This document provides instructions for generating a key pair and CSR for an ApacheSSL server. VeriSign recommends that you contact the server vendor for additional information.

Key and CSR Generation
ApacheSSL is a first-class, free, well-supported web server. You can learn more about it at https://www.apache-ssl.org. It is based on the ubiquitous Apache server and uses the SSLeay / OpenSSL libraries to add full-strength cryptography, anywhere in the world. SSLeay was originally developed by Eric Young. The OpenSSL Group is now continuing that work, hence the renaming of the library to OpenSSL.

Versions

For your ApacheSSL server to work with our certificates, you must have compiled it against a recent version of OpenSSL. We recommend that you use the latest version of both ApacheSSL and OpenSSL. The "openssl" utility that you use to generate the key and CSR comes with OpenSSL and is usually installed under /usr/local/ssl/bin. If you have installed it elsewhere, modify these instructions accordingly.

Generating the key and CSR

First, select five large and relatively random files from your hard drive (compressed log files are a good start). These act as additional seed material for the random number generator; they are referred to as file1:...:file5 below. (Current OpenSSL releases seed themselves from the operating system, so on a modern system the -rand option is optional.)

The following sequence of commands generates a 1024-bit RSA key, encrypts it with the triple-DES cipher, and creates a CSR based on it. They assume that openssl is in your path; if not, prefix the openssl command with the path to the binary. Use the domain name you want certified as the core of the filenames (www.xxx.com stands for that domain throughout), and make sure you do NOT overwrite existing keys and CSRs. Note that 1024-bit RSA keys and triple-DES are no longer considered adequate: public CAs and browsers now require at least 2048-bit RSA keys, and current OpenSSL can encrypt the key file with -aes256 instead of -des3.

1. Go to your SSL directory:

   cd /usr/local/ssl/private

2. Generate a private key:

   openssl genrsa -des3 -rand file1:...:file5 1024 > www.xxx.com.key

   Now PLEASE back up www.xxx.com.key and make a note of the passphrase. Losing your key will cost you money!

3. Go to your certs directory:

   cd /usr/local/ssl/certs

4. Generate a CSR from your key:

   openssl req -new -key ../private/www.xxx.com.key > www.xxx.com.csr

5. Generate a self-signed certificate:

   openssl req -x509 -key ../private/www.xxx.com.key -in www.xxx.com.csr > www.xxx.com.crt

NOTE: When asked for your Common Name, enter the exact domain name of the web server you want to secure (e.g. "www.mycompany.com" or "secure.mycompany.com"). The prompt in some standard OpenSSL distributions asks for "YOUR name"; this is your Common Name. (Current browsers ignore the Common Name and match the server name against the certificate's subjectAltName extension, so a CSR generated today should also carry the hostname as a subjectAltName.)

Passphrases

If you want to avoid passphrases, and you are convinced that your machine is secure, leave out the "-des3" portion of the key generation command. If you do this, PLEASE ensure that the key file can only be read by root. Your server starts as root, so it can read the key, and then switches to whatever user you run it as (usually nobody). We recommend running

   chown root:root www.xxx.com.key; chmod 400 www.xxx.com.key

so that the key can never be read by an arbitrary user on your machine.

Note that losing the passphrase will prevent you from using your key, and you will need to generate a new key and certificate. Please remember this passphrase!

Submitting your CSR

The file www.xxx.com.key is your secret key, and must be installed as per the instructions that come with ApacheSSL. The file www.xxx.com.csr is your CSR, and the important part looks something like this:

-----BEGIN CERTIFICATE REQUEST-----
MIIBPTCB6AIBADCBhDELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2Fw
ZTESMBAGA1UEBxMJQ2FwZSBUb3duMRQwEgYDVQQKEwtPcHBvcnR1bml0aTEYMBYG
A1UECxMPT25saW5lIFNlcnZpY2VzMRowGAYDVQQDExF3d3cuZm9yd2FyZC5jby56
YTBaMA0GCSqGSIb3DQEBAQUAA0kAMEYCQQDT5oxxeBWu5WLHD/G4BJ+PobiC9d7S
6pDvAjuyC+dPAnL0d91tXdm2j190D1kgDoSp5ZyGSgwJh2V7diuuPlHDAgEDoAAw
DQYJKoZIhvcNAQEEBQADQQBf8ZHIu4H8ik2vZQngXh8v+iGnAXD1AvUjuDPCWzFu
pReiq7UR8Z0wiJBeaqiuvTDnTFMz6oCq6htdH7/tvKhh
-----END CERTIFICATE REQUEST-----

Installing the certificate

The file www.xxx.com.crt is your self-signed certificate. Use it as a temporary certificate while you are waiting for a real certificate from VeriSign. Install it by updating your ApacheSSL configuration for that virtual host as follows:

   SSLCertificateFile /usr/local/ssl/certs/www.xxx.com.crt
   SSLCertificateKeyFile /usr/local/ssl/private/www.xxx.com.key

When you receive your certificate, install it in place of your self-signed certificate at /usr/local/ssl/certs/www.xxx.com.crt.

Setting up SSL

You configure your server using the httpd.conf file. Under your virtual host, enable SSL on port 443, and make sure each SSL virtual host has its own IP address. SSL as described here does not support name-based virtual hosts, because the server must choose the certificate before it knows which hostname the client asked for; the later TLS Server Name Indication (SNI) extension removed this limitation in newer servers and clients, but not in the software this document covers. You will also have to change the links to your secure site to https.
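As an added example (not part of VeriSign's or ApacheSSL's own instructions), the following POSIX shell script performs steps 2, 4 and 5 above non-interactively with current parameters and then runs the checks worth doing before a CSR is submitted or a certificate installed: that the CSR and the temporary certificate carry the public key belonging to the private key, that the CSR's own signature verifies, and that the Common Name and subjectAltName are the hostname you intend to certify. The hostname www.example.com, the subject fields and the scratch directory are assumed placeholders; the key is written without a passphrase so that the script runs unattended, so the permission advice in the Passphrases section applies to it.

```shell
#!/bin/sh
# Added example: key, CSR and temporary self-signed certificate, generated
# non-interactively with current parameters, plus the checks a practitioner
# runs before submitting a CSR. This is not VeriSign's or ApacheSSL's own
# script; the hostname, subject fields and scratch directory are assumed
# placeholders, and the key is written without a passphrase.
set -eu

# Generate an RSA key and a CSR for hostname $1 in directory $2.
gen_key_and_csr() {
    host="$1"; dir="$2"
    # 2048 bits is today's minimum (the 1024 bits of the original text is no
    # longer accepted by CAs or browsers); no -rand is needed, OpenSSL seeds
    # itself from the OS.
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    chmod 400 "$dir/$host.key"          # readable only by the owner
    # A config file with prompt = no replaces the interactive questions and
    # adds a subjectAltName, which browsers require in addition to the CN.
    cat > "$dir/$host.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
C = US
O = Example Org
CN = $host
[ v3_req ]
subjectAltName = DNS:$host
EOF
    openssl req -new -key "$dir/$host.key" -config "$dir/$host.cnf" \
        -out "$dir/$host.csr" 2>/dev/null
}

# Self-signed certificate from the CSR, for use until the CA-issued one arrives.
make_temp_cert() {   # $1 key, $2 csr, $3 output cert
    openssl req -x509 -in "$2" -key "$1" -days 30 -out "$3" 2>/dev/null
}

# SHA-256 of the public key held in a key, CSR or certificate ($1 = key|req|x509).
pubkey_digest() {
    pem=$(case "$1" in
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
        req)  openssl req -in "$2" -pubkey -noout 2>/dev/null ;;
        x509) openssl x509 -in "$2" -pubkey -noout 2>/dev/null ;;
        *)    false ;;
    esac) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl sha256 | sed 's/^.*= *//'
}

# Return 0 when the CSR or certificate ($2 = req|x509, $3 = file) carries the
# public key belonging to private key $1.
matches_key() {
    a=$(pubkey_digest key "$1") && b=$(pubkey_digest "$2" "$3") && [ "$a" = "$b" ]
}

# Check the CSR's self-signature (proves it was produced with the matching key).
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Common Name of a CSR or certificate ($1 = req|x509). Handles both the
# "CN = x" and "/CN=x" subject formats printed by different OpenSSL versions.
subject_cn() {
    openssl "$1" -in "$2" -noout -subject 2>/dev/null |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# DNS names in the CSR's subjectAltName extension, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text 2>/dev/null | tr ',' '\n' |
        sed -n 's/^ *DNS:\([^ ]*\).*/\1/p'
}

HOST="${1:-www.example.com}"             # assumed placeholder hostname
DIR="${2:-$(mktemp -d)}"                 # scratch dir instead of /usr/local/ssl
gen_key_and_csr "$HOST" "$DIR"
make_temp_cert "$DIR/$HOST.key" "$DIR/$HOST.csr" "$DIR/$HOST.crt"
matches_key "$DIR/$HOST.key" req "$DIR/$HOST.csr" && echo "CSR matches key"
matches_key "$DIR/$HOST.key" x509 "$DIR/$HOST.crt" && echo "cert matches key"
csr_verify "$DIR/$HOST.csr" && echo "CSR signature OK"
echo "CN:  $(subject_cn req "$DIR/$HOST.csr")"
echo "SAN: $(csr_sans "$DIR/$HOST.csr")"
echo "files written to $DIR"
```

The public-key comparison is the check to repeat when the CA-issued certificate arrives: run matches_key against the key in /usr/local/ssl/private before replacing the temporary .crt, since a certificate issued for a different CSR installs without complaint and only fails when the server starts.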

Copyright © 2000, VeriSign, Inc. All Rights Reserved