Requesting Certificates: Generating a Key Pair and CSR for Apache+modssl

Note: Information contained here was provided by Comodo. Similar information as well as installation instructions for other types of web servers (IIS, Weblogic, WebSphere, Java-based servers, etc.) can be found on the Comodo site.

In order to allow your mod_ssl-secured Apache server to work with certificates we recommend that you use the latest versions of Apache, mod_ssl and OpenSSL. The distribution tarballs can be found at the following locations:

Detailed installation instructions can be found in the INSTALL files in all three packages.

The utility (openssl) that you use to generate the RSA Private Key (key) and the Certificate Signing Request (CSR) comes with OpenSSL and is usually installed under the directory SSL_BASE/bin (where SSL_BASE is the path you specified when building Apache+mod_ssl, either with the --with-openssl option or the SSL_BASE variable).

Key and CSR Generation Steps

  1. You need to know the Fully Qualified Domain Name (FQDN) of your machine. If you don't know what this is, it is most likely your machine's hostname in NetReg.

    Note: Examples of FQDNs are www.cmu.edu, webmaster.andrew.cmu.edu, netreg.net.cmu.edu, etc.
  2. Run the following command to generate random seed data:

    dd if=/dev/urandom of=/tmp/random.data bs=2048k count=1

    This will generate 2 MB of random data in /tmp/random.data to seed the random number generator.
  3. Generate the key with the following command:

    openssl genrsa -des3 -rand /tmp/random.data -out FQDN.key 2048

    This command will generate a 2048-bit RSA Private Key and store it in the file FQDN.key, e.g. www.cmu.edu.key. It will ask you for a pass phrase. Use something secure and remember it. Your certificate will be useless without the key.

    Note: If you don't want to protect your key with a pass phrase you can omit the -des3 option above. This matters in particular if you want your machine to perform scheduled, unattended boots, since an encrypted key would require someone to type the pass phrase at each start. You should only do this if you absolutely trust that server machine, and if you make sure the permissions are carefully set so only you can read that key.
  4. Be sure to BACKUP your FQDN.key file and make a note of the pass phrase. A good choice is to backup this information onto removable media.
  5. Generate the CSR with the following command:

    openssl req -new -key FQDN.key -out FQDN.csr

    This command will prompt you for the X.509 attributes of your certificate.

    Important! You must use the guidelines below or your CSR will be rejected:

    # CMU CA X.509 attributes to use for your CSR

    CN = <FQDN> # example: netreg.net.cmu.edu
    OU = <Department name>
    O = Carnegie Mellon University
    L = Pittsburgh
    S = Pennsylvania
    C = US

  6. You will now have an RSA Private Key in FQDN.key and a Certificate Signing Request in FQDN.csr. The former is your secret key, and must be installed as per the instructions that come with mod_ssl. The file FQDN.csr (e.g. www.cmu.edu.csr) is your CSR, and the important part looks something like this:

    -----BEGIN CERTIFICATE REQUEST-----
    MIIBPTCB6AIBADCBhDELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2Fw
    ZTESMBAGA1UEBxMJQ2FwZSBUb3duMRQwEgYDVQQKEwtPcHBvcnR1bml0aTEYMBYG
    A1UECxMPT25saW5lIFNlcnZpY2VzMRowGAYDVQQDExF3d3cuZm9yd2FyZC5jby56
    YTBaMA0GCSqGSIb3DQEBAQUAA0kAMEYCQQDT5oxxeBWu5WLHD/G4BJ+PobiC9d7S
    6pDvAjuyC+dPAnL0d91tXdm2j190D1kgDoSp5ZyGSgwJh2V7diuuPlHDAgEDoAAw
    DQYJKoZIhvcNAQEEBQADQQBf8ZHIu4H8ik2vZQngXh8v+iGnAXD1AvUjuDPCWzFu
    pReiq7UR8Z0wiJBeaqiuvTDnTFMz6oCq6htdH7/tvKhh
    -----END CERTIFICATE REQUEST-----

Note: This CSR will be used by the CA to issue your certificate.
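The six steps above, run non-interactively as an added example (this is not code from the CMU page or from Comodo): the subject is passed with -subj using the attribute values from step 5 (openssl's name for the state field is ST), the key is left unencrypted as the note in step 3 allows, and the CSR is checked before it is mailed. It assumes openssl is on PATH; the FQDN, department name and output directory are caller-supplied parameters.

```shell
#!/bin/sh
# Added example (not from the CMU page or Comodo): the key and CSR steps
# above run non-interactively, then sanity checks before the CSR is mailed.
# Assumes openssl is on PATH; fqdn and ou are supplied by the caller.
set -eu

# Generate the key and CSR with the CMU DN attributes.  -subj replaces the
# interactive prompts (openssl calls the state field ST).  The key is left
# unencrypted, as the note in step 3 allows, so umask keeps it owner-only.
make_key_and_csr() {
    fqdn=$1; ou=$2; dir=$3
    umask 077
    openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$fqdn.key" -out "$dir/$fqdn.csr" \
        -subj "/C=US/ST=Pennsylvania/L=Pittsburgh/O=Carnegie Mellon University/OU=$ou/CN=$fqdn"
}

# Return 0 if the CSR's self-signature verifies and its CN is exactly fqdn.
csr_matches_fqdn() {
    csr=$1; fqdn=$2
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    # RFC2253 order puts the CN first: subject=CN=<fqdn>,OU=...,C=US
    subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253)
    cn=${subj#subject=CN=}
    cn=${cn%%,*}
    [ "$cn" = "$fqdn" ]
}

# Return 0 if the key and the CSR carry the same RSA modulus, i.e. the CSR
# was really made from this key and not from a stale one.
key_matches_csr() {
    key=$1; csr=$2
    [ "$(openssl rsa -in "$key" -noout -modulus)" = \
      "$(openssl req -in "$csr" -noout -modulus)" ]
}
```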

Submit Your CSR

  1. Compose an e-mail message to certificate-authority@andrew.cmu.edu. This message must contain:
    • Your name and affiliation with the university
    • The purpose of your web service
    • Your X.509 DN values
    • The type of web server (Apache, IIS, etc.)
    • Your CSR
    • If you are a student, the name and Andrew user ID of the sponsoring faculty member
  2. Copy and paste the CSR into your mail to certificate-authority@andrew.cmu.edu.

Certificate Installation with Apache 2

Follow these steps to install certificates with Apache 2:

  1. Once you have requested your certificates, you will receive an e-mail from certificate-authority@andrew.cmu.edu. The e-mail will contain the following:
  • link to download your certificate (typically named yourDomainName_cert.cer)
  • link to download the intermediate certificates (typically named yourDomainName_interm.cer)
  2. Move all of the certificate-related files to their appropriate directories. Typically, this would involve:
  • Moving the Private Key that was generated earlier to the ssl.key directory, which is typically found in /etc/ssl/. This must be a directory which only Apache can access.
  • Moving the yourDomainName_cert.cer and yourDomainName_interm.cer to the ssl.crt directory, which is typically found in the /etc/ssl/ directory.
  3. Edit the file that contains the SSL configuration with your favorite text editor.
    Note: The location of this file may vary between distributions. It will be referenced in the Apache global configuration file. Look for the lines which include:
  • Apache Configuration File:
    • Fedora/CentOS/RHEL: /etc/httpd/conf/httpd.conf
    • Debian and Debian based: /etc/apache2/apache2.conf
  • SSL Configuration File; some possible names:
    • httpd-ssl.conf
    • ssl.conf
    • In the /etc/apache2/sites-enabled/ directory.

      Note: If you need further assistance, please consult your distribution's documentation on Apache and SSL or navigate to the Apache Foundation's Apache2 Documentation.
  4. In the VirtualHost section of the file, add these directives if they do not exist.
    Note: It is best to comment out what is already there and add the following entries.
  • SSLEngine on
  • SSLCertificateKeyFile /etc/ssl/ssl.key/server.key
  • SSLCertificateFile /etc/ssl/ssl.crt/yourDomainName_cert.cer
  • SSLCertificateChainFile /etc/ssl/ssl.crt/yourDomainName_interm.cer

    Note: Apache 1.x: Please use SSLCACertificateFile instead of SSLCertificateChainFile.
    Note: The above paths in the directives are used only as examples. Your server may have a different path and may need to be modified to suit your needs.
  5. Save your config file and restart the Apache service.

Last Updated: 1/4/12