I've already installed openssl, openssl-devel, httpd, and mod_ssl.
http://wiki.centos.org/HowTos/Https describes creating private keys, CSR, and signed key as follows:
Code:
# Generate private key
openssl genrsa -out ca.key 2048
# Generate CSR
openssl req -new -key ca.key -out ca.csr
# Generate Self Signed Key
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
I've been told I should do so as follows:
Code:
# generate an RSA keypair with 3072 bits and encrypt it (you are prompted for a pass phrase)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -aes-128-cbc -out server_key.pem
# generate a certificate signing request (-days only applies to "req -x509", so it is omitted here)
openssl req -new -key server_key.pem -sha256 -out server_csr.pem
# sign the certificate with the key itself. Skip this step if using a CA
openssl x509 -req -in server_csr.pem -signkey server_key.pem -sha256 -days 365 -out server_crt.pem
Thoughts on doing it one way over the other?
When creating the CSR for both approaches, there is a non-required option for a "challenge password". Should I always use one? I see the second approach requires me to create a "pass phrase" for the initial private key, which is then used by the next two steps. How is that different from the "pass phrase" described in my previous step?
The CentOS document then goes on to describe copying them to a new location (and obviously deleting the originals, right?).
Code:
cp ca.crt /etc/pki/tls/certs
cp ca.key /etc/pki/tls/private/ca.key
cp ca.csr /etc/pki/tls/private/ca.csr
My primary question: the two approaches I used created the three files with different names. Are the names arbitrary, and could I pick whatever I want? Is there any naming standard I should follow (like why use the extension .pem in the second approach)? Do I move them to the same final directories for both approaches? Is there anything else that needs to be done differently between the two approaches?
EDIT.
http://www.akadia.com/services/ssh_t...rtificate.html describes moving them as shown below. I see they don't do anything with the csr. Which location is best?
Code:
cp server.crt /usr/local/apache/conf/ssl.crt
cp server.key /usr/local/apache/conf/ssl.key
A couple of less important (but still would like to know) questions. Does the CSR (certificate signing request) have any future purpose other than creating the certificate? Is ca.key/server_key.pem the private key? Is ca.crt/server_crt.pem the public key?
Thanks
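Added example, not from this thread or from the CentOS/akadia pages: the second approach run non-interactively, followed by checks that the three files belong together (the .crt carries the public key that matches the private key, the key file is stored encrypted, and a self-signed certificate has issuer equal to subject). It assumes openssl 1.1 or later on PATH; the pass phrase, subject name and work directory are constructed values.

```shell
#!/bin/sh
# Added example: encrypted key -> CSR -> self-signed cert, then consistency checks.
# Assumes openssl 1.1+ on PATH. Pass phrase, subject and directory are constructed.
set -eu

WORK=${WORK:-$(mktemp -d)}
PASS='constructed-sample-passphrase'   # unlocks the private key; NOT the CSR challenge password

# Private key (the file also holds the public half), 3072-bit RSA, encrypted with AES-128-CBC.
gen_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -aes-128-cbc \
    -pass "pass:$PASS" -out "$WORK/server_key.pem" 2>/dev/null
  chmod 600 "$WORK/server_key.pem"   # a private key must never be world-readable
}

# CSR: the key pass phrase is needed to sign the request; -subj skips all prompts,
# so no challenge password is set.
gen_csr() {
  openssl req -new -key "$WORK/server_key.pem" -passin "pass:$PASS" -sha256 \
    -subj '/CN=www.example.com' -out "$WORK/server_csr.pem"
}

# Self-signed certificate: the CSR is signed with the same key it was built from.
gen_cert() {
  openssl x509 -req -in "$WORK/server_csr.pem" -signkey "$WORK/server_key.pem" \
    -passin "pass:$PASS" -sha256 -days 365 -out "$WORK/server_crt.pem" 2>/dev/null
}

# The .crt carries the public key; it must equal the public half of the private key.
keys_match() {
  a=$(openssl pkey -in "$WORK/server_key.pem" -passin "pass:$PASS" -pubout | openssl sha256)
  b=$(openssl x509 -in "$WORK/server_crt.pem" -pubkey -noout | openssl sha256)
  [ "$a" = "$b" ]
}

# genpkey writes PKCS#8; an encrypted one starts with "BEGIN ENCRYPTED PRIVATE KEY".
key_is_encrypted() { grep -q 'ENCRYPTED' "$WORK/server_key.pem"; }

# In a self-signed certificate the issuer is the subject itself.
is_self_signed() {
  s=$(openssl x509 -in "$WORK/server_crt.pem" -noout -subject | sed 's/^subject=//')
  i=$(openssl x509 -in "$WORK/server_crt.pem" -noout -issuer | sed 's/^issuer=//')
  [ "$s" = "$i" ]
}

gen_key && gen_csr && gen_cert && keys_match && key_is_encrypted && is_self_signed \
  && echo "key, CSR and certificate in $WORK are consistent"
```

The CSR is only input to the signing step; once server_crt.pem exists it is not needed by Apache, which is why the akadia page copies only the .crt and .key.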