Public SSL for Apache

Most commercial certificate authorities have good documentation on how to make a simple certificate request. Here are my own generic steps for RHEL 6 and beyond.

On RHEL systems I always store my private keys and certificates for SSL under /etc/pki/tls (this is something I started doing way back on RHEL 4, even before it became the standard for Red Hat systems in RHEL 6, taking my cue from the then-current Fedora releases).

For the most common use, a cert for an Apache web server, you’ll first need to create a key:

openssl genrsa -out private/www.example.com.key 2048

The resulting file will be PEM formatted text.

2048-bit keys are the norm nowadays; in fact, most commercial CAs require them as a minimum. CPUs are a lot more powerful than those old sub-1GHz SPARC or PowerPC chips.

Then make the request:

openssl req -new -key private/www.example.com.key -out www.example.com.csr

The openssl tool will prompt for a two-letter country code, full state/province name, city, organization, organizational unit (like a department) and “common name”. The last of these is usually the name of the site, like “www.example.com”, unless you’re doing a wildcard cert.

Be sure to read both the vendor’s and your server application’s instructions carefully if you choose to get the more expensive wildcard cert. Just putting an asterisk in place of the subdomain (“*.example.com”) may not work in all use cases.

The resulting .csr file will be PEM formatted text that can be copied and pasted into the CA’s web request interface or uploaded to them as a file.

Once you’ve got your signed server cert back from the CA you’ll usually need to download or create an intermediate cert file to go along with the server cert. Most commercial CAs require intermediate certs and will usually supply a “server chain” (two or more PEM formatted certificates stacked in the same file).

I always put my server and chain cert files under /etc/pki/tls/certs and reference them in my Apache /etc/httpd/conf.d/ssl.conf file. If my server will be hosting multiple SSL vhosts I’ll of course have different server keys and certs for each, referenced in the appropriate vhost block using the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile directives.
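The whole procedure above, as a non-interactive script with the sanity checks I'd want before handing a CSR to a CA. This is an added example, not the post's own commands: it assumes openssl is on PATH, the subject fields and hostname are constructed sample values, and it works in a scratch directory rather than /etc/pki/tls. It adds a subjectAltName to the request, which public CAs now require alongside the Common Name, and it checks that the key really belongs to the CSR (the same modulus comparison catches a cert/key mismatch in ssl.conf later).

```shell
#!/bin/sh
# Added example (not from the original post). Assumes `openssl` on PATH.
# BASEDIR stands in for /etc/pki/tls; hostname and subject are sample values.

# gen_key BASEDIR HOST : 2048-bit RSA key, PEM, created mode 0600 via umask
gen_key() {
    base="$1"; host="$2"
    mkdir -p "$base/private" "$base/certs"
    ( umask 077; openssl genrsa -out "$base/private/$host.key" 2048 2>/dev/null )
}

# gen_csr BASEDIR HOST [SUBJECT] : request for the key, with the same fields
# the interactive `openssl req` prompts for, plus a subjectAltName.  The
# req_extensions config route works on both old (1.0.x) and current OpenSSL.
gen_csr() {
    base="$1"; host="$2"
    subj="${3:-/C=US/ST=North Carolina/L=Raleigh/O=Example Inc/OU=IT/CN=$host}"
    cfg="$base/$host.req.cnf"
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = $host
[ v3_req ]
subjectAltName = DNS:$host
EOF
    openssl req -new -key "$base/private/$host.key" -subj "$subj" \
        -config "$cfg" -out "$base/$host.csr"
}

# verify_csr BASEDIR HOST : the CSR's self-signature must check out
verify_csr() {
    openssl req -noout -verify -in "$1/$2.csr" >/dev/null 2>&1
}

# key_matches_csr BASEDIR HOST : compare RSA modulus fingerprints; run the
# same comparison against the signed cert once it arrives from the CA
key_matches_csr() {
    base="$1"; host="$2"
    k=$(openssl rsa -noout -modulus -in "$base/private/$host.key" | openssl sha256)
    c=$(openssl req -noout -modulus -in "$base/$host.csr" | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_bits BASEDIR HOST : key length, to confirm the CA's 2048-bit minimum
key_bits() {
    openssl rsa -noout -text -in "$1/private/$2.key" \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# csr_cn BASEDIR HOST : the Common Name exactly as the CA will read it
csr_cn() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1/$2.csr" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_has_san BASEDIR HOST : confirm the SAN made it into the request
csr_has_san() {
    openssl req -noout -text -in "$1/$2.csr" | grep -q "DNS:$2"
}

# apache_ssl_snippet HOST : vhost fragment using the directives from the post.
# On httpd 2.4.8+ SSLCertificateChainFile is deprecated; there you append the
# chain to the file named by SSLCertificateFile instead.
apache_ssl_snippet() {
    cat <<EOF
<VirtualHost *:443>
    ServerName $1
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/$1.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/$1.key
    SSLCertificateChainFile /etc/pki/tls/certs/$1-chain.crt
</VirtualHost>
EOF
}

# Stand-alone run (`sh script.sh demo`): scratch dir, so nothing touches /etc.
if [ "${1:-}" = "demo" ]; then
    base=$(mktemp -d)
    gen_key "$base" www.example.com
    gen_csr "$base" www.example.com
    verify_csr "$base" www.example.com && key_matches_csr "$base" www.example.com \
        && echo "CSR OK: CN=$(csr_cn "$base" www.example.com), $(key_bits "$base" www.example.com)-bit key"
    apache_ssl_snippet www.example.com
fi
```

The subject string mirrors the prompts in the order openssl asks for them; pass your own as the third argument to gen_csr. The umask subshell matters: a key written with the default umask is world-readable until you remember to chmod it.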

This entry was posted in Security, System Administration.

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).