Sign your own certificate with OpenSSL

  1. #1
    thehorse13 (Moderator), Washington D.C. area, joined Dec 2002, 2,884 posts

    Sign your own certificate with OpenSSL

    OK, since going to Verisign or Entrust is a pain in the butt to get a cert signed, I have created a **PAINLESS** way to sign a cert. This is an update to my old doc on this topic.

    OK, here is all you have to do:

    1) Unzip the contents of the ZIP file to a floppy
    2) Copy the files to any directory of your choice (on a *nix box).
    3) Follow the simple instructions and 3 minutes later you have a signed cert for Apache, IIS or any other service that requires a certificate.

    My doc includes instructions on generating a cert request from IIS for those of you who haven't done it before. I didn't have time for Apache... sorry.

    I have tested this on RedHat 7.3, 8 and 9 and Slackware 9.

    Who feels like paying for a cert when you can sign it yourself as your own CA?!

    Have fun and if ya need any help with the script, just PM me.

    --TheHorse13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    Senior Member, joined Sep 2001, 1,027 posts
    From OpenBSD FAQ, about creating and self-signing an SSL cert for apache:

    OpenBSD ships with an SSL-ready httpd and RSA libraries. For use with httpd(8), you must first have a certificate created. This will be kept in /etc/ssl/ with the corresponding key in /etc/ssl/private/. The steps shown here are taken in part from the ssl(8) man page. Refer to it for further information. This FAQ entry only outlines how to create an RSA certificate for web servers, not a DSA server certificate. To find out how to do so, please refer to the ssl(8) man page.

    To start off, you need to create your server key and certificate using OpenSSL:

    # openssl genrsa -out /etc/ssl/private/server.key 1024

    Or, if you wish the key to be encrypted with a passphrase that you will have to type in when starting servers:

    # openssl genrsa -des3 -out /etc/ssl/private/server.key 1024

    The next step is to generate a Certificate Signing Request which is used to get a Certifying Authority (CA) to sign your certificate. To do this use the command:

    # openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr

    This server.csr file can then be given to a Certifying Authority who will sign the key. One such CA is Thawte Certification which you can reach at http://www.thawte.com/. Thawte can currently sign RSA keys for you. A procedure is being worked out to allow for DSA keys.

    If you cannot afford this, or just want to sign the certificate yourself, you can use the following.

    # openssl x509 -req -days 365 -in /etc/ssl/private/server.csr \
    -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt

    With /etc/ssl/server.crt and /etc/ssl/private/server.key in place, you should be able to start httpd(8) with the -DSSL flag (see the section about rc(8) in this faq), enabling https transactions with your machine on port 443.
    Credit travels up, blame travels down -- The Boss
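
    The FAQ steps above produce a bare self-signed cert with `-signkey`; the thread's actual goal is to act as your own CA. The script below is an added example (not from the OpenBSD FAQ, not thehorse13's ZIP) that carries the same genrsa / req / x509 -req sequence through to that: it builds a CA key and certificate with explicit CA extensions, signs a server CSR with that CA, and stamps the server cert with a subjectAltName (modern browsers ignore CN entirely, so a cert without a SAN is rejected even when correctly signed). Key sizes are bumped from the FAQ's 1024 bits to 2048. The directory, the CA name "Example Lab CA" and the hostname www.example.test are made-up values; openssl(1) is assumed to be on PATH.

```shell
#!/bin/sh
# Added example: a minimal private CA plus a SAN-bearing server certificate,
# built with plain openssl(1) subcommands. Paths, the CA name and the
# hostname are assumptions for illustration, not values from the thread.
set -eu

# Create a CA key and self-signed CA cert in $1. This is the FAQ's
# genrsa / req / x509 -req -signkey sequence, plus an extfile so the cert
# is explicitly marked CA:TRUE and allowed to sign certs (some OpenSSL
# builds will not treat a v3 cert without basicConstraints as a CA).
make_ca() {
    dir=$1
    umask 077                                 # private keys are created 0600
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ca.key" -subj "/CN=Example Lab CA" \
        -out "$dir/ca.csr"
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$dir/ca.ext"
    openssl x509 -req -days 3650 -sha256 -in "$dir/ca.csr" \
        -signkey "$dir/ca.key" -extfile "$dir/ca.ext" -out "$dir/ca.crt"
    chmod 644 "$dir/ca.crt"                   # the cert is public, the key is not
}

# Create a server key and CSR for hostname $2, then sign the CSR with the
# CA in $1. The extfile adds the subjectAltName and restricts the cert to
# server use so it cannot be turned around and used as a CA itself.
make_server_cert() {
    dir=$1
    host=$2
    umask 077
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" \
        -out "$dir/server.csr"
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        "subjectAltName=DNS:$host" > "$dir/server.ext"
    openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt"
    chmod 644 "$dir/server.crt"
}

# Check that cert $2 chains to CA cert $1; exit status is openssl's own,
# so a cert signed by some other CA makes this return non-zero.
verify_chain() {
    openssl verify -CAfile "$1" "$2"
}

# Count how many times DNS:$2 appears in the SAN of $1/server.crt
# (1 means the extfile was applied; 0 means browsers will reject it).
san_count() {
    openssl x509 -in "$1/server.crt" -noout -text | grep -c "DNS:$2"
}

# Usage: sh selfsign.sh /path/to/dir www.example.test
if [ "$#" -ge 2 ]; then
    make_ca "$1"
    make_server_cert "$1" "$2"
    verify_chain "$1/ca.crt" "$1/server.crt"
fi
```

    Install ca.crt in the trust store of every client that must accept the server (that is the whole trick of being your own CA), keep ca.key offline or at least off the web server, and hand Apache or IIS only server.key and server.crt. Re-run make_server_cert for each additional host; the CA step is done once.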

  3. #3
    thehorse13 (Moderator), Washington D.C. area, joined Dec 2002, 2,884 posts
    This is pretty much the core of what I have scripted but what I meant was that I didn't have time to write how to get a cert request out of Apache like I did for IIS.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
