Apache SSL Key and CSR Generation Instructions
ApacheSSL is a first-class, free,
well-supported web server. You can learn more about it at http://www.apache-ssl.org/.
It is based on the ubiquitous Apache server, and uses the
excellent SSLeay / OpenSSL libraries to add full-strength
crypto, anywhere in the world. SSLeay was originally developed
by Eric Young. The OpenSSL Group is now continuing that work,
hence the renaming of the library to OpenSSL.
Versions

In order that your ApacheSSL server work with our certificates you must have
compiled it against a recent version of OpenSSL. We recommend that you use the
latest version of both ApacheSSL and OpenSSL.

Key and CSR Generation

The utility "openssl" that you use to generate the key and CSR comes with
OpenSSL and is usually installed under /usr/local/ssl/bin. If you have
installed them elsewhere you will need to modify these instructions
appropriately.
The following sequence of commands will generate a 1024 bit key, encrypt it
using the triple-DES cipher, and create a CSR based upon it (they assume that
you have openssl in your path - if not then you should prefix the openssl
command with the path to the binary). You should use the domain name that you
are wishing to have certified as the core of the filenames. You should also
make sure you do NOT overwrite existing keys and CSRs:

Step 1. Go to your SSL directory:
    cd /usr/local/ssl/private

Step 2. Generate a private key:
    openssl genrsa -des3 1024 > www.apatv.net.key
Now PLEASE back up your www.apatv.net.key and make a note of the passphrase.
Losing your key will cost you money!

Step 3. Go to your certs directory:
    cd /usr/local/ssl/certs

Step 4. Generate a CSR from your key:
    openssl req -new -key ../private/www.apatv.net.key > www.apatv.net.csr

Step 5. Generate a self-signed certificate:
    openssl req -x509 -key ../private/www.apatv.net.key -in www.apatv.net.csr > www.apatv.net.crt
NOTE: When asked for your Common Name, enter the exact domain name of the web
server you want to secure (e.g. "www.foo.com" or "secure.foo.com"). The prompt
on some standard OpenSSL distributions asks for "YOUR name"; this is your
Common Name.
Passphrases

If you want to avoid passphrases, and you are convinced that your machine is
secure, then leave out the "-des3" portion of the key generation command. If
you do this, PLEASE ensure that the keyfile can only be read by root. Your
server starts up as root, so it can read the key, then it switches to whatever
user you're running it as (usually nobody). We recommend that you do a "chown
root.root file.key; chmod 400 file.key" to make sure you never lose it to an
arbitrary user on your machine.
Note that losing a password will
prevent you from accessing your key, and you will need to get
a new one. Please remember this password!
Submitting your CSR

The file www.virtualhost.com.key is your secret key, and must be installed as
per the instructions that come with ApacheSSL. The file
www.virtualhost.com.csr is your CSR, and the important bit looks something
like this:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
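Before a CSR leaves your machine it is worth reading back what it actually contains: the exact Common Name the CA will certify, the size of the key you generated, and the hash used to sign the request. The following is an added example, not code from this page or from the ApacheSSL project: a standard-library-only Python parser for a PEM PKCS#10 request, run here against the sample CSR this page uses as its illustration (embedded in the code). The OID table, the 2048-bit threshold and the check names are my assumptions.

```python
import base64, re  # SAMPLE_CSR is the page's own sample request (subject CN www.forward.co.za)
SAMPLE_CSR = """-----BEGIN CERTIFICATE REQUEST-----
MIIBPTCB6AIBADCBhDELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2Fw
ZTESMBAGA1UEBxMJQ2FwZSBUb3duMRQwEgYDVQQKEwtPcHBvcnR1bml0aTEYMBYG
A1UECxMPT25saW5lIFNlcnZpY2VzMRowGAYDVQQDExF3d3cuZm9yd2FyZC5jby56
YTBaMA0GCSqGSIb3DQEBAQUAA0kAMEYCQQDT5oxxeBWu5WLHD/G4BJ+PobiC9d7S
6pDvAjuyC+dPAnL0d91tXdm2j190D1kgDoSp5ZyGSgwJh2V7diuuPlHDAgEDoAAw
DQYJKoZIhvcNAQEEBQADQQBf8ZHIu4H8ik2vZQngXh8v+iGnAXD1AvUjuDPCWzFu
pReiq7UR8Z0wiJBeaqiuvTDnTFMz6oCq6htdH7/tvKhh
-----END CERTIFICATE REQUEST-----"""
OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU",
        "1.2.840.113549.1.1.4": "md5WithRSAEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def der_items(buf):
    """Yield (tag, contents) for each DER TLV in buf, handling short and long-form lengths."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                        # long form: low 7 bits give the number of length bytes
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        yield tag, buf[i:i + n]
        i += n
def decode_oid(b):                          # DER OID contents -> dotted string, or its name if known
    arcs, acc = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, acc = arcs + [acc], 0
    return OIDS.get(".".join(map(str, arcs)), ".".join(map(str, arcs)))

def parse_csr(pem):
    """Return the subject, RSA modulus size and signature algorithm of a PEM PKCS#10 CSR."""
    b64 = re.search(r"-----BEGIN CERTIFICATE REQUEST-----(.*?)-----END", pem, re.S).group(1)
    (_, body), = der_items(base64.b64decode(b64))           # CertificationRequest SEQUENCE
    (_, info), (_, sig_alg), _ = der_items(body)             # info, AlgorithmIdentifier, signature
    (_, _ver), (_, subject), (_, spki), *_ = der_items(info)
    attrs = [[v for _, v in der_items(a)] for _, rdn in der_items(subject) for _, a in der_items(rdn)]
    (_, _key_alg), (_, key_bits) = der_items(spki)
    (_, rsa_pub), = der_items(key_bits[1:])                  # skip the BIT STRING unused-bits byte
    (_, modulus), _ = der_items(rsa_pub)                     # RSAPublicKey = {modulus, exponent}
    return {"subject": [(decode_oid(o), v.decode()) for o, v in attrs],
            "key_bits": int.from_bytes(modulus, "big").bit_length(),
            "signature_algorithm": decode_oid(next(der_items(sig_alg))[1])}
def check_csr(pem, expected_cn, min_bits=2048):              # run before sending a CSR to the CA
    info = parse_csr(pem)
    cn = dict(info["subject"]).get("CN")
    checks = [(cn == expected_cn, f"CN is {cn!r}, expected {expected_cn!r}"),
              (info["key_bits"] >= min_bits, f"RSA key is only {info['key_bits']} bits"),
              (info["signature_algorithm"] != "md5WithRSAEncryption", "request is signed with MD5")]
    return [problem for ok, problem in checks if not ok]
```

On the page's sample request, check_csr reports a 512-bit key and an MD5-signed request, which is exactly what a CA (or your own review) would reject today.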
Installing the certificate

The file www.virtualhost.com.crt is your self-signed certificate. You use it
as a temporary certificate while you are waiting for a real certificate from
Thawte. You install it by updating your ApacheSSL config for that virtualhost
as follows:
SSLCertificateFile /usr/local/ssl/certs/www.virtualhost.com.crt
SSLCertificateKeyFile /usr/local/ssl/private/www.virtualhost.com.key
When you receive your certificate,
you will install it in place of your self-signed cert at
/usr/local/ssl/certs/www.virtualhost.com.crt
For your Thawte cert (or renewed cert) to take effect, you can also try to
restart the entire server and not just the daemon.
Note for Cobalt users: It is essential to
restart the entire server after installing your
certificate.
Setting up SSL

You configure your server using the httpd.conf file. Under your virtual host,
enable SSL on port 443, and make sure each virtual host has its own IP (SSL
does not support name based virtual hosts). You will have to change the links
to your secure site to https.

FAQs

Please go to our support site for the most frequently asked questions about
ApacheSSL.