Scribd
Upload
31 views5 pages

Ubuntu SSL 2048-bit Certificate Setup

Ubuntu SSL 2048 Byte. Powered by www.elmuhibbin.com, Sarana berbagi ilmu melalui catatan kuliah, kerja dan Kajian Islam Ahlussunah Waljamaah.

Uploaded by

Irfan Irawan Cbn
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
31 views5 pages

Ubuntu SSL 2048-bit Certificate Setup

Ubuntu SSL 2048 Byte. Powered by www.elmuhibbin.com, Sarana berbagi ilmu melalui catatan kuliah, kerja dan Kajian Islam Ahlussunah Waljamaah.

Uploaded by

Irfan Irawan Cbn
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

Ubuntu SSL 2048-bit Key

Creating an SSL Certificate


When SSL is used with the Apache via the mod_ssl module, it will create an encrypted RSA file
which has two components a private file which is kept secure on the server and a public file which is
placed in the Certificate file and is thus used by users when they connect to the server. Users will be
able to communicate securely then using the encryption that results in this kind of communication.
New standards are requiring a 2048-bit key instead of the older 1024-bit key.

An official SSL Certificate is required in order to satisfy browsers and customers on a web site.

A Certificate Signing Request (CSR) must be created that contains the public key of the web site
that will be installed in the certificate. This key identifies the owner of the web site and this is the
information that you see when you view a certificate:

Country – State – Company – Organizational Unit – Domain – Email of Administrator

The CSR must be sent to a Certifying Authority (CA) who will then convert the certificate into a real
Certificate which can be placed on the server with the signature of the signing authority. In this
process the signing authority verifies the company is who they say they are on the certificate.

Process of Setting Up Certificate


OpenSSL should be installed on the server as this will be used to create the keys. Create a RSA
private key for the server:

sudo openssl genrsa -des3 -out [Link] 2048


Now you must use 2048-bit encryption as the requirements are stronger now and will be completely
in place by 2011. Here is an example of the requirement from [Link], not that they are the
standard but certainly very popular.
Enter pass phrase for [Link]:

Verifying – Enter pass phrase for [Link]:

It is important to create a backup of both the key and the password, or you may have to do the
process all over again.

sudo openssl rsa -noout -text -in [Link]


Enter pass phrase for [Link]:

- – - cut – - -

Create a Certificate Signing Request with the server’s RSA private key
sudo openssl req -new -key [Link] -out [Link]
Enter pass phrase for [Link]:

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

—–

Country Name (2 letter code) [GB]:US

State or Province Name (full name) [Berkshire]:Montana

Locality Name (eg, city) [Newbury]:Trout Creek

Organization Name (eg, company) [My Company Ltd]:My Company

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server’s hostname) []:[Link]

Email Address []:mike@[Link]

Please enter the following ‘extra’ attributes

to be sent with your certificate request

A challenge password []:Mu75Rdes43

An optional company name []:

sudo openssl x509 -req -days 365 -in [Link] -signkey [Link] -out [Link]
Send the request to a Certifying Authority.
Once the certificate is signed by the CA and returned to you the details may be viewed with this
command:

sudo openssl x509 -noout -text -in [Link]


At this point there should be 5 total files that you have for SSL.

[Link]

gd_bundle.crt

[Link] (this is replaced by the domain [Link] from the CA)

[Link]

[Link]

You will use three of those files, so copy them to the proper location.

SSLCertificateFile /etc/ssl/certs/[Link]

SSLCertificateKeyFile /etc/ssl/private/[Link]

SSLCACertificateFile /etc/apache2/[Link]/gd_bundle.crt

Now modify your domain name in the /etc/apache2/sites-enabled. Make sure your SSLEngine is set
to on.

<IfModule mod_ssl.c>
<VirtualHost [Link]:443>
ServerAdmin webmaster@[Link]
ServerName [Link]
ServerAlias [Link]
DocumentRoot /var/www/[Link]/
ErrorLog /var/log/apache2/[Link]
CustomLog /var/log/apache2/ssl_access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/[Link]
SSLCertificateKeyFile /etc/ssl/private/[Link]
SSLCACertificateFile /etc/apache2/[Link]/gd_bundle.crt
</VirtualHost>
</IfModule>

Now restart apache and be ready to enter the SSL pass phrase you created. This pass phrase will
be needed whenever you restart the server

You might also like