some personal, more technical – by Thomas Einwaller
I got so many responses to my post about the certificate problems with apache2 and Firefox that I decided to post a howto about creating valid certificates with openssl.
I am using an Ubuntu 6.10 server, but there is no big difference to other distros except for the directory structure.
First you have to install openssl – on Ubuntu I do this by running
sudo aptitude install openssl
This creates the directory /etc/ssl (with the subdirectories certs and private), where the next actions take place; the commands below are run from inside it, so relative paths like private/CAkey.pem refer to /etc/ssl. The next step is to create the files in which openssl ca keeps track of the certificates you sign.
Run the command echo "01" > /etc/ssl/serial to create the file that holds the next serial number to be assigned (openssl ca increments it after every certificate it signs; note that the redirection, not only the echo, needs root privileges). Additionally create the empty file /etc/ssl/index.txt (touch /etc/ssl/index.txt), the database in which openssl ca records every certificate it has signed. openssl ca also stores a copy of each newly issued certificate in a directory of its own (new_certs_dir in the configuration, for example /etc/ssl/newcerts), so create that as well.
Before you start to produce certificates you should adapt the ssl configuration file /etc/ssl/openssl.cnf to fit your system.
In the block [ CA_default ] change the paths so that they point at the layout created above: by default dir is ./demoCA, which only works from a directory that contains a demoCA subdirectory, so set it to /etc/ssl and make sure the entries derived from it (database, serial, new_certs_dir, certificate and private_key) name the files and directories you just created and the CA files created in the next step.
In the section [ req_distinguished_name ] you may change the default values (the *_default entries) for the fields of your certificates, so that you do not have to type them for every request.
Now we are ready to create our own CA (certificate authority); this allows us to sign client and server certificates ourselves. If you want your certificates signed by a trusted root certificate authority like VeriSign or Thawte you may skip this step and send them the request created below instead. The following command creates a CA certificate and its key file (run from /etc/ssl, so both land in /etc/ssl/private):
openssl req -new -x509 -keyout private/CAkey.pem -out private/CAcert.pem
You will be asked for a PEM pass phrase: choose a strong one and remember it, it is needed every time you sign a certificate with your CA. Then enter the information about your CA (Country, State, ...); the most important field is the Common Name (CN), which is how the CA will be listed in browsers. Note that openssl req -x509 issues the certificate for only 30 days unless you add -days, so give a CA a long validity (for example -days 3650).
With these CA files we are now able to sign certificate requests. We create one by running the command
openssl req -new -keyout newkey.pem -out newreq.pem
Again you will be asked for a PEM pass phrase; this one protects the new key file (newkey.pem) and has to be entered whenever the key is read. Enter the information for the certificate and make sure that the Common Name matches the host name the server will be reached under, otherwise browsers warn their users. Note that modern browsers (Chrome since version 58, for example) check the host name only against the subjectAltName extension and ignore the Common Name, so the host name has to end up in a subjectAltName entry as well.
openssl ca reads only the certificate request, so the key is not needed to sign it and newreq.pem could be passed directly. Merging the request and the key file into one file, as done here, works because the key part is ignored, but it is unnecessary, and a private key should never be put into a file that gets passed around:
cat newreq.pem newkey.pem > new.pem
After this step we finally sign the request:
openssl ca -policy policy_anything -out newcert.pem -infiles new.pem
You may specify any policy from the ssl configuration file, depending on which restrictions you want to apply to the subject fields of the certificates (policy_anything only requires a Common Name; policy_match additionally requires country, state and organisation to be identical to the CA's). The PEM pass phrase you are asked for is the one you chose for your CA key. As a result we get the signed certificate in the file newcert.pem; openssl ca also appends an entry to index.txt, increments serial and stores a copy under new_certs_dir, and you can check the result against the CA certificate with openssl verify. Copy the certificate to /etc/ssl/certs and give it a better name; do the same for newkey.pem, but make sure the key file is readable by root only (chmod 600), since anyone who can read it can impersonate your server.
To use the new certificate in an apache2 web server you only have to point the ssl virtual host configuration at the two files:
SSLCertificateFile /etc/ssl/certs/servercert.pem
SSLCertificateKeyFile /etc/ssl/certs/serverkey.pem
This is enough to serve your web pages with the new certificate, but every time you start the server you have to enter the pass phrase of the key file. To avoid this you can remove the pass phrase from the key (keeping the protected original as a backup) with the following commands:
cp /etc/ssl/certs/serverkey.pem /etc/ssl/certs/serverkey.pem.org
openssl rsa -in /etc/ssl/certs/serverkey.pem.org -out /etc/ssl/certs/serverkey.pem
After entering the pass phrase you get a key file that is no longer encrypted. From now on only the file permissions protect the key, so keep it owned by root with mode 600 and make sure it does not end up in world-readable backups.
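The whole procedure above, from the CA directory layout through the adapted [ CA_default ] block, the CA certificate, the server request, signing, a verify check and the pass phrase removal, as one added example script (not code from the original post). It runs non-interactively in a scratch directory instead of /etc/ssl; the pass phrases, the subject names, the host name www.example.org and the minimal openssl.cnf it writes are assumptions, not values from the post. It also goes a little beyond the post: the configuration adds the X.509 extensions (basicConstraints, keyUsage, subjectAltName) that OpenSSL's own verification and current browsers expect, which the post's default-config commands do not produce.

```shell
#!/bin/sh
# Added example (not code from the original post): the procedure above run
# non-interactively in a scratch directory, so nothing under /etc/ssl is touched.
# Assumed, not from the post: the pass phrases, the subject names, the host name
# www.example.org and the minimal openssl.cnf written below.
set -u

WORK="${WORK:-$(mktemp -d)}"
CA_PASS="ca-pass-phrase-change-me"     # assumed; the post only asks for a strong one
KEY_PASS="server-key-pass-change-me"   # assumed
SERVER_NAME="www.example.org"          # assumed; the name clients will connect to

# Steps 1-2: the files openssl ca keeps state in, and an openssl.cnf whose
# [ CA_default ] block points at exactly this layout (the post's dir is /etc/ssl).
setup_ca_dir() {
    mkdir -p "$WORK/certs" "$WORK/newcerts" "$WORK/private"
    chmod 700 "$WORK/private"          # private keys: owner only
    echo "01" > "$WORK/serial"         # next serial number to issue
    : > "$WORK/index.txt"              # database of issued certificates
    cat > "$WORK/openssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = .
certs           = $dir/certs
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
certificate     = $dir/private/CAcert.pem
private_key     = $dir/private/CAkey.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = server_cert
[ policy_anything ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
[ req_distinguished_name ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # browsers check the host name against subjectAltName, not only the CN
    echo "subjectAltName = DNS:$SERVER_NAME" >> "$WORK/openssl.cnf"
}

# Step 3: self-signed CA certificate and pass-phrase-protected CA key
# (-days, because openssl req -x509 would otherwise issue it for only 30 days).
make_ca() {
    (cd "$WORK" && openssl req -new -x509 -config openssl.cnf -batch \
        -newkey rsa:2048 -days 3650 -subj "/C=AT/CN=Example Private CA" \
        -passout "pass:$CA_PASS" -keyout private/CAkey.pem -out private/CAcert.pem)
}

# Step 4: protected server key plus certificate request; the CN is the host name.
make_request() {
    (cd "$WORK" && openssl req -new -config openssl.cnf -batch -newkey rsa:2048 \
        -subj "/C=AT/CN=$SERVER_NAME" -passout "pass:$KEY_PASS" \
        -keyout newkey.pem -out newreq.pem)
}

# Step 5: sign the request with the CA; only the request is passed, never the key.
sign_request() {
    (cd "$WORK" && openssl ca -config openssl.cnf -batch -notext \
        -policy policy_anything -passin "pass:$CA_PASS" \
        -out newcert.pem -infiles newreq.pem)
}

# Check: the new certificate must chain to our CA certificate.
verify_cert() { openssl verify -CAfile "$WORK/private/CAcert.pem" "$WORK/newcert.pem"; }

# Step 6: remove the pass phrase so apache2 starts unattended; from here on
# only the file permissions protect the key.
strip_passphrase() {
    cp "$WORK/newkey.pem" "$WORK/newkey.pem.org"
    openssl rsa -in "$WORK/newkey.pem.org" -passin "pass:$KEY_PASS" -out "$WORK/serverkey.pem" &&
        chmod 600 "$WORK/serverkey.pem"
}

key_is_encrypted() { grep -q ENCRYPTED "$1"; }
cert_subject_cn() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'; }

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 0; }
    setup_ca_dir && make_ca && make_request && sign_request && verify_cert &&
        strip_passphrase && echo "CA, signed certificate and unencrypted key are in $WORK"
}
main
```

Run it with sh; setting WORK=/some/dir keeps the output where you want it. The files correspond one to one to the post's: private/CAcert.pem and private/CAkey.pem are the CA, newreq.pem and newkey.pem the request and its protected key, newcert.pem the signed certificate and serverkey.pem the unencrypted key for apache2. After the run index.txt has one entry and serial has advanced to 02, and newkey.pem still contains ENCRYPTED while serverkey.pem does not, which is exactly why its permissions matter.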
1 Response to Creating openssl certificates
Creating openssl certificates « tOMPSON’s blog
April 25th, 2007 at 3:59 pm
[...] Creating openssl certificates This post was moved [...]