Generating a Key Pair and CSR for an Apache Server with modssl

This document provides instructions for generating a key pair and a Certificate Signing Request (CSR) for an Apache server with mod_ssl. VeriSign recommends that you contact the server vendor for additional information.
Apache+mod_ssl Key and CSR Generation

To allow your mod_ssl-secured Apache server to work with our certificates, we recommend that you use the latest versions of Apache, mod_ssl and OpenSSL. The distribution tarballs can be found at the following locations:

http://www.apache.org/dist/
http://www.modssl.org/source/
http://www.openssl.org/source/


Detailed installation instructions can be found in the INSTALL files in all three packages.

The utility (openssl) that you use to generate the RSA Private Key (Key) and the Certificate Signing Request (CSR) comes with OpenSSL and is usually installed under the directory SSL_BASE/bin (where SSL_BASE is the path you specified when building Apache+mod_ssl, either with the --with-openssl option or the SSL_BASE variable). On systems where OpenSSL was installed from the operating system's packages, openssl is normally already on your PATH.

Key and CSR Generation Instructions

First you have to know the Fully Qualified Domain Name (FQDN) of the website for which you want to request a certificate. If your website will be accessed as https://www.virtualhost.com/, then the FQDN of your website is www.virtualhost.com.

Second, select five large and relatively random files from your hard drive (compressed log files are a good start). These will act as your random seed enhancers. We refer to them as file1:file2:...:file5 below. On platforms where /dev/random exists this device is a good choice, too. Note that OpenSSL 1.1.1 and later seed their random number generator from the operating system automatically, so the -rand option is unnecessary there; predictable files on disk must never be your only source of randomness, because a key generated from a guessable seed can be recomputed by an attacker.

Generate the Key with the following command:
$ openssl genrsa -des3 -rand file1:file2:...:file5 -out www.virtualhost.com.key 2048 
This command generates a 2048-bit RSA Private Key and stores it in the file www.virtualhost.com.key. (1024-bit RSA keys, once common, are no longer accepted by browsers or by publicly trusted CAs; 2048 bits is the current minimum.) It will ask you for a pass phrase: use something secure and remember it, because your certificate will be useless without the key. The -des3 option encrypts the key with Triple DES; on current OpenSSL versions prefer -aes256, which does the same job with a modern cipher. If you don't want to protect your key with a pass phrase (only if you absolutely trust that server machine, and you make sure the file permissions are set so that only root can read the key, e.g. mode 0600), you can leave out the -des3 option above.

Now, please back up your www.virtualhost.com.key file and make a note of the pass phrase. A good choice is to store this backup on a diskette or other removable media kept offline, where a compromise of the server cannot reach it.

Generate the CSR with the following command:
$ openssl req -new -key www.virtualhost.com.key -out www.virtualhost.com.csr 
This command will prompt you for the pass phrase of the key and then for the X.509 attributes of your certificate. Remember to give the name www.virtualhost.com when prompted for `Common Name (eg, YOUR name)'. Do not enter your personal name here. We are requesting a certificate for a webserver, so the Common Name has to match the FQDN of your website (a requirement of the browsers; current browsers additionally require the FQDN to appear in the certificate's subjectAltName extension, which the CA normally copies from the Common Name). Leave the optional `challenge password' and `optional company name' prompts empty unless your CA asks for them.

Generate a temporary self-signed Certificate:
$ openssl x509 -req -days 30 -in www.virtualhost.com.csr \
    -signkey www.virtualhost.com.key -out www.virtualhost.com.crt 
This command generates a self-signed certificate in www.virtualhost.com.crt, valid for 30 days, which can be used as a temporary certificate while you are waiting for a real certificate from VeriSign. Browsers will warn about it because it is not issued by a trusted CA; it only lets you test the server configuration.
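The three steps above, run end-to-end and followed by the checks a practitioner should make before pasting the CSR into an enrollment form, as an added example (this is not code from the VeriSign page or from the mod_ssl project). It assumes a current OpenSSL (1.1.1 or later) on the PATH, which seeds its random number generator from the operating system, so no -rand files are passed; it uses 2048-bit RSA and AES-256 key encryption rather than the 1024-bit/-des3 settings, and it takes the output directory, FQDN and pass phrase as parameters. The subject fields other than the Common Name are placeholders.

```shell
#!/bin/sh
# Added example (not part of the VeriSign page): key, CSR and temporary
# self-signed certificate for an Apache+mod_ssl host, generated
# non-interactively, plus the consistency checks to run before enrollment.
# Assumes OpenSSL >= 1.1.1 on the PATH; directory, FQDN and pass phrase
# are parameters and the subject fields below are made-up placeholders.
set -eu

# Create $dir/$fqdn.key (AES-256 encrypted, 2048-bit RSA), $dir/$fqdn.csr
# and a 30-day self-signed $dir/$fqdn.crt, named as in the instructions.
generate_key_csr_cert() {
    dir=$1; fqdn=$2; pass=$3
    # umask 077 in a subshell so the key is never world-readable, even briefly
    ( umask 077; openssl genrsa -aes256 -passout "pass:$pass" \
        -out "$dir/$fqdn.key" 2048 2>/dev/null )
    # -subj supplies the X.509 attributes that "openssl req" would otherwise
    # prompt for; the Common Name (CN) must be the FQDN of the web site.
    openssl req -new -key "$dir/$fqdn.key" -passin "pass:$pass" \
        -subj "/C=US/ST=California/L=Mountain View/O=Example Corp/OU=Web/CN=$fqdn" \
        -out "$dir/$fqdn.csr"
    openssl x509 -req -days 30 -in "$dir/$fqdn.csr" \
        -signkey "$dir/$fqdn.key" -passin "pass:$pass" \
        -out "$dir/$fqdn.crt" 2>/dev/null
    chmod 600 "$dir/$fqdn.key"
}

# Print the RSA key size in bits (e.g. 2048) of the encrypted key $1.
key_bits() {
    openssl rsa -in "$1" -passin "pass:$2" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Return 0 only if the key, CSR and certificate share one RSA modulus (so the
# CSR was really signed with this key and not a stale or regenerated one),
# the CSR's self-signature verifies, the CN is the FQDN and the key is at
# least 2048 bits.  Any failure is reported on stderr and returns 1.
verify_key_csr_cert() {
    dir=$1; fqdn=$2; pass=$3
    key_mod=$(openssl rsa  -in "$dir/$fqdn.key" -passin "pass:$pass" -noout -modulus)
    csr_mod=$(openssl req  -in "$dir/$fqdn.csr" -noout -modulus)
    crt_mod=$(openssl x509 -in "$dir/$fqdn.crt" -noout -modulus)
    [ "$key_mod" = "$csr_mod" ] || { echo "key/CSR modulus mismatch" >&2; return 1; }
    [ "$key_mod" = "$crt_mod" ] || { echo "key/certificate modulus mismatch" >&2; return 1; }
    openssl req -in "$dir/$fqdn.csr" -noout -verify >/dev/null 2>&1 \
        || { echo "CSR signature does not verify" >&2; return 1; }
    # subject output is "CN = host" on 1.1.1/3.x and "/CN=host" on older builds
    openssl req -in "$dir/$fqdn.csr" -noout -subject | grep -q "CN *= *$fqdn" \
        || { echo "CSR Common Name is not $fqdn" >&2; return 1; }
    [ "$(key_bits "$dir/$fqdn.key" "$pass")" -ge 2048 ] \
        || { echo "key is shorter than 2048 bits" >&2; return 1; }
    return 0
}
```

Typical use is `generate_key_csr_cert /path/to/your www.virtualhost.com 'pass phrase' && verify_key_csr_cert /path/to/your www.virtualhost.com 'pass phrase'`. Passing the pass phrase as `pass:` on the command line makes it visible to other users in the process list; for a production key omit -passout/-passin and let openssl prompt for it, or supply it from a root-only file with `file:`. The modulus comparison is what catches the classic mistake of regenerating the key after the CSR has already been submitted, which leaves you with a certificate that does not match the key the server loads.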

You will now have an RSA Private Key in www.virtualhost.com.key and a Certificate Signing Request in www.virtualhost.com.csr. The file www.virtualhost.com.key is your secret key, and must be installed as per the instructions that come with mod_ssl; it never leaves the server and is never sent to the CA. The file www.virtualhost.com.csr is your CSR, and the important bit looks something like this:
-----BEGIN CERTIFICATE REQUEST-----
MIIBPTCB6AIBADCBhDELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2Fw
ZTESMBAGA1UEBxMJQ2FwZSBUb3duMRQwEgYDVQQKEwtPcHBvcnR1bml0aTEYMBYG
A1UECxMPT25saW5lIFNlcnZpY2VzMRowGAYDVQQDExF3d3cuZm9yd2FyZC5jby56
YTBaMA0GCSqGSIb3DQEBAQUAA0kAMEYCQQDT5oxxeBWu5WLHD/G4BJ+PobiC9d7S
6pDvAjuyC+dPAnL0d91tXdm2j190D1kgDoSp5ZyGSgwJh2V7diuuPlHDAgEDoAAw
DQYJKoZIhvcNAQEEBQADQQBf8ZHIu4H8ik2vZQngXh8v+iGnAXD1AvUjuDPCWzFu
pReiq7UR8Z0wiJBeaqiuvTDnTFMz6oCq6htdH7/tvKhh
-----END CERTIFICATE REQUEST-----
The CSR in www.virtualhost.com.csr is what you now paste into the appropriate online enrollment form. Paste the whole block exactly in the format shown above, including the BEGIN and END lines.

The file www.virtualhost.com.crt is your self-signed certificate. You can use it as a temporary certificate while you are waiting for a real certificate from VeriSign. You install it by updating the virtual host section of your Apache configuration for www.virtualhost.com as follows:

    SSLCertificateFile    /path/to/your/www.virtualhost.com.crt
    SSLCertificateKeyFile /path/to/your/www.virtualhost.com.key
Apache reads the key file at startup, so it must be readable by root and by nobody else. When you receive your real certificate, you will install it in place of your self-signed certificate at /path/to/your/www.virtualhost.com.crt and restart Apache.

Detailed installation instructions can be found in the INSTALL files in all three packages (Apache, mod_ssl and OpenSSL).

Copyright © 2000, VeriSign, Inc. All Rights Reserved