ApacheSSL
To order a certificate from Thawte, please read this documentation.
# Create an RSA private key for your Apache server (will be Triple-DES encrypted and PEM formatted):
$ openssl genrsa -des3 -out server.key 2048
Please back up this server.key file, and keep a record of the pass-phrase you had to enter, at a secure location. You can see the details of this RSA private key via the command:
$ openssl rsa -noout -text -in server.key
And you could create a decrypted PEM version (not recommended) of this RSA private key via:
$ openssl rsa -in server.key -out server.key.unsecure
# Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):
$ openssl req -new -key server.key -out server.csr
Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", i.e. when you generate a CSR for a website which will later be accessed via https://www.foo.dom/, enter "www.foo.dom" here. You can see the details of this CSR via the command:
$ openssl req -noout -text -in server.csr
# You now have to send this Certificate Signing Request (CSR) to a Certifying Authority (CA) for signing. The result is then a real Certificate which can be used for Apache. Here you have two options: First, you can have the CSR signed by a commercial CA like Verisign or Thawte. Then you usually have to post the CSR into a web form, pay for the signing and await the signed Certificate, which you can then store in a server.crt file. For more information about commercial CAs, have a look at the Links section of this site.
Note about pass-phrases, taken from [[http://www.thawte.com]]:
# start note If you want to avoid pass phrases, and you are convinced that your machine is secure, then leave out the "-des3" portion of the key generation command. If you do this, PLEASE ensure that the keyfile can only be read by root. Your server starts up as root, so it can read the key, then it switches to whatever user you're running it as (usually nobody). We recommend that you do a "chown root.root file.key; chmod 400 file.key" to make sure you never lose it to an arbitrary user on your machine.
Note that losing a password will prevent you from accessing your key, and you will need to get a new one. Please remember this password! # end of thawte text
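Before sending the CSR to a CA, it is worth checking that it really belongs to the key you backed up, that the CommonName is the FQDN, and that the key file is not readable by other users. The script below is an added example, not part of the original page or of the Thawte text; the function names are hypothetical, and the demo key and CSR (unencrypted, CN www.foo.dom) are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.

# Constructed demo input: unencrypted key and non-interactive CSR in dir $1.
make_sample() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    chmod 400 "$1/server.key" &&
    openssl req -new -key "$1/server.key" -subj "/CN=www.foo.dom" \
        -out "$1/server.csr"
}

# True if the CSR ($2) was made from the private key ($1): same RSA modulus.
# With a pass-phrase protected key, openssl prompts for the pass-phrase.
csr_matches_key() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl req -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the CommonName in the CSR (copes with old and new subject formats).
csr_cn() {
    openssl req -noout -subject -in "$1" |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Print the RSA key size in bits recorded in the CSR.
csr_bits() {
    openssl req -noout -text -in "$1" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# True if group and others have no permissions on the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Demo: sh check_csr.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_sample "$d" || exit 1
    csr_matches_key "$d/server.key" "$d/server.csr" && echo "CSR matches key"
    echo "CN=$(csr_cn "$d/server.csr") bits=$(csr_bits "$d/server.csr")"
    key_is_private "$d/server.key" && echo "key file is private"
    rm -rf "$d"
fi
```
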
Links
- commercial CA
- free CA

