Grrrrrr, some of our SSL certificates expired on a Linux server today. And, like every time I have to renew an SSL certificate on a Linux machine, there was a bit of trial and error as I tried to remember how I did it the last time.
So here’s a refresher for me and notes for anyone doing this for the first time.
SSL uses two keys for encryption and decryption. You create the private key on your Linux server and use it to create a certificate signing request (CSR). You then hand the CSR to a 3rd party certificate authority, which uses it to issue your certificate (the file that carries your public key).
The math involved is pretty heavy, but this guy explains it really well using a tiny prime number so you can follow along (hopefully).
First, generate your private key on the server using
openssl genrsa -out <sitename>.key 2048
Replace <sitename> with the name of your site; this will help you tell different keys apart. The 2048 at the end is the key size in bits. Don't go smaller than 2048.
Next, we use the private key to create the certificate signing request (CSR):
openssl req -new -key <sitename>.key -out <sitename>.csr
openssl will ask you some questions about the CSR. Important notes:
The country code is ‘GB’ for the United Kingdom, not ‘UK’ !!!!
The ‘Common Name’ is the fully qualified domain name of the site you are securing (e.g. www.sporticia.com), not a full URL.
Remember the password you use when you create the CSR; you will need it to install the certificate you create from the CSR.
BACKUP YOUR .key and .crt files! If you lose them, you will have to start all over again.
You can now take your .csr file along to a 3rd party certificate authority (Thawte, Go Daddy, VeriSign etc. etc.) and use it to obtain your certificate (the .crt file). The private key never leaves your server.
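Here is the whole key-and-CSR step as one script, added as an example and not taken from the original post. It runs the two openssl commands above non-interactively (the subject fields are passed with -subj instead of being typed at the prompts) and then does the sanity checks I always wish I had done before emailing a CSR to a CA: the key really is 2048 bits, the Common Name is what I meant, the CSR's self-signature verifies, and the CSR was actually produced from this key and not from an older one lying around in the same directory. It assumes the openssl command-line tool is installed; the hostname www.example.test and the subject fields are made-up placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate a 2048-bit RSA key and a
# CSR for a site without prompts, then sanity-check both before sending the CSR
# to a certificate authority. Assumes the openssl CLI is installed; the subject
# fields below are constructed placeholders, so change them for a real site.
set -eu

# Create <dir>/<site>.key and <dir>/<site>.csr for hostname <site>.
make_key_and_csr() {
    site="$1"
    dir="$2"
    mkdir -p "$dir"
    # 2048-bit RSA private key, readable only by its owner: it never leaves the server.
    openssl genrsa -out "$dir/$site.key" 2048 2>/dev/null
    chmod 600 "$dir/$site.key"
    # Country is the two-letter ISO code (GB, not UK); CN is the hostname, not a URL.
    openssl req -new -key "$dir/$site.key" -out "$dir/$site.csr" \
        -subj "/C=GB/ST=London/L=London/O=Example Ltd/CN=$site" 2>/dev/null
}

# Print the size in bits of the RSA private key in file $1.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Print the Common Name recorded in CSR file $1.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Succeed only if CSR $2 verifies and its public key belongs to private key $1.
# Catches the classic mistake of sending a CSR made from last year's key.
csr_matches_key() {
    openssl req -in "$2" -noout -verify >/dev/null 2>&1 || return 1
    key_mod=$(openssl rsa -in "$1" -noout -modulus)
    csr_mod=$(openssl req -in "$2" -noout -modulus)
    [ "$key_mod" = "$csr_mod" ]
}

# Usage: sh mkcsr.sh www.example.test ./certs   (constructed example hostname)
if [ $# -eq 2 ]; then
    make_key_and_csr "$1" "$2"
    echo "key bits: $(key_bits "$2/$1.key")"
    echo "CSR CN:   $(csr_cn "$2/$1.csr")"
    csr_matches_key "$2/$1.key" "$2/$1.csr" && echo "CSR verifies and matches the key"
fi
```

The modulus comparison is the check worth keeping around: the same trick with openssl x509 -noout -modulus on the .crt the CA sends back tells you whether the certificate you are about to install belongs to the key on the server, before Apache refuses to start.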
The next post will explain how to use the key and certificate with Apache to secure the site.
