Wednesday, January 12, 2011

Generate self signed SSL certificate for apache

I want to create self signed certificate for the website. The old certificate expired few days ago. There are more than one NameVirtualHosts hosted on systems. The commands I am using to create certificate are taken from one tutorial website and are:

openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr 
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

After this in ssl.conf file I have specified under VirtualHost section along with old settings done by other admin

SSLEngine on
SSLCertificateFile <full_path>/server.crt
SSLCertificateKeyFile <full_path>/server.key

On starting the server I am getting following messages in log file and server fails to start.

In error_log file messages are

 [Mon Jun 01 23:52:46 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

In ssl_error_log file messages are

 [Mon Jun 01 23:52:46 2009] [error] Init: Private key not found
 [Mon Jun 01 23:52:46 2009] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
 [Mon Jun 01 23:52:46 2009] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
 [Mon Jun 01 23:52:46 2009] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
 [Mon Jun 01 23:52:46 2009] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib

I would really appreciate if some one can explain how to solve this. I have tried a few other tutorial website on self signed SSL certificates but none of the steps they mention are working.

From serverfault Saurabh Barjatiya

  • Use this one liner to generate the certificate and key in one file

    openssl req -new -x509 -days 999 -nodes -out apache.pem -keyout apache.pem

    Then the only configuration you'll need is 

    SSLEngine on
SSLCertificateFile /etc/apache2/apache.pem
    Rajat : you mean add above line sslengine on and sslcertificatefile /etc/ssh
    hayalci : this is for apache configuration, not ssh.
    From hayalci

  • This may seem a bit trivial, but check the permission on your .key file

    Burkhard : +1 Sometimes the trivial things are the least thought of.
    From Jeff Hengesbach

  • You can use openssl req -newkey rsa:1024 -keyout privkey.pem to save off the SSL key as it's generated, in case the key generation isn't quite right.

    From davenpcj
Posted by Mu Cat at 9:47 PM

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)