SSL with Centos 6.4 and Apache 2.6

NotionCommotion · 03-26-2014, 06:31 AM

I've already installed openssl, openssl-devel, httpd, and mod_ssl.

http://wiki.centos.org/HowTos/Https describes creating private keys, CSR, and signed key as follows:

Code:

# Generate private key 
openssl genrsa -out ca.key 2048 

# Generate CSR 
openssl req -new -key ca.key -out ca.csr

# Generate Self Signed Key
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

I've been told I should do so as follows:

Code:

# generate an RSA keypair with 3072 bits and encrypt it
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -aes-128-cbc -out server_key.pem

# generate a certificate signing request
openssl req -new -key server_key.pem -sha256 -days 365 -out server_csr.pem

# sign the certificate with the key itself.  Skip this step if using a CA
openssl x509 -req -in server_csr.pem -signkey server_key.pem -sha256 -days 365 -out server_crt.pem

Thoughts on doing it one way over the other?

When creating the CSR for both approaches, there is a non-required option for a "challenge password". Should I always use one? I see the second approach requires me to create a "pass phrase" for the initial private key which is then used by the next two steps. What is different than the "pass phrase" described by my previous step?

The Centos document then goes on to describe copying them to a new location (and obviously deleting the original, right?).

Code:

cp ca.crt /etc/pki/tls/certs
cp ca.key /etc/pki/tls/private/ca.key
cp ca.csr /etc/pki/tls/private/ca.csr

My primary question. The two approaches I used created the three files with different names. Are the names arbitrary and could I pick what ever I want? Is there any naming standard I should follow (like why use extension .pem on the second approach)? Do I move them to the same final directories for both approaches? Any thing else needs to be done differently between the two approaches?

EDIT. http://www.akadia.com/services/ssh_t...rtificate.html describes moving them as shown below. I see they don't do anything with the csr. Which location is best?

Code:

cp server.crt /usr/local/apache/conf/ssl.crt
cp server.key /usr/local/apache/conf/ssl.key

A couple less important (but still would like to know) questions. Does the CSR (certificate signing request) have any future purpose other than creating the certificate? Is ca.key/server_key.pem the private key? Is ca.crt/server_crt.pem the public key?

Thanks

ericson007 · 03-27-2014, 03:08 AM

The csr is useful for when you rewuire a Certificate Authority to vrrify that key belongs to you. This will result in the green bar in the browser, thst is all the csr is for. You can actually create your own CA for that matter, but that is best left for another day.

Pem is a format that allows many certificates to be included in one file if you wish to use such a distribution method, but in terms vof functionality, they would do the same thing. I would think it is best to leave just the .key type files for apache. The passphrase can be anything, as with everything, if there is a pass phrase, it is a little more secure.

Where

You copy the keys does not matter. As long as the correct path is configured in qpache and the location is set up to have appropriate selinux contexts, they will work. The default path is just the recommendation.

In your example, the csr is also used to generate the crt so you personally signed thecertificate sign request and converted it to a functional certificate, hence yougot the crt.

The .key is your private key and crt is public key yes.