Generate SSL Key and Certificate

SSL’s primary function on the Internet is to facilitate encryption and trust that allows a web browser to validate the authenticity of a web site. However, SSL works the other way around too – client SSL certificates can be used to authenticate a client to the web server. Think SSH public/private key pairs, if that is familiar to you. In this blog post I will outline the steps to create a certificate authority certificate, sign a server certificate and install it in Apache, and create a client cert in a format used by web browsers.

Installing an operating system and Apache is outside the scope of this blog post, and I assume you have a functioning Apache install before we get started. I am using an Ubuntu 12.04.4 system in this blog post.

Generate a certificate authority (CA) cert

The first step is to generate a CA certificate. This CA certificate does not need to be generated on your web server – it can sit on whatever machine you will use to generate SSL certificates. Once created, the CA cert will act as the trusted authority for both your server and client certs. It is the equivalent of a Verisign or Comodo in the real world of SSL; however, you wouldn’t want to use your CA cert for a major public website, as its trust isn’t going to be built into browsers everywhere.

Generate your CA certificate using this command:

Then keep them secret – keep them safe. If someone were to get a hold of these files they would be able to generate server and client certs that would be trusted by our web server as it will be configured below.

Generate your Apache server SSL key and certificate

Now that we have our CA cert, we can generate the SSL certificate that will be used by Apache.

  1. Generate a server private key.
  2. Use the server private key to generate a certificate generation request.
  3. Use the certificate generation request and the CA cert to generate the server cert.
  4. Clean up – now that the cert has been created, we no longer need the request.

Install the server certificate in Apache

My server is running Ubuntu 12.04.4 so all paths and commands referenced here are for that operating system.

  1. Copy the CA cert to a permanent place. We’ll need to specify our CA cert in Apache since it is a self generated CA and not one that is included in operating systems everywhere.
  2. Copy the server cert and private key to a permanent place.
  3. Activate the SSL module in Apache.
  4. Activate the SSL site in Apache and disable the HTTP site.
  5. Edit /etc/apache2/sites-enabled/000-default-ssl (the config file for the SSL enabled site) and add:
  6. Apply the config in Apache.

Right now if you visit your https site, you will get an SSL error similar to “SSL peer was unable to negotiate an acceptable set of security parameters.” That is good – it means your site won’t accept a connection unless your browser is using a trusted client cert. We’ll generate one now.
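A check for the mod_ssl directives that produce the behaviour described above, as an added example (it is not the original post's configuration, which did not survive on this page). The certificate paths in the sample vhost are constructed, and the check looks only for uncommented directives anywhere in the file, not at which scope they apply to.

```shell
#!/bin/sh
# Added example: audit a vhost file for the mod_ssl directives that enforce
# client-certificate authentication. Paths in the sample are constructed.
set -eu

# has_directive FILE REGEX: true if an uncommented line matches (case-insensitive).
has_directive() {
  grep -Eiq "^[[:space:]]*$2" "$1"
}

# audit_vhost FILE: print one line per finding; return 1 if there is any.
audit_vhost() {
  rc=0
  while IFS='|' read -r label pattern; do
    has_directive "$1" "$pattern" || { echo "missing or weak: $label"; rc=1; }
  done <<'EOF'
SSLEngine on|SSLEngine[[:space:]]+on[[:space:]]*$
SSLCertificateFile|SSLCertificateFile[[:space:]]+[^[:space:]]
SSLCertificateKeyFile|SSLCertificateKeyFile[[:space:]]+[^[:space:]]
SSLCACertificateFile|SSLCACertificateFile[[:space:]]+[^[:space:]]
SSLVerifyClient require|SSLVerifyClient[[:space:]]+require[[:space:]]*$
EOF
  return $rc
}

# sample_vhost MODE: constructed vhost with SSLVerifyClient set to MODE.
sample_vhost() {
  cat <<EOF
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /etc/ssl/certs/ca.crt
    # SSLVerifyClient require   (commented out: must not count)
    SSLVerifyClient $1
    SSLVerifyDepth 1
</VirtualHost>
EOF
}

# Demo: "optional" lets clients connect without a certificate, so it is flagged.
demo=$(mktemp)
sample_vhost optional > "$demo"
audit_vhost "$demo" || echo "vhost does not enforce client certificates"
rm -f "$demo"
```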

Generate a client SSL certificate

  1. Generate a private key for the SSL client.
  2. Use the client’s private key to generate a cert request.
  3. Issue the client certificate using the cert request and the CA cert/key.
  4. Convert the client certificate and private key to pkcs#12 format for use by browsers.
  5. Clean up – remove the client private key, client cert and client request files as the pkcs12 has everything needed.

Looks like a pretty similar process to generating a server certificate, huh?
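The three procedures above (CA cert, server cert, client cert and PKCS#12 bundle) as one OpenSSL script. This is an added example, not the original post's commands; the subjects, file names, lifetimes, passphrase variable and the `issue`/`build_pki` function names are assumptions.

```shell
#!/bin/sh
# Added example: private CA -> server cert -> client cert -> PKCS#12 bundle.
# Subjects, file names, lifetimes and the passphrase are constructed placeholders.
set -eu
umask 077                                  # keys and the .p12 are owner-only
: "${P12_PASS:=constructed-passphrase}"; export P12_PASS

# issue NAME CN EXTENSIONS: new key and CSR, signed by ca.crt/ca.key.
issue() {
  printf '%s\n' "$3" > "$1.ext"
  openssl genrsa -out "$1.key" 2048
  openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -extfile "$1.ext" -out "$1.crt"
  rm -f "$1.csr" "$1.ext"                  # the request is no longer needed
}

build_pki() {
  mkdir -p "$1"
  (
    cd "$1"
    # CA key and self-signed CA certificate: the trust anchor, keep ca.key offline.
    openssl req -x509 -newkey rsa:4096 -sha256 -days 1825 -nodes \
      -subj "/CN=Example Private CA" -keyout ca.key -out ca.crt
    # Server certificate; browsers match the host name against subjectAltName.
    issue server www.example.test "subjectAltName=DNS:www.example.test
extendedKeyUsage=serverAuth"
    # Client certificate, restricted to TLS client authentication.
    issue client alice "extendedKeyUsage=clientAuth"
    # Both leaves must chain to the CA and carry the right purpose.
    openssl verify -CAfile ca.crt -purpose sslserver server.crt
    openssl verify -CAfile ca.crt -purpose sslclient client.crt
    # Bundle client key + cert + CA cert for browser import, then clean up.
    openssl pkcs12 -export -inkey client.key -in client.crt -certfile ca.crt \
      -name alice -passout env:P12_PASS -out client.p12
    rm -f client.key client.crt
  )
}

# Usage: sh make-pki.sh ./pki-out
if [ "$#" -gt 0 ]; then build_pki "$1"; fi
```

The passphrase is read from the environment (`env:P12_PASS`) so it does not appear in the process list; set it to a real value before running.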

Lastly, import the .p12 file into your browser. On Windows you can double click the file to import into the operating system’s keystore that will be used by IE and Chrome. For Firefox, open the Options -> Advanced -> Certificates -> View Certificates -> Your Certificates and import the certificate.

Now, visit your website with the browser where you imported the client certificate. You’ll likely be prompted for which client certificate to use – select it. Then you’ll be authenticated and allowed in!

Table of Contents

  • Overview
  • Contact Information
  • Private Key Options
  • Certificate information
  • Shared Secrets
  • Create

Generate an SSL Certificate and Signing Request

Valid for versions 82 through the latest version

Last modified: October 7, 2019

Overview

This feature allows you to simultaneously generate both a self-signed SSL certificate and a certificate signing request (CSR) for a domain. You can also use this interface to generate private keys, which are essential for self-signed certificates and purchased certificates. To purchase a certificate, submit the CSR to your chosen certificate authority (CA). They will provide you with a certificate, typically in a .zip file via email.

For more information, read our Purchase and Install an SSL Certificate documentation.

Contact Information

To receive the SSL certificate, private key, and CSR in an email, enter an email address in the Email Address text box.

Select the “When complete, email me the certificate, key, and CSR.” checkbox to receive a copy of the request that this interface generates.

Do not select this checkbox if your email service provider does not support secure mail via SSL/TLS.

Private Key Options

Select the desired key size from the Key Size menu. We recommend that you choose 2,048 bits.

Certificate information

To generate an SSL certificate and CSR, perform the following steps:

  1. In the Domains text box, enter the domain name of the website that the certificate will secure.
    • You can enter a wildcard-formatted domain name to install the same certificate on any number of subdomains if they share an IP address. For example, you can use a wildcard certificate for *.example.com to securely connect to the mail.example.com and www.example.com domains.
    • You can also enter multiple domains, with one domain per line.
    • For more information about how to share SSL certificates, read our Manage SSL Hosts documentation.
  2. In the City text box, enter the complete name of the city in which your servers are located.
  3. In the State text box, enter the complete name of the state in which your servers are located.
  4. In the Country text box, select the country of origin for the certificate.
  5. In the Company Name text box, enter your business’s complete name.
    Some certificate authorities may not accept special characters in the Company Name and Company Division text boxes. If your company name includes symbols other than a period or a comma, ask your CA to confirm whether you can use these characters.
  6. In the Company Division section, enter the name of the department or group within the company. This information is optional.
  7. In the Email text box, enter a secure contact email address that your CA can use to verify domain ownership.

Shared Secrets

Enter a passphrase in the Passphrase text box if your certificate authority requires one for verification purposes.

Create

After you enter the correct information, click Create. WHM will display the CSR with its SSL certificate and private key.

  • Copy and paste these items into the correct directories.
  • If you provided an email address, the system also sends the information to that email address.
  • You can view the keys, certificates, and CSRs that you create in WHM’s SSL Storage Manager interface (WHM >> Home >> SSL/TLS >> SSL Storage Manager).

The system saves this information in the following directories on your servers:
  • CSR — /var/cpanel/ssl/system/csrs
  • SSL certificates — /var/cpanel/ssl/system/certs
  • Private keys — /var/cpanel/ssl/system/keys

If you purchased an SSL certificate, provide the CSR to the company from which you purchased the SSL certificate.

If you used a self-signed certificate, navigate to the Install an SSL Certificate on a Domain interface (WHM >> Home >> SSL/TLS >> Install an SSL Certificate on a Domain) to install the certificate.
