You are here

Create your own SSL certificate

Affects version(s): 
6.x and newer

This article is about SSL server certificates to be used for Virtual Host in production. The following paragraphs describe how to generate a keypair, create a certificate signing request or a self signed certificate and install the certificate issued by the authority. You should already have basic knowledge of SSL certificates.

You do not need an official server certificate to test your server with SSL enabled.  Airlock contains a (self-signed) test certificate which is available for each Virtual Host. The only disadvantage is that the browser will display a warning.

Preparation

You should have the following things ready before creating a key and requesting a certificate:

  • Fully qualified name of the Virtual Host: e.g. www.ergon.ch. This name will be contained in the certificate as Common Name (CN).
  • A good password for encrypting the private key

Create own openssl config file

Create a openssl config file openssl.conf with following command:

# ssh root@airlock
# cat > /opt/airlock/custom-settings/openssl.conf << EOF 
[ req ]
default_bits                    = 2048
distinguished_name              = req_distinguished_name

[ req_distinguished_name ]
countryName                     = Country Name (eg, CH)
countryName_default             = Country
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name
stateOrProvinceName_default     = State
localityName                    = Locality Name (eg, city)
0.organizationName              = Organization Name
0.organizationName_default      = Internet Widgits Pty Ltd
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name (eg, FQDN)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 64
EOF

Add the option -config /opt/airlock/custom-settings/openssl.conf to your openssl call if you like to use this customized openssl.conf, e.g.:

# openssl req -config /opt/airlock/custom-settings/openssl.conf -new -days 365 -key host.key -out host.csr

Create a pair of keys

Let's now start by generating a private and a public key. The public key can be derived from the private key, but the other way around is only possible with brute force. The private key is security sensitive and must be kept secret. That's why it is normally encrypted with a passphrase (a password long and secure enough for such a critical piece of information).

2048 bit should be a safe key length for the next few years. Choose your passphrase wisely as no one will be able to recover the private key without it (in this case it will be triple-des encrypted):

# ssh root@airlock
# cd /tmp
# openssl genrsa -des3 -out host.key 2048
Generating RSA private key, 2048 bit long modulus
.......+++
...................................................................+++
e is 65537 (0x10001)
Enter pass phrase: ********
Verifying - Enter pass phrase: ********

If you do not need a passphrase protected key, ommit the option -des3 in the command above.

You should now have a passphrase-protected private key in the file host.key. This key is PEM-encoded and can be copied as text from the command line to your pc.

Make a safe backup of the key file. If you did not encrypt it with a strong password, you have to protect the key with another mechanism.

Request a certificate

Before buying an official certificate from a Certificate Authority (CA) like Verisign, Entrust, Thawte etc., you have to create a file called Certificate Signing Request (CSR). Call the CSR command as shown below. It will ask you for the private key passphrase. After that, you must provide the details for your certificate (do not enter extra attributes at the prompt).

# openssl req -new -key host.key -out host.csr
Enter pass phrase for host.key: ********
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [Country]:CH
State or Province Name (full name) [Some-State]:ZH
Locality Name (eg, city) []:Zuerich
Organization Name (eg, company) [Internet Widgits Pty Ltd]:myCompany AG
Organizational Unit Name (eg, section) []:Internet
Common Name (FQDN) []:www.mycompany.ch
Email Address []:admin@mycompany.ch

Now send the contents of the file host.csr to the certificate authority. If you have any questions, ask your certificate authority first. If they want to know what type of web server you have, tell them it's an Apache with mod_ssl.

Are you afraid of wasting money by providing the wrong data? Why not test with a free 30 day fully functional trial certificate? These are offered for example by RapidSSL.

When creating a CSR, you must follow some conventions. The following characters must not be used: < > ~ ! @ # $ % ^ * / \ ( ) ? . , & (the '@' and '.' characters are allowed for the email address).

Self signed certificate

If you want to create your own self signed certificate, use following command:

# openssl req -new -key host.key -out host.cert -x509 -days 365
Enter pass phrase for host.key: ********
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [Country]:CH
State or Province Name (full name) [Some-State]:ZH
Locality Name (eg, city) []:Zuerich
Organization Name (eg, company) [Internet Widgits Pty Ltd]:myCompany AG
Organizational Unit Name (eg, section) []:Internet
Common Name (FQDN) []:www.mycompany.ch
Email Address []:admin@mycompany.ch

Install the issued server certificate and its certificate chain

As soon as you receive the certificate from your CA, you have all together to configure your Virtual Host on the admin interface of  Airlock. Open your Virtual Host and open the section SSL server certificate. If these settings still contain the test certificate, press the Clear SSL settings button. Now fill in the values as follows:

  • SSL server certificate:
    This is the certificate you received from your CA. It should start with
    -----BEGIN CERTIFICATE-----
    and end with
    -----END CERTIFICATE-----
    without any empty lines between or at the beginning/end.
  • Complete CA chain:
    You should have got this from your CA, too. The browser needs this chain in order to verify the server certificate. This field must contain the root CA certificate and all intermediate CA certificates (if any exist), all concatenated in any order. You will see a validation error if the server certificate and the certificate chain do not correspond with eachother.
  • Private Key:
    Paste the encrypted private key here and do not forget to fill in the passphrase field next to it.

Klick OK to save your settings.
After activating your configuration, it is recommended to test it with both Internet Explorer and Firefox. Click on your browsers lock symbol and check the data and verification messages.

Knowledge Base Categories: