Day: July 10, 2016

Creating Self-Signed Certs on Apache 2.2

This page walks through the process of creating a secure self-signed certificate for Apache2. To get started, make sure that OpenSSL is installed. If it is not installed, refer to http://www.openssl.org for how to install the software.

===== Getting Started =====

First, generate a key by entering the following command:


openssl genrsa -des3 -out newca.key 4096

After a while it will prompt you to enter the following information:

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:


Create a certificate and sign it. This example certificate will last 365 days:
openssl req -new -key newca.key -out newca.csr
openssl x509 -req -days 365 -in newca.csr -signkey newca.key -out newca.crt

===== Getting around Apache prompt =====

If the cert is protected with a password, by default Apache will prompt for the password when it starts. This can be a problem, since you will need to enter the password each time Apache is restarted. We can fix this by having Apache call a program that gives the password to Apache. Create a script in /etc/apache2/ssl named password.sh, then add the following to the script:

^ /etc/apache2/ssl/password.sh ^
| #!/bin/bash |
| echo 'password'; |

Change the password to something better. For example: idon7kn0w or ugh1d0ntl1kepassw0rd5

In your Apache config files, find the SSLPassPhraseDialog directive and set it to exec:/etc/apache2/ssl/password.sh

^ /etc/apache2/modules.d/40_mod_ssl.conf ^
| SSLPassPhraseDialog exec:/etc/apache2/ssl/password.sh |

Now the script needs to be executable:

chmod a+x /etc/apache2/ssl/password.sh

If the SSLPassPhraseDialog does not work, then you will need to generate a key and cert that will not prompt for a password. To do that, enter the following commands and copy the key into your Apache SSL folder.


openssl rsa -in newca.key -out newca.key.insecure
mv newca.key newca.key.secure
mv newca.key.insecure newca.key
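
A check to run after either variant of this procedure, as an added example that is not part of the original page: it reports whether the key and the pass phrase script are accessible to group/other (with a typical umask of 022, the `chmod a+x` above leaves password.sh at mode 755) and whether the key still has a pass phrase. The function names and the owner-only policy are assumptions of this example, and the demo files are constructed and hold PEM headers only.

```bash
#!/bin/bash
# Added example (not from the original page): audit the key and pass phrase
# script this procedure leaves on disk. Function names are this example's own.

# True if the PEM key is pass phrase protected: the traditional format carries
# a Proc-Type header, PKCS#8 uses the ENCRYPTED PRIVATE KEY label.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# True if group and others have no permission bits (ls mode reads -rwx------).
is_owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Prints findings for a key file and the SSLPassPhraseDialog script;
# the return status is the number of findings (0 = clean).
audit_tls_files() {
    key=$1; script=$2; findings=0
    if ! is_owner_only "$key"; then
        echo "FINDING: $key is accessible to group/other"
        findings=$((findings + 1))
    fi
    if ! key_is_encrypted "$key"; then
        echo "NOTE: $key has no pass phrase; its file mode is the only protection"
    fi
    if [ -e "$script" ] && ! is_owner_only "$script"; then
        echo "FINDING: $script contains the pass phrase and is accessible to group/other"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Demo on constructed files (PEM headers only, no real key material).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    > "$demo_dir/newca.key"
printf '%s\n' '#!/bin/bash' "echo 'password'" > "$demo_dir/password.sh"
chmod 600 "$demo_dir/newca.key"
chmod 644 "$demo_dir/password.sh"
chmod a+x "$demo_dir/password.sh"      # the page's chmod: mode becomes 755
audit_tls_files "$demo_dir/newca.key" "$demo_dir/password.sh" || true
chmod 700 "$demo_dir/password.sh"      # owner-only: the finding goes away
audit_tls_files "$demo_dir/newca.key" "$demo_dir/password.sh" && echo "clean"
rm -rf "$demo_dir"
```
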

Source: http://www.tc.umn.edu/~brams006/selfsign.html
