How to use OpenSSL
OpenSSL is an open source toolkit and library that implements Transport Layer Security (TLS).
Check that the openssl binary is present:
$ which openssl
The openssl command can be used to generate keys, CSRs and self-signed certificates.
1. Generating an RSA key for a domain.
An RSA private key can be generated for a domain with the following command.
# openssl genrsa -out domainname.key 1024
The option "-des3" can be added to this command to password protect the key. Password protecting a server key is always treated as a bad idea, since the server must be able to read the key unattended every time it starts.
2. How to generate a CSR from the key.
For this purpose, issue the following command.
# openssl req -new -key domainname.key -out domainname.csr
Here we need to provide information such as Country name, State, etc.
When prompted for a common name, be sure to give the fully qualified domain name of the domain for which the certificate is to be installed.
The email address given will commonly be used by the CA to contact you.
The fields "A challenge password" and "An optional company name" are recommended to be left blank.
The generated CSR can be checked with the command,
# openssl req -noout -text -in domainname.csr
If no problem is found, the CSR can be forwarded to a CA for certificate generation.
3. Generating a self-signed certificate from the CSR.
# openssl x509 -req -days 30 -in domainname.csr -signkey domainname.key -out domainname.cert
The -days argument specifies how long the certificate will be valid.
4. Creating a self-signed certificate directly from the key.
A certificate can also be created directly from the key itself,
# openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.cert
Here all the information such as Country name, State, etc. will be asked for.
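The sequence above (key, CSR, self-signed certificate from the CSR, and self-signed certificate straight from the key) as one added shell example. This is not code from the original page: the file names, the subject fields and the domain www.example.test are constructed for the demo, the key size is raised to 2048 bits because 1024-bit RSA is no longer adequate, and -sha256 replaces -sha1, which current clients reject. The -subj option is used so that no interactive prompts appear.

```shell
#!/bin/sh
# Added example (not from the original page): key -> CSR -> self-signed cert
# without interactive prompts. File names, the subject fields and the domain
# www.example.test are constructed for this demo.
set -eu

# Step 1: generate the private key. 2048 bits is the current minimum; the
# page's 1024 is no longer adequate. No -des3: a server key must be readable
# unattended, so it is protected by file permissions instead of a passphrase.
make_key() {
    keyfile=$1
    openssl genrsa -out "$keyfile" 2048 2>/dev/null
    chmod 600 "$keyfile"
}

# Step 2: generate the CSR. -subj supplies the fields the interactive prompt
# would ask for; CN must be the fully qualified domain name. The challenge
# password and optional company name are simply omitted, as the page advises.
make_csr() {
    keyfile=$1; csrfile=$2; fqdn=$3
    openssl req -new -key "$keyfile" -out "$csrfile" \
        -subj "/C=US/ST=State/L=City/O=Example Org/CN=$fqdn"
}

# Step 3: self-sign the CSR with the same key for a limited number of days.
# -sha256 instead of the page's -sha1, which clients no longer accept.
self_sign_csr() {
    csrfile=$1; keyfile=$2; certfile=$3; days=$4
    openssl x509 -req -days "$days" -sha256 -in "$csrfile" \
        -signkey "$keyfile" -out "$certfile" 2>/dev/null
}

# Step 4: the same result in one command, straight from the key.
self_sign_from_key() {
    keyfile=$1; certfile=$2; fqdn=$3; days=$4
    openssl req -new -x509 -nodes -sha256 -days "$days" -key "$keyfile" \
        -out "$certfile" -subj "/CN=$fqdn"
}

# Return the subject CN of a certificate, for checking the result.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# Sanity checks worth running before the files are shipped anywhere.
key_ok()  { openssl rsa  -check -noout -in "$1" >/dev/null 2>&1; }
cert_ok() { openssl x509 -noout -in "$1" >/dev/null 2>&1; }

demo() {
    tmp=$(mktemp -d)
    make_key "$tmp/domainname.key"
    make_csr "$tmp/domainname.key" "$tmp/domainname.csr" www.example.test
    self_sign_csr "$tmp/domainname.csr" "$tmp/domainname.key" "$tmp/domainname.cert" 30
    self_sign_from_key "$tmp/domainname.key" "$tmp/host.cert" www.example.test 365
    echo "CN of domainname.cert: $(cert_cn "$tmp/domainname.cert")"
    echo "CN of host.cert:       $(cert_cn "$tmp/host.cert")"
    rm -rf "$tmp"
}

# Run the demo when invoked as: sh this_script.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

The chmod after genrsa is deliberate: with no passphrase on the key, the file mode is the only thing standing between the key and other local users.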
The RSA key and certificate can be checked to see whether they match each other. Save the key as key.txt and the certificate as cert.txt, then run the following commands.
# openssl rsa -modulus -noout -in key.txt | openssl md5 > key.out
# openssl x509 -modulus -noout -in cert.txt | openssl md5 > crt.out
The first command hashes the modulus of the key and the second the modulus of the certificate, storing the results in the files key.out and crt.out. If the contents of key.out and crt.out match, the RSA key and certificate belong together.
# diff key.out crt.out
5. Viewing details of an RSA key, CSR and certificate.
The following commands can be used to view details of a key, CSR and certificate.
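The modulus comparison from the previous section and the detail views of this section, as one added shell example that is not part of the original page. It assumes PEM-encoded files; the key, CSR and certificate used in the demo are generated on the fly with constructed names.

```shell
#!/bin/sh
# Added example (not from the original page): does this key belong to this
# certificate, and what is inside a key, CSR or certificate? Assumes PEM files.
set -eu

# MD5 of the RSA modulus; the same pipeline works on a key, a CSR and a cert,
# so the three fingerprints can be compared directly.
key_modulus()  { openssl rsa  -noout -modulus -in "$1" | openssl md5; }
csr_modulus()  { openssl req  -noout -modulus -in "$1" | openssl md5; }
cert_modulus() { openssl x509 -noout -modulus -in "$1" | openssl md5; }

# Returns 0 (true) when the key and certificate share a modulus, i.e. the
# certificate really was issued for this key.
key_matches_cert() {
    [ "$(key_modulus "$1")" = "$(cert_modulus "$2")" ]
}

# Decode a key, CSR or certificate into readable text, chosen by type.
show_details() {
    case $1 in
        key)  openssl rsa  -noout -text -in "$2" ;;
        csr)  openssl req  -noout -text -in "$2" ;;
        cert) openssl x509 -noout -text -in "$2" ;;
        *)    echo "usage: show_details key|csr|cert FILE" >&2; return 2 ;;
    esac
}

demo() {
    tmp=$(mktemp -d)
    openssl genrsa -out "$tmp/a.key" 2048 2>/dev/null
    openssl genrsa -out "$tmp/b.key" 2048 2>/dev/null
    openssl req -new -key "$tmp/a.key" -out "$tmp/a.csr" -subj "/CN=www.example.test"
    openssl req -new -x509 -nodes -sha256 -days 30 -key "$tmp/a.key" \
        -out "$tmp/a.cert" -subj "/CN=www.example.test"
    if key_matches_cert "$tmp/a.key" "$tmp/a.cert"; then
        echo "a.key matches a.cert"
    fi
    if ! key_matches_cert "$tmp/b.key" "$tmp/a.cert"; then
        echo "b.key does NOT match a.cert (wrong key for this certificate)"
    fi
    echo "CSR modulus: $(csr_modulus "$tmp/a.csr")"
    echo "Key modulus: $(key_modulus "$tmp/a.key")"
    show_details cert "$tmp/a.cert" | head -n 12
    rm -rf "$tmp"
}

# Run the demo when invoked as: sh this_script.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

Comparing hashes of the modulus rather than the modulus itself is only a convenience for eyeballing; the check is exact either way because both pipelines must be run by the same openssl build.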
6. Installing the certificate on machines without a control panel.
a) Copy the RSA key to /usr/share/ssl/private and the certificate to /usr/share/ssl/certs.
b) Add the following line to httpd.conf
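Step a) as an added shell example, not part of the original page, that copies the files into the directories named above with the file modes a private key needs, and prints the mod_ssl directives (SSLEngine, SSLCertificateFile, SSLCertificateKeyFile are real Apache directives) that point httpd.conf at them. The optional DESTROOT prefix is a hypothetical addition so the function can be tried in a scratch directory instead of the live filesystem.

```shell
#!/bin/sh
# Added example (not from the original page): install key and certificate
# under /usr/share/ssl with safe permissions and print the httpd.conf lines.
# DESTROOT (third argument) is a hypothetical prefix for dry runs.
set -eu

install_tls_files() {
    keyfile=$1; certfile=$2; destroot=${3:-}
    privdir="$destroot/usr/share/ssl/private"
    certdir="$destroot/usr/share/ssl/certs"
    mkdir -p "$privdir" "$certdir"
    chmod 700 "$privdir"            # directory itself closed to other users
    # Private key: owner-only. Certificate: world-readable, it is public data.
    install -m 600 "$keyfile"  "$privdir/$(basename "$keyfile")"
    install -m 644 "$certfile" "$certdir/$(basename "$certfile")"
}

# Directives for the SSL <VirtualHost> in httpd.conf. Paths are printed as
# Apache will see them, i.e. without any scratch prefix.
httpd_ssl_directives() {
    keyname=$(basename "$1"); certname=$(basename "$2")
    printf 'SSLEngine on\n'
    printf 'SSLCertificateFile /usr/share/ssl/certs/%s\n' "$certname"
    printf 'SSLCertificateKeyFile /usr/share/ssl/private/%s\n' "$keyname"
}

# Returns 0 when the installed key is readable only by its owner.
installed_key_private() {
    destroot=${2:-}
    [ -n "$(find "$destroot/usr/share/ssl/private/$(basename "$1")" -perm 600)" ]
}

demo() {
    tmp=$(mktemp -d)
    printf 'constructed placeholder, not a real key\n'  > "$tmp/domainname.key"
    printf 'constructed placeholder, not a real cert\n' > "$tmp/domainname.cert"
    install_tls_files "$tmp/domainname.key" "$tmp/domainname.cert" "$tmp/root"
    ls -l "$tmp/root/usr/share/ssl/private" "$tmp/root/usr/share/ssl/certs"
    echo "--- add to httpd.conf ---"
    httpd_ssl_directives "$tmp/domainname.key" "$tmp/domainname.cert"
    rm -rf "$tmp"
}

# Run the demo when invoked as: sh this_script.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

Apache reads the key as root before dropping privileges, so mode 600 owned by root is enough; the key never needs to be readable by the unprivileged worker user.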