How to Generate SSL Key, CSR and Self Signed Certificate for Apache


If you want to run your website on HTTPS instead of HTTP, you need to get an SSL certificate from a valid organization like VeriSign or Thawte. You can also generate a self-signed SSL certificate for testing purposes.

In this article we will learn how to generate a private key file (server.key), a certificate signing request file (server.csr) and a webserver certificate file (server.crt) that can be used on an Apache server with mod_ssl.

Key, CSR and CRT File Naming Convention

I will use the following naming convention in this article.

1. Generate Private Key on the Server Running Apache + mod_ssl

First, generate a private key on the Linux server that runs the Apache webserver, using the openssl command as shown below.

# openssl genrsa -des3 -out www.alexsite.com.key 1024
Generating RSA private key, 1024 bit long modulus
.............................................++++++
.............................................++++++
e is 73547 (0x01001)
Enter pass phrase for www.alexsite.com.key:
Verifying - Enter pass phrase for www.alexsite.com.key:

# ls -ltr www.alexsite.*
-rw-r--r-- 1 root root   963 Jun 13 20:26 www.alexsite.com.key

The generated private key looks like the following.

# cat www.alexsite.com.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,485B3C6371C9916E
ymehJu/RowzrclMcixAyxdbfzQphfUAk9oK9kK2
jadfoiyqthakLKNqw9z1MoaqkPyqeHevUm26no
AJKIETHKJADFS2BGb0n61/Ksk8isp7evLM4+QY
KAQETKjdiahteksMJOjXLq+vf5Ra299fZPON7yr
-----END RSA PRIVATE KEY-----

2. Generate a Certificate Signing Request (CSR)

Using the key generated above, generate a certificate signing request (CSR) file using openssl as shown below.

# openssl req -new -key www.alexsite.com.key -out www.alexsite.com.csr
Enter pass phrase for www.alexsite.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:UP
Locality Name (eg, city) [Newbury]:Noida
Organization Name (eg, company) [My Company Ltd]:Alex Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []: alexsite
Email Address []:alexhunt86@live.com
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

# ls -ltr www.alexsite.*
-rw-r--r-- 1 root root   963 Jun 13 20:26 www.alexsite.com.key
-rw-r--r-- 1 root root   664 Jun 13 20:35 www.alexsite.com.csr

3. Generate a Self-Signed SSL Certificate

For testing purposes, you can generate a self-signed SSL certificate that is valid for 1 year using the openssl command as shown below.

# openssl x509 -req -days 365 -in www.alexsite.com.csr -signkey www.alexsite.com.key -out www.alexsite.com.crt
Signature ok
subject=/C=IN/ST=UP/L=Noida/O=alexsite/OU=IT/CN=www.alexsite.com
Getting Private key
Enter pass phrase for www.alexsite.com.key:

# ls -l www.alexsite*
-rw-r--r-- 1 root root   963 Jun 13 20:26 www.alexsite.com.key
-rw-r--r-- 1 root root   664 Jun 13 20:35 www.alexsite.com.csr
-rw-r--r-- 1 root root   879 Jun 13 20:43 www.alexsite.com.crt

# cat www.alexsite.com.crt
-----BEGIN CERTIFICATE-----
haidfshoaihsdfAKDJFAISHTEIHkjasdjadf9w0BAQUFADCB
kjadfijadfhWQIOUQERUNcMNasdkjfakljasdBgEFBQcDAQ
kjdghkjhfortoieriqqeurNZXCVMNCMN.MCNaGF3dGUuY29
-----END CERTIFICATE-----
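The three steps above can also be run without prompts and then checked: that the key, CSR and certificate carry the same public key, that the key is 2048 bits (1024-bit RSA, as used above, is below the minimum that publicly trusted CAs accept), and that the certificate has a subjectAltName for the hostname. This is an added example, not the author's code; the hostname www.example.test, the subject fields and the function names are assumptions.

```shell
#!/bin/sh
# Added example: the article's three steps run non-interactively, then checked.
# HOST and SUBJ are constructed sample values, not the article's site.
HOST="www.example.test"
SUBJ="/C=IN/ST=UP/L=Noida/O=Example Ltd/OU=IT/CN=$HOST"

make_cert() {  # $1 = output directory
    # umask 077 creates the key 0600 (the listings above show it as 0644).
    # No passphrase here so the run needs no prompt; add -des3 as in step 1.
    ( umask 077; openssl genrsa -out "$1/$HOST.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$1/$HOST.key" -subj "$SUBJ" -out "$1/$HOST.csr" || return 1
    # x509 -req adds no extensions unless given a file, so supply the SAN here.
    printf 'subjectAltName=DNS:%s\n' "$HOST" > "$1/san.ext"
    openssl x509 -req -days 365 -in "$1/$HOST.csr" -signkey "$1/$HOST.key" \
        -extfile "$1/san.ext" -out "$1/$HOST.crt" 2>/dev/null
}

pub_key() {  # $1 = key|csr|crt, $2 = file; prints the PEM public key
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null
}

keys_match() {  # $1 = directory; 0 if key, CSR and cert share one public key
    k=$(pub_key key "$1/$HOST.key")
    [ -n "$k" ] && [ "$k" = "$(pub_key csr "$1/$HOST.csr")" ] \
                && [ "$k" = "$(pub_key crt "$1/$HOST.crt")" ]
}

key_bits() {  # $1 = certificate; prints the RSA modulus size in bits
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

has_san() {  # $1 = certificate, $2 = hostname
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

dir=$(mktemp -d)
if make_cert "$dir" && keys_match "$dir" && has_san "$dir/$HOST.crt" "$HOST"; then
    echo "ok: matching key/CSR/cert, $(key_bits "$dir/$HOST.crt")-bit RSA, SAN present"
fi
rm -rf "$dir"
```

A failing keys_match means the certificate was issued for a different key than the one on disk, so that key and certificate cannot be used together.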

4. Get a Valid Trial SSL Certificate (Optional)

Instead of signing it yourself, you can also get a valid trial SSL certificate from Thawte. That is, before spending money on purchasing a certificate, you can get a valid, fully functional 21-day trial SSL certificate from Thawte.

This step is optional and not really required. For testing purposes, you can always use the self-signed certificate that was generated in the step above.

Go to the Thawte trial certificate request page and do the following:

  • Select “SSL Web Server Certificate (All servers)” under “select your trial certificate”.
  • Do not check the PKCS #7 check-box under “configure certificate”.
  • Copy and paste the contents of the *.csr file that you generated above into the text box under “certificate signing request (CSR)”.
  • Click Next at the bottom, which will give you a 21-day free trial certificate.

About Alex Hunt

Hi All I am Manish Kumar Jha aka Alex Hunt. I am currently working in VMware Software India Pvt Ltd as Operations System Engineer (vCloud Air Operations). I have around 5 Years of IT experience and have exposure on VMware vSphere, vCloud Director, RHEL and modern data center technologies like Cisco UCS and Cisco Nexus 1000v and NSX.