logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 



Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.



Using openssl.exe to make a self-signed wildcard certificate

 
Post new topic   Reply to topic    Apache Forum Index -> How-to's & Documentation & Tips



View previous topic :: View next topic  
Author Message
Siddus



Joined: 07 May 2006
Posts: 4

PostPosted: Sun 02 Feb '14 18:53    Post subject: Using openssl.exe to make a self-signed wildcard certificate Reply with quote

Hi, Siddus here ...
I am new to ssl and would like to get some help with creating a self-signed wildcard key and certificate using the included openssl.exe file.
Any and all help in this matter is appreciated Smile
Encryption should be as strong as I can use ..
brgds
Siddus
Back to top
jraute



Joined: 13 Sep 2013
Posts: 187
Location: Rheinland, Germany

PostPosted: Mon 03 Feb '14 12:15    Post subject: Reply with quote

This is a small howto for configuring and creating self signed certificates with openssl under Windows.

Building a certificate for "localhost"

Open a command shell (cmd).
If you are using Windows 7, it's important to open it as admin or with admin-rights.

Then go to the installation-directory of the apache.
For example: "C:\Apache24"
(the openssl.exe is located at C:\Apache24\bin\)

First we have to generate a certificate signing request plus a private key.

(in the openssl.cnf file you can edit default_bits = 4096 and the certificate will be a strong one)

Code:
openssl req -config openssl.cnf -new -out localhost.csr -keyout localhost.pem


You will be asked for some information:

PEM pass phrase: - a long and secure (not a simple) password
Country Name: - a two letter code for your country (swiss = CH; netherlands = NL, …)
State or Province Name: - the province you live in (optional)
Locality Name: - the city you live in (optional)
Organization Name: - (optional)
Organizational Unit Name: - (optional)
Common Name: - The complete domain, for what you are creating the certificate. In this case "localhost"
The correct entry is important, because the here choosen name is verified later!!!

Email Address - (optional)
A challenge password - This attribut you can ignore, because we will sign our certificate by ourself.
An optional company name - (optional)

As next step we will remove the passphrase/password from the private key and save it in a new file.

Code:
openssl rsa -in localhost.pem -out localhost.key



At least we will generate our own certificate. Usually this is done by a CA, but in our case we are our own CA.

Code:
openssl x509 -sha512 -in localhost.csr -out localhost.crt -req -signkey localhost.key -days 3650


> If you want to generate one certificate for multiple servernames, this can be done with an additional "multidomain.cnf" file, in which the needed information has been placed before. This file can be included:

Code:
openssl x509 -sha512 -in localhost.csr -text -extfile multidomain.cnf -out localhost.crt -req -signkey localhost.key -days 3650



With the value -days 3650 the certificate is valid for 10 years. That should be enough.

To sum up we have built:

localhost.crs - A certificate signing request
localhost.pem - The private key
localhost.key - The private key without the passphrase
localhost.crt - The certificate


Configuration of the Apache with SSL-Support

Some things we have to do to get a "feathered headdress" for the apache. Wink
Therefore we open httpd.conf at the configuration directory of the apache and comment out the following lines:

Comment out the line with #LoadModule ssl_module modules/mod_ssl.so (delete the #)
Comment out the line with #Include conf/extra/httpd-ssl.conf (delete the #)

Then open httpd-ssl.conf and change the following:
Search for the line starting with SSLCertificateFile and change the path to the directory where your localhost.crt file is placed.
For example: SSLCertificateFile "C:/Apache24/conf/ssl/localhost.crt"

Then search for the line starting with SSLCertificateKeyFile and change the path to the directory where your localhost.key file is placed.
For example: SSLCertificateKeyFile "C:/Apache24/conf/ssl/localhost.key"

Don't forget to save the changes and to get the apache down from his horse and to put him back (Restart the service) and then https://localhost should work.


For the configuration of the cipher suites and the ssl level you can try:
Code:
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS



To the admins in the forum: Pls feel free to check if everything is written in the right order and to correct the post in case of errors.


Last edited by jraute on Fri 07 Nov '14 9:23; edited 23 times in total
Back to top
Qmpeltaty



Joined: 06 Feb 2008
Posts: 182
Location: Poland

PostPosted: Mon 03 Feb '14 12:34    Post subject: Reply with quote

Also a easy way : http://www.akadia.com/services/ssh_test_certificate.html
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2123
Location: Sun Diego, USA

PostPosted: Mon 03 Feb '14 20:10    Post subject: Reply with quote

for best possible encryption, in Qmpeltaty's link, Step 1, change the 1024 to 4096
Back to top
Qmpeltaty



Joined: 06 Feb 2008
Posts: 182
Location: Poland

PostPosted: Tue 04 Feb '14 16:16    Post subject: Reply with quote

glsmith wrote:
for best possible encryption, in Qmpeltaty's link, Step 1, change the 1024 to 4096


Good point, however i use 2048 keys as i had heard that it might have impact for https page load speed on slow connections. Is that true ?
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2123
Location: Sun Diego, USA

PostPosted: Tue 04 Feb '14 18:43    Post subject: Reply with quote

Certainly, the bigger the key the longer the CPU has to churn and although I am not positive, the larger the encrypted output possibly.
Back to top
jraute



Joined: 13 Sep 2013
Posts: 187
Location: Rheinland, Germany

PostPosted: Tue 04 Feb '14 21:57    Post subject: Reply with quote

The 4096-bit (for example) is about the RSA key pair and only used to encrypt and securely exchange the much smaller, randomly generated, symmetric key from the client to the server. After exchanging the symmetric key, the data-encryption is done with up to 256 bit and is surely no problem for a modern cpu.

For understanding: http://security.stackexchange.com/questions/19473/understanding-2048-bit-ssl-and-256-bit-encryption
Back to top


Post new topic   Reply to topic    Apache Forum Index -> How-to's & Documentation & Tips
Page 1 of 1