SSL Certificates

I’ve been meaning to do a how-to on generating your own SSL/TLS certificates using StartSSL ‘s free service.

These certificates are useful for a number of different things, most notably HTTPS on Apache or nginx. But they are also widely used with other software; for example, Bacula is much nicer when all of the various daemons are talking over SSL/TLS-encrypted connections.

Step 1 – get an account at StartSSL.com

It's fairly self-explanatory how to get your free account and validate domains with StartSSL. If anyone is struggling with it, make a comment below and I'll do a how-to for that.

Step 2 – generate an RSA private key (encrypted with a passphrase) for the request.

In this example the key is 2048 bits, and the key file is encrypted with Triple DES (the -des3 option, 168-bit key) under a passphrase. The OpenSSL default key size at the time of writing was only 512 bits; StartSSL won't accept anything under 2048 bits, and 2048 is the smallest you should use anyway. Triple DES is a legacy cipher that OpenSSL keeps for compatibility; on a current OpenSSL, -aes256 is the better choice for protecting the key file, and the rest of the steps are unchanged.

# openssl genrsa -des3 -out bruce.example.com.key 2048

Generating RSA private key, 2048 bit long modulus
..................................................................+++
......+++
e is 65537 (0x10001)
Enter pass phrase for bruce.example.com.key:
Verifying - Enter pass phrase for bruce.example.com.key:

Enter a passphrase (twice, to confirm it) to conclude this step. You should now have a file in your current working directory: bruce.example.com.key. This encrypted copy is the one to keep and back up, because the next step makes a version with no passphrase at all.

Step 3 – make a passphrase-less version of your key

This is going to be important in most cases: the last thing you want when Apache starts (or restarts unattended) is to log in to the console and enter a passphrase, so it's handy to have a passwordless key. The trade-off is that anyone who can read the file has your private key, so keep it readable by its owner only (chmod 600, owned by root or the account that starts the server) and never copy it anywhere you wouldn't put a password.

 openssl rsa -in bruce.example.com.key -out bruce.example.com.nopass.key 

You will be asked for the passphrase you previously entered, after which you will have a second file in your cwd : bruce.example.com.nopass.key

Step 4 – generate a certificate signing request

Because we want a certificate signed by StartSSL, we need to generate a certificate signing request (CSR). The CSR carries your public key and the name the certificate should cover, and it is signed with your private key to prove that you hold it.

Note: You're going to need to answer some questions here; make sure you change my responses for yours. The one that matters is the Common Name, which must be your machine's FQDN (bruce.example.com below). The Organization Name is just your company or site name. Either key file works for this step, since both contain the same key pair; using the passphrase-less one simply saves typing the passphrase.

openssl req -new -sha256 -key bruce.example.com.nopass.key -out bruce.example.com.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:London
Locality Name (eg, city) [Default City]:London
Organization Name (eg, company) [Default Company Ltd]:Xreflow
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:bruce.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

You should now have bruce.example.com.csr sitting in your cwd.
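Steps 2 to 4 above, as one non-interactive script. This is an added example and not code from the original post: it assumes the same FQDN (bruce.example.com) and subject fields as the walkthrough, a scratch output directory, and a passphrase passed on the command line. It goes slightly beyond the walkthrough in two ways: it also puts the FQDN in a subjectAltName extension, which is what browsers actually match the hostname against, and it checks the finished CSR (self-signature and public key) before you paste it into a CA's web form.

```shell
#!/bin/sh
# Added example (not from the original post): steps 2-4 without the prompts.
# Assumed names: FQDN bruce.example.com, output dir ./out, passphrase on the command line.
set -eu

# make_key_and_csr FQDN OUTDIR PASSPHRASE
# Writes OUTDIR/FQDN.key (passphrase-encrypted), OUTDIR/FQDN.nopass.key (mode 0600)
# and OUTDIR/FQDN.csr, with FQDN in both the CN and the subjectAltName.
make_key_and_csr() {
    fqdn="$1"; out="$2"; pass="$3"
    mkdir -p "$out"
    umask 077   # every file created from here on is readable by the owner only

    # Step 2: 2048-bit RSA key, PEM file encrypted with triple DES under the passphrase
    openssl genrsa -des3 -passout "pass:$pass" -out "$out/$fqdn.key" 2048 2>/dev/null

    # Step 3: passphrase-less copy for the web server, protected by permissions instead
    openssl rsa -in "$out/$fqdn.key" -passin "pass:$pass" \
        -out "$out/$fqdn.nopass.key" 2>/dev/null
    chmod 600 "$out/$fqdn.nopass.key"

    # Step 4: CSR from a config file so nothing is typed interactively;
    # prompt = no makes the [ dn ] section the literal subject.
    cat > "$out/$fqdn.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = san
[ dn ]
C = GB
ST = London
L = London
O = Xreflow
CN = $fqdn
[ san ]
subjectAltName = DNS:$fqdn
EOF
    openssl req -new -sha256 -key "$out/$fqdn.nopass.key" \
        -config "$out/$fqdn.cnf" -out "$out/$fqdn.csr"
}

# csr_matches_key CSR KEY -> exit 0 if the CSR carries the public half of KEY
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey)
    b=$(openssl pkey -in "$2" -pubout)
    [ "$a" = "$b" ]
}

# csr_is_sane CSR FQDN -> exit 0 if the CSR's self-signature verifies
# and its subjectAltName names FQDN
csr_is_sane() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 &&
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# Usage: sh make_csr.sh bruce.example.com ./out 'my passphrase'
if [ $# -eq 3 ]; then
    make_key_and_csr "$1" "$2" "$3"
    if csr_matches_key "$2/$1.csr" "$2/$1.nopass.key" && csr_is_sane "$2/$1.csr" "$1"; then
        echo "CSR ready to submit: $2/$1.csr"
    else
        echo "CSR check failed" >&2
        exit 1
    fi
fi
```

Submit only the .csr file; both .key files stay on the machine. The check at the end catches the two mistakes that most often produce a certificate the server then refuses to load: a CSR built from a different key than the one installed, and a CSR that names the wrong host.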

Step 5 – get your certificate!

Sign in to your StartSSL control panel and authenticate; you should be here:

(screenshot: StartSSL Control Panel)

Select "Certificates Wizard", then in the dropdown select "Web Server SSL/TLS Certificate"; you should be here:

(screenshot: StartSSL Control Panel)

Click "Continue" to go to the next step in the wizard, where you will be offered the choice to "Skip This Step". Skip it: you've already generated your own key and CSR, and the private key should never leave your machine anyway. Now you should be at the following screen:

Copy the entire contents of bruce.example.com.csr; it looks something like this:

-----BEGIN CERTIFICATE REQUEST-----
MIICojCCAYoCAQAwXTELMAkGA1UEBhMCR0IxDzANBgNVBAgMBkxvbmRvbjEPMA0G
A1UEBwwGTG9uZG9uMRAwDgYDVQQKDAdYcmVmbG93MRowGAYDVQQDDBFicnVjZS5l
eGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+qWXgv
nmoWOt5ASEsOF1s61jAyGKMIIiAt9NUMWv53rEEy5ZZ8FVjOVm3o1ooRemMF35j2
Hv8hb2ay9YrJsA6jKJcdajiGrQXWa7FCY24UmfpXqUiA3AmPOv9+t66yG9QIvuhU
InRrM9qLVPPH0bA3itkEJqp1bDQXX3uVRyU5SCutvBZLLrMT0nRIfbPFnPDwQ0b7

and so on, down to the END CERTIFICATE REQUEST line. Paste the whole thing, BEGIN and END lines included, into the text area and click "Continue"; a few seconds later you will be presented with your signed SSL certificate.

Open a new file, bruce.example.com.cert, in your favourite text editor and paste the certificate into it, BEGIN and END lines included. StartSSL signs with an intermediate CA rather than its root, so also save the intermediate certificate it provides; your web server has to send it along with your own certificate, or clients will be unable to build the chain.

Step 6 – You're done! Go use your newly created, signed SSL/TLS certificate. Before it goes into production, confirm that the certificate really matches the key you generated in Step 2 and that it chains up to a trusted root; a key/certificate mismatch is the most common reason a freshly installed certificate doesn't work. Note that StartCom's root certificates were removed from the major browser trust stores in 2016 and 2017, and StartSSL no longer issues certificates, so a certificate from it will not be trusted by current browsers; the OpenSSL steps above apply unchanged to whichever CA you use instead.
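The checks worth running on the issued certificate before (and periodically after) deploying it, as an added example that is not part of the original post. It assumes the file names from the walkthrough and, for the chain check, that the CA's intermediate and root certificates have been saved together as one PEM bundle (the name ca-bundle.pem below is an assumption); everything else is plain openssl subcommands.

```shell
#!/bin/sh
# Added example (not from the original post): post-issuance checks for a certificate.
set -eu

# cert_matches_key CERT KEY -> exit 0 if CERT was issued for the public half of KEY.
# Catches the classic failure: CSR submitted from one key, cert installed next to another.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_names CERT -> prints the subject and the subjectAltName entries, if any
cert_names() {
    openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' || true
}

# cert_expires_within CERT SECONDS -> exit 0 if CERT expires within SECONDS from now
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# cert_chains_to CERT CAFILE -> exit 0 if CERT validates against the certificates in CAFILE
# (for a real deployment CAFILE is the CA's intermediate plus root; a self-signed cert
# validates against a file containing itself, which is how the test below uses it)
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Usage: sh check_cert.sh bruce.example.com.cert bruce.example.com.nopass.key ca-bundle.pem
if [ $# -eq 3 ]; then
    cert_matches_key "$1" "$2" || { echo "certificate does not match key $2" >&2; exit 1; }
    cert_chains_to "$1" "$3"   || { echo "certificate does not chain to $3" >&2; exit 1; }
    if cert_expires_within "$1" $((30 * 24 * 3600)); then
        echo "WARNING: certificate expires within 30 days" >&2
    fi
    cert_names "$1"
fi
```

The same four checks are what the web server's own startup will implicitly do (key match) and what every client will do (chain, validity period, name), so running them yourself first turns an outage into a five-second fix.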