LinuxQuestions.org
Old 03-26-2014, 07:31 AM   #1
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 536

Rep: Reputation: Disabled
SSL with Centos 6.4 and Apache 2.6


I've already installed openssl, openssl-devel, httpd, and mod_ssl.

http://wiki.centos.org/HowTos/Https describes creating private keys, CSR, and signed key as follows:
Code:
# Generate private key 
openssl genrsa -out ca.key 2048 

# Generate CSR 
openssl req -new -key ca.key -out ca.csr

# Generate Self Signed Key
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
I've been told I should do so as follows:
Code:
# generate an RSA keypair with 3072 bits and encrypt it
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -aes-128-cbc -out server_key.pem

# generate a certificate signing request
openssl req -new -key server_key.pem -sha256 -days 365 -out server_csr.pem

# sign the certificate with the key itself.  Skip this step if using a CA
openssl x509 -req -in server_csr.pem -signkey server_key.pem -sha256 -days 365 -out server_crt.pem
Thoughts on doing it one way over the other?

When creating the CSR for both approaches, there is a non-required option for a "challenge password". Should I always use one? I see the second approach requires me to create a "pass phrase" for the initial private key which is then used by the next two steps. How is that different from the "pass phrase" described in my previous step?

The Centos document then goes on to describe copying them to a new location (and obviously deleting the original, right?).

Code:
cp ca.crt /etc/pki/tls/certs
cp ca.key /etc/pki/tls/private/ca.key
cp ca.csr /etc/pki/tls/private/ca.csr
My primary question. The two approaches I used created the three files with different names. Are the names arbitrary and could I pick whatever I want? Is there any naming standard I should follow (like why use extension .pem on the second approach)? Do I move them to the same final directories for both approaches? Does anything else need to be done differently between the two approaches?

EDIT. http://www.akadia.com/services/ssh_t...rtificate.html describes moving them as shown below. I see they don't do anything with the csr. Which location is best?
Code:
cp server.crt /usr/local/apache/conf/ssl.crt
cp server.key /usr/local/apache/conf/ssl.key
A couple less important (but still would like to know) questions. Does the CSR (certificate signing request) have any future purpose other than creating the certificate? Is ca.key/server_key.pem the private key? Is ca.crt/server_crt.pem the public key?

Thanks

Last edited by NotionCommotion; 03-26-2014 at 08:03 AM. Reason: Added part about akadia
 
Old 03-27-2014, 04:08 AM   #2
ericson007
Member
 
Registered: Sep 2004
Location: Japan
Distribution: CentOS 7.1
Posts: 656

Rep: Reputation: 121
The csr is useful for when you require a Certificate Authority to verify that the key belongs to you. This will result in the green bar in the browser, that is all the csr is for. You can actually create your own CA for that matter, but that is best left for another day.

Pem is a format that allows many certificates to be included in one file if you wish to use such a distribution method, but in terms of functionality, they would do the same thing. I would think it is best to leave just the .key type files for apache. The passphrase can be anything, as with everything, if there is a pass phrase, it is a little more secure.

Where you copy the keys does not matter. As long as the correct path is configured in apache and the location is set up to have appropriate selinux contexts, they will work. The default path is just the recommendation.

In your example, the csr is also used to generate the crt so you personally signed the certificate signing request and converted it to a functional certificate, hence you got the crt.

The .key is your private key and crt is public key yes.
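The following script is an added example, not part of this thread, the CentOS wiki page, or the akadia page. It runs the second approach from the question non-interactively and then checks what each of the three files actually contains: that the key file is stored encrypted under its passphrase, that the "challenge password" is a separate attribute written in plaintext inside the CSR, that the certificate holds only the public half of the key, and that the private key lands with mode 0600 when installed. It assumes an openssl command on PATH and writes to a temporary directory instead of /etc/pki/tls; the file names, CN, passphrase and challenge value are constructed for the demo.

```shell
#!/bin/sh
# Added example: generate key / CSR / self-signed cert the "second way"
# and verify what each file contains. Assumes openssl is on PATH.
set -eu

WORK=$(mktemp -d)
KEY="$WORK/server_key.pem"
CSR="$WORK/server_csr.pem"
CRT="$WORK/server_crt.pem"
PASS="demo-passphrase"   # constructed; protects the key FILE on disk only

# Config so `req` runs without prompts. The challengePassword becomes an
# attribute stored inside the CSR; it has nothing to do with $PASS.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
attributes = attrs
[ dn ]
CN = www.example.test
[ attrs ]
challengePassword = csr-challenge-value
EOF

make_key_csr_cert() {
    # 3072-bit RSA private key, encrypted with AES-128-CBC under $PASS
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -aes-128-cbc -pass "pass:$PASS" -out "$KEY" 2>/dev/null
    # CSR; -days is ignored by `req -new`, only the x509 signing step uses it
    openssl req -new -key "$KEY" -passin "pass:$PASS" -sha256 \
        -config "$WORK/req.cnf" -out "$CSR" 2>/dev/null
    # Self-signed certificate; with a real CA this step is the CA's job
    openssl x509 -req -in "$CSR" -signkey "$KEY" -passin "pass:$PASS" \
        -sha256 -days 365 -out "$CRT" 2>/dev/null
}

# 0 if the key file is stored encrypted (PEM header says ENCRYPTED)
key_is_encrypted() { grep -q "ENCRYPTED" "$KEY"; }

# 0 if the key cannot be read with the wrong passphrase
wrong_pass_rejected() {
    ! openssl pkey -in "$KEY" -passin pass:wrong -noout 2>/dev/null
}

# 0 if the public key embedded in the cert equals the public half of the key
cert_matches_key() {
    k=$(openssl pkey -in "$KEY" -passin "pass:$PASS" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$CRT" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if the CSR carries the challenge password as a readable attribute
csr_has_challenge() {
    openssl req -in "$CSR" -noout -text 2>/dev/null | grep -q "challengePassword"
}

# 0 if the certificate file contains no private key material
cert_has_no_private_key() { ! grep -q "PRIVATE KEY" "$CRT"; }

# Copy cert and key into a CentOS-style pki tree ($1 stands in for
# /etc/pki/tls); the CSR is not installed. Returns 0 if the key is 0600.
install_files() {
    pkidir="$1"
    mkdir -p "$pkidir/certs" "$pkidir/private"
    cp "$CRT" "$pkidir/certs/server_crt.pem"
    cp "$KEY" "$pkidir/private/server_key.pem"
    chmod 0644 "$pkidir/certs/server_crt.pem"
    chmod 0600 "$pkidir/private/server_key.pem"
    [ "$(stat -c %a "$pkidir/private/server_key.pem")" = "600" ]
}

make_key_csr_cert
```

Two things the checks make visible: the passphrase (second approach) only encrypts the key file at rest, so Apache will need it at startup (mod_ssl's SSLPassPhraseDialog) and it is not part of the CSR or certificate; the challenge password is embedded in the CSR in clear and goes to whoever receives the CSR, which is why most people leave it empty. Once the certificate exists, the CSR has no remaining role on the server.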