HTTPS

Enable encrypted HTTP traffic with our Apache server

Generate a passphrase-less key and a certificate signing request (CSR) in one go

If you already have a key, and only want a CSR for that key, see here

openssl req -utf8 -out foo.csr -newkey rsa:2048 -nodes -keyout foo.key

Get your key signed

Send the .csr file to your signing institution. They will return a certificate (certXXX.pem) and a chain (chainXXX.pem).

If you want to make sure the certificate you got from your signing institution matches the key you have, compare the output from

openssl rsa -noout -modulus -in foo.key | openssl md5
openssl x509 -noout -modulus -in cert-foo.pem | openssl md5

I had once accidentally overwritten my private key, so they did not match. I had to start over again, generating a new key and CSR, and get it signed. The error message from Apache was

[error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
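
The modulus comparison above applies to RSA keys only. As an added example (not from the original page), the script below compares SHA-256 digests of the public keys instead, which also works for EC keys, and reports an unreadable file separately from a mismatch. The function names and the demo file names created in a temporary directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify that a private key and a certificate belong together
# by comparing SHA-256 digests of their public keys (RSA and EC alike).

# Print the SHA-256 digest of a PEM public key read from stdin.
pub_digest() {
    openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_cert KEY CERT
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
key_matches_cert() {
    # -passin pass: makes an encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    # Two empty inputs would hash identically, so reject them explicitly.
    [ -n "$key_pub" ] && [ -n "$cert_pub" ] || return 2
    [ "$(printf '%s\n' "$key_pub" | pub_digest)" = \
      "$(printf '%s\n' "$cert_pub" | pub_digest)" ]
}

# Constructed demo: a self-signed certificate for foo.key, plus an unrelated
# other.key standing in for an accidentally overwritten private key.
# Prints the three return codes: match, mismatch, unreadable key.
demo() {
    d=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -days 1 -keyout "$d/foo.key" -out "$d/cert-foo.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.key" 2>/dev/null
    key_matches_cert "$d/foo.key" "$d/cert-foo.pem" && good=0 || good=$?
    key_matches_cert "$d/other.key" "$d/cert-foo.pem" && bad=0 || bad=$?
    key_matches_cert "$d/missing.key" "$d/cert-foo.pem" && err=0 || err=$?
    rm -rf "$d"
    echo "$good $bad $err"
}

# With two arguments, check real files; otherwise run the constructed demo.
if [ "$#" -eq 2 ]; then key_matches_cert "$1" "$2"; else demo; fi
```

Run with the key and certificate paths as arguments before restarting the server; a non-zero exit status means the pair should not be installed.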

Install the key and the certificate into Apache

SSLCertificateKeyFile   /path/to/your.key
SSLCertificateFile      /path/to/your-cert.pem
SSLCertificateChainFile /path/to/your-chain.pem

Enable the ssl module

Enable the default-ssl site

Restart Apache

Generate a new CSR for an existing key

openssl req -new -key /etc/ssl/pc5.key -out pc5.socio.gu.se.csr

Last modified: December 22, 2017