OS Used: Linux
First written: August 2007
Last updated: August 2007
The following commands can be run on any Linux host with openssl installed.
To create a new Private Key without a passphrase.
openssl genrsa -out www.uplinkzero.com.key 1024
To create a new password-protected Private Key (remember the passphrase; openssl will prompt for it).
openssl genrsa -des3 -out www.uplinkzero.com.key 1024
To remove the passphrase from the password protected Private Key
openssl rsa -in www.uplinkzero.com.key -out www.uplinkzero.com.key.nopass
To create a CSR using the private key created above
openssl req -new -key www.uplinkzero.com.key -out www.uplinkzero.com.csr
Now self-sign the CSR with the Key created above (this produces a certificate that browsers will not trust by default; see the note on Certificate Authorities below).
openssl x509 -req -days 365 -in www.uplinkzero.com.csr -signkey www.uplinkzero.com.key -out www.uplinkzero.com.crt
The CSR would normally go to a recognized Certificate Authority such as Verisign to be signed.
The signed certificate and the Key used to create it then both need to be installed on the web server. Normally this is the copy of the Key that isn't password protected: that is less secure, but it means you do not need to enter a password every time you restart Apache. The Key should never be sent in clear text (e.g. by email), or at least never together with the certificate it was used to generate, for obvious reasons.
We prefer no password in the Key because otherwise Apache will prompt for it on every restart. This is a problem if you have a script that restarts Apache when it dies, or if the box is rebooted for a kernel upgrade or whatever. It's up to you.
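As an added example that is not part of the original page: a script that runs the key, CSR and self-signed certificate steps above non-interactively in a scratch directory, then performs the checks worth doing before the pair is installed on a web server: that the certificate's public key really belongs to the private key, that the CN from the CSR made it into the certificate, and that the unencrypted key file is not readable by other users. It assumes openssl is on the PATH; the hostname and the 2048-bit key size are constructed values, not the page's.

```shell
#!/bin/sh
# Added example, not the original page's commands. Assumes openssl is installed.
set -eu

HOST="${1:-www.example.test}"   # constructed placeholder hostname
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Key -> CSR -> self-signed cert, as on the page, but non-interactive:
# -subj replaces the prompts "openssl req" would otherwise show.
make_selfsigned() {
    host="$1"; dir="$2"
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null   # 2048: constructed choice
    openssl req -new -key "$dir/$host.key" -subj "/CN=$host" \
        -out "$dir/$host.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$host.csr" -signkey "$dir/$host.key" \
        -out "$dir/$host.crt" 2>/dev/null
}

# Check 1: the RSA modulus of the private key and of the certificate must be
# identical, otherwise Apache will refuse the pair (or you installed the wrong key).
key_matches_cert() {
    k="$(openssl rsa -noout -modulus -in "$1")"
    c="$(openssl x509 -noout -modulus -in "$2")"
    [ "$k" = "$c" ] && echo match || echo mismatch
}

# Check 2: extract the CN so you can confirm it matches the site's hostname.
# Handles both "subject=CN = x" (newer openssl) and "subject=/CN=x" (older).
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# Check 3: an unencrypted key protects nothing if other local users can read it.
key_perms_ok() {
    perms="$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")"
    case "$perms" in
        600|400) echo ok ;;
        *)       echo "too-open:$perms" ;;
    esac
}

make_selfsigned "$HOST" "$WORK"
chmod 600 "$WORK/$HOST.key"
echo "key/cert: $(key_matches_cert "$WORK/$HOST.key" "$WORK/$HOST.crt")"
echo "CN:       $(cert_cn "$WORK/$HOST.crt")"
echo "key mode: $(key_perms_ok "$WORK/$HOST.key")"
```

Running it against a freshly generated pair prints "match", the hostname, and "ok"; run the same three functions against the files you are about to copy to the server to catch a swapped key or a world-readable key file before Apache does.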