Difference between revisions of "SSL-self-signed-certificate-creation-and-config"

From Wiki at Neela Nurseries
(2017-07-24 - On Neela wiki page, Ted putting up first notes of SSL self-signed certificate creation - TMH)
m (2017-07-25 - Ted adding section on certificate authorities and CertBot, a recommended ACME client mentioned at https://letsencrypt.org.)
Line 146: Line 146:
<!-- comment -->
== Certificate Authorities and CertBot ==
*  https://certbot.eff.org/
*  https://certbot.eff.org/#ubuntuxenial-apache
<!-- comment -->
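Review bot: the section added at line 146 contains only two bare URLs under the heading, with no sentence saying when a reader should use CertBot instead of the self-signed procedure on the rest of the page. Add a one-line description under "== Certificate Authorities and CertBot ==" and label the second link as the Ubuntu Xenial plus Apache instructions, since its fragment (#ubuntuxenial-apache) is specific to that combination.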

Revision as of 18:31, 25 July 2017

- 2017-07-20 Thursday -

Ted's first finding of instructions on setting up SSL and configuring the Apache2 web server to use this encryption protocol library:

Copy of the summary of steps from the above online instructions:

Here's what we're going to do, in order:

  1. Make sure Apache has SSL enabled.
  2. Generate a certificate signing request (CSR).
  3. Generate a self-signed certificate.
  4. Copy the certificate and keys we've generated.
  5. Tell Apache about the certificate.
  6. Modify the VirtualHosts to use the certificate.
  7. Restart Apache and test.


Note From SSL Config On Generic Server



ted@localhost:~$ sudo a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!


ted@localhost:~$ # https://www.linux.com/learn/creating-self-signed-ssl-certificates-apache-linux
ted@localhost:~$ # STEP 2
ted@localhost:~$ sudo openssl req -new > new.ssl.csr
Generating a 1024 bit RSA private key
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Oregon
Locality Name (eg, city) []:Portland
Organization Name (eg, company) [Internet Widgits Pty Ltd]:General Industry
Organizational Unit Name (eg, section) []:Web and CMS
Common Name (eg, YOUR name) []:Ted Havelka
Email Address []:ted@general-industry.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.

Checking for new files . . .

ted@localhost:~$ ls -lt
total 60
-rw-r--r-- 1 ted  ted    720 2017-07-20 12:22 new.ssl.csr
-rw-r--r-- 1 root root   963 2017-07-20 12:22 privkey.pem
drwxr-xr-x 2 ted  ted   4096 2017-05-05 15:08 archive


ted@localhost:~$ sudo openssl rsa -in privkey.pem -out new.cert.key
Enter pass phrase for privkey.pem:
writing RSA key

ted@localhost:~$ sudo openssl x509 -in new.ssl.csr -out new.cert.cert -req -signkey new.cert.key -days 365
Signature ok
subject=/C=US/ST=Oregon/L=Portland/O=General Industry/OU=Alta/CN=Ted Havelka/emailAddress=ted@general-industry.com
Getting Private key

ted@localhost:~$ sudo cp new.cert.cert /etc/ssl/certs/server-localhost.crt
[sudo] password for ted:
ted@localhost:~$ sudo cp new.cert.key /etc/ssl/private/server-localhost.key

Checking permissions of newly created private key file:

ted@localhost:/etc/ssl$ sudo su
# id
uid=0(root) gid=0(root) groups=0(root)
# cd private/
# ls -l
total 8
-rw-r--r-- 1 root root      887 2017-07-20 14:15 server-localhost.key
-rw-r----- 1 root ssl-cert 1679 2011-05-10 08:24 ssl-cert-snakeoil.key
# exit
ted@localhost:/etc/ssl$ ls -l /etc/ssl/certs/server-localhost.crt
-rw-r--r-- 1 root root 993 2017-07-20 14:14 /etc/ssl/certs/server-localhost.crt
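
The listing above shows server-localhost.key as -rw-r--r-- next to the distribution's ssl-cert-snakeoil.key at -rw-r-----, and the earlier openssl req output reports a 1024 bit RSA key. The script below is an added example, not part of the original notes: it checks a certificate/key pair for those two conditions and confirms that the certificate belongs to the key. The function names and the 2048-bit minimum are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the wiki page; function names are hypothetical.
# Usage: sudo sh audit_tls_pair.sh /etc/ssl/certs/server-localhost.crt \
#                                  /etc/ssl/private/server-localhost.key

# Succeeds only if the file grants nothing to "other" and is not group-writable.
# It reads the same 10-character mode string that `ls -l` prints.
key_mode_ok() {
    perms=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        -????-?---) return 0 ;;   # e.g. -rw------- or -rw-r-----
        *)          return 1 ;;   # e.g. -rw-r--r--, or file missing
    esac
}

# Prints the RSA modulus size in bits; prints nothing if the key cannot be read.
# "-passin pass:" stops openssl from prompting on a passphrase-protected key.
rsa_bits() {
    openssl rsa -in "$1" -noout -text -passin pass: 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeeds only if the certificate's public modulus equals the key's modulus.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 2
    k=$(openssl rsa -in "$2" -noout -modulus -passin pass: 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Runs all three checks, reports each failure, returns 0 only if all pass.
# The 2048-bit floor is this example's assumed minimum, not a value from the page.
audit_key_pair() {
    rc=0
    key_mode_ok "$2" || { echo "FAIL: $2 is open beyond owner/group-read"; rc=1; }
    bits=$(rsa_bits "$2")
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL: RSA key is ${bits:-unreadable} bits, want 2048 or more"; rc=1; }
    cert_matches_key "$1" "$2" ||
        { echo "FAIL: certificate and key moduli differ or are unreadable"; rc=1; }
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    audit_key_pair "$1" "$2" && echo "OK: $1 / $2"
fi
```

A key that fails the mode check can be tightened with `chmod 640` and `chgrp ssl-cert` to match the snakeoil key in the listing; a key that fails the size check has to be regenerated along with its certificate.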

Certificate Authorities and CertBot
