I’ve been meaning to do a how-to on generating your own SSL/TLS certificates using StartSSL ‘s free service.
These certificates are useful for a number of different things, most notably apache/nginx SSL security. But they are also widely used with other software, for example Bacula is much nicer when all of the various daemons are talking over SSL/TLS encrypted connections.
Step 1 – get an account at StartSSL.com
Its fairly self explanatory how to get you free account and validate domains with StartSSL..if anyone is struggling with it, make a comment below and I’ll do a how-to for that.
Step 2 – generate a rsa encrypted private key for the request.
In this example, we’re going to use the Triple DES cipher (168 bit key size) and our key is going to be 2048 bits in size. The default for OpenSSL is 512 bits but StartSSL won’t accept anything less than 2048 bits.
# openssl genrsa -des3 -out bruce.example.com.key 2048 Generating RSA private key, 2048 bit long modulus ..................................................................+++ ......+++ e is 65537 (0x10001) Enter pass phrase for bruce.example.com:
So enter a passphrase (because you need to) to conclude this step. You should now have a file in your current working directory : bruce.example.com.key
Step 3 – make a passphrase-less version of your key
This is going to be important in most cases, the last thing you want to do when apache starts..is login to the console and enter a passphrase..so its handy to have a passwordless key
openssl rsa -in bruce.example.com.key -out bruce.example.com.nopass.key
You will be asked for the passphrase you previously entered, after which you will have a second file in your cwd : bruce.example.com.nopass.key
Step 4 – generate a certificate signing request
Because we’re going to want a signed certificate (by StartSSL) then we’re going to need to generate a signing request.
Note: You’re going to need to answer some questions here, make sure you change my responses for yours. Also, the Organization Name must be your machine’s FQDN
openssl req -new -sha256 -key bruce.example.com.nopass.key -out bruce.example.com.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:GB State or Province Name (full name) :London Locality Name (eg, city) [Default City]:London Organization Name (eg, company) [Default Company Ltd]:Xreflow Organizational Unit Name (eg, section) : Common Name (eg, your name or your server's hostname) :bruce.example.com Email Address : Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name :
You should now have bruce.example.com.csr sat in your cwd.
Step 5 – get your certificate!
Sign in to your StartSSL control panel, and authenticate..you should be here
Select “Certificates Wizard” then in the dropdown select “Web Server SSL/TLS Certificate”, you should be here.
Click “Continue” and go to the next step in the wizard, where you will be given a choice to Skip This Step. You should skip that step because you’ve already generated a csr request. Now, you should be at the following screen..
Copy and paste the contents of your bruce.example.com.csr into the text area box, and click “Continue”..this information looks something like
—–BEGIN CERTIFICATE REQUEST—–
and so on…paste this into the text area, and click “Continue”, a few seconds later you will be presented with your signed SSL certificate.
Open a new file with your favourite text editor bruce.example.com.cert, and paste the copied content into that file.