SSL Howto
This is set up in three parts, each of which does about the same. The first is the only method to create a .pem file.
============================================== 1. This part is general - for configuration. See parts 2 and beyond for apache configuration ============================================== HowTo make your own Self-Signed SSL Certificate server setup: combined private key and cert ================================================================================== ### Create server key openssl genrsa -out ./server.key 1024 ### Create certificate request openssl req -new -key server.key -out server.csr FQDN: Common Name: foo.example.com or Wildcard: Common Name: *.example.con ### self sign key (increment the serial number "N" for each new cert) openssl x509 -req -days 365 -set_serial N -in server.csr -signkey server.key -out server.crt ### combine the key and cert in one PEM file for simplicity cat server.key server.crt > combined.pem ### view the details of the cert you just made openssl x509 -in combined.pem -noout -text ### copy cert into place cp combined.pem /etc/ssl/certs/ apache specific: -------------------------------------------------- edit httpd.conf and/or ssl.conf SSLCertificateFile /etc/ssl/certs/combined.pem bin/apachectl startssl ============================================ 2. Create a CA setup to sign client certs with ============================================ CA set up... for client certs not server cert... donno who ================================================================================== ### create CA key openssl genrsa -out ./ca.key 1024 ### create CA request openssl req -new -key ca.key -out ca.csr ### self-sign CA request - > CA cert openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.cert ### install it in apache cp ca.crt /usr/local/apache/conf/ssl.crt/ca.crt ### edit httpd.conf SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca.crt ======================================== 3. Setup clients for each site ======================================= client setup ================================================================================== ### create client key openssl genrsa -des3 -out client.key 1024 ### request client cert openssl req -new -key client.key -out client.csr ##Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", i.e. when you generate a CSR for a website which will be later accessed via https://www.foo.dom/ #### sign client cert with CA key! openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt ### covert to opera/sn/ie format (key and cert in 1 file) openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 ### test it openssl s_client -host example.com -port 443 -key client.key -cert client.crt ### print out cert contents openssl x509 -noout -text -in client.crt ### print out key contents (useless?) openssl rsa -noout -text -in client.key If you want to unencrypt the server key (which it needs to start up apache - and you don't want it with a password) then in /opt/httpd/conf/ssl.keys/ do mv server.key server.key.pass openssl rsa < server.key.pass > server.key another source: http://www.pseudonym.org/ssl/ssl_ca.html ================================== 4. Apache2.2 general configurarion options - put them in a seperate file (eg. httpd-ssl.conf) and include them in apache2.conf ================================= SSLMutex default SSLSessionCache none SSLRandomSeed startup builtin SSLRandomSeed connect builtin SSLSessionCache shmcb:/var/log/apache2/ssl_scache(512000) SSLSessionCacheTimeout 15 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNUL SSLCACertificateFile /etc/ssl/certs/tripsoapca.crt CustomLog /var/log/apache2/ssl.log "%t %{version}c %{cipher}c %{clientcert}c" ===================================== 5. Apache 2.2 client ===================================== Add the following lines to the virtualhost file in /etc/apache2/ssl-sites-enabled/client.conf SSLEngine On SSLCertificateFile /etc/ssl/certs/client.crt SSLCertificateKeyFile /etc/ssl/private/client.key ======================================== 6. Weird errors ======================================== Make sure every virtualhost configuration file has the lines NameVirtualHost 123.123.123.123:80 or NameVirtualHost 123.123.123.123:443 (if SSL) VirtualHost <123.123.123.123:80> or VirtualHost <123.123.123.123:443> in them These are no longer global server directives! You can of course also set up two default 'catch all' sites with NameVirtualHost *:80 or NameVirtualHost *:443 (if SSL) VirtualHost <*:80> or VirtualHost <*:443> in the configuration files. Otherwise you'll get errors like [error] Illegal attempt to re-initialise SSL for server (theoretically shouldn't happen!) or [error] VirtualHost 82.94.91.76:80 mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results