Depending upon your distribution you might have to adjust the path information for each entry. Also,
nowadays most Certificate Authorities (CA) use an intermediate so you'll probably need to download the
CA certificate and use it as shown on the last line.

SSLEngine on
SSLProxyEngine on
SSLCertificateFile /etc/apache2/ssl/${site-name}.crt
SSLCertificateKeyFile /etc/apache2/ssl/${site-name}.key_nopass
SSLCACertificateFile /etc/apache2/ssl/CA-intermediate.crt

7) Install Signed Certificate
Replace your self-signed certificate with the one you received from your CA and restart Apache.
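
Two checks worth running before the restart in step 7, as an added example that is not part of the
original crib sheet: the certificate must contain the same public key as the key file Apache loads, and
the password-free key from step 5 must not be readable by group or other. The site.* and other.key
file names and the example.test subject are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original crib sheet. File names are placeholders.

# Succeeds only if the certificate and the private key hold the same public key.
# "-passin pass:" keeps a password-protected key from prompting; it fails instead.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if group and other have no permission bits on the key file.
key_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10) || return 2
    [ "$perms" = "------" ]
}

# Constructed sample input: throwaway key, CSR and 30-day self-signed
# certificate (steps 1, 2 and 4 without a password), plus an unrelated key.
make_demo_files() {
    openssl genrsa -out "$1/site.key_nopass" 2048 2>/dev/null &&
    openssl req -new -key "$1/site.key_nopass" -subj "/CN=example.test" \
        -out "$1/site.csr" 2>/dev/null &&
    openssl x509 -req -days 30 -in "$1/site.csr" \
        -signkey "$1/site.key_nopass" -out "$1/site.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo=$(mktemp -d)
make_demo_files "$demo"
chmod 644 "$demo/site.key_nopass"      # simulate a key left world-readable
key_is_private "$demo/site.key_nopass" || echo "key: group/other can read it"
chmod 600 "$demo/site.key_nopass"
key_is_private "$demo/site.key_nopass" && echo "key: owner-only"
cert_matches_key "$demo/site.crt" "$demo/site.key_nopass" && echo "cert/key: match"
cert_matches_key "$demo/site.crt" "$demo/other.key" || echo "cert/key: MISMATCH"
rm -rf "$demo"
```

A mismatch here means Apache would refuse to start with that certificate and key pair, so it is
cheaper to catch before the restart.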