Making SSL/TLS Certificates

The following article describes how to make certificates for Apache, Tomcat, Sendmail and Imap (imapd & ipopd). The certificates produced will probably be usable in other applications, but I know that the certificates are definitely acceptable to the named applications.

Apache+mod_ssl Key and Certificate Signing Request (CSR) Generation

Key and CSR Generation Instructions

First you have to know the Fully Qualified Domain Name (FQDN) of the website for which you want to request a certificate. If you access your website through https://www.virtualhost.com/, then the FQDN of your website is www.virtualhost.com.

Generate the Key with the following command:
$ openssl genrsa -des3 -out www.virtualhost.com.key 1024
This command will generate a 1024-bit RSA private key and store it in the file www.virtualhost.com.key. It will ask you for a pass phrase: use something secure and remember it. Your certificate will be useless without the key. If you don't want to protect your key with a pass phrase (only if you absolutely trust that server machine, and you make sure the permissions are carefully set so only you can read that key) you can leave out the -des3 option above.

Now back up your www.virtualhost.com.key file and make a note of the pass phrase. A good choice is to back this information up onto a floppy or other removable media.

Generate the CSR with the following command:
$ openssl req -new -key www.virtualhost.com.key -out www.virtualhost.com.csr
This command will prompt you for the X.509 attributes of your certificate. Remember to give the name www.virtualhost.com when prompted for `Common Name (eg, YOUR name)'. Do not enter your personal name here. We are requesting a certificate for a webserver, so the Common Name has to match the FQDN of your website (a requirement of the browsers).

Generate a temporary self-signed Certificate

$ openssl x509 -req -days 30 -in www.virtualhost.com.csr \
    -signkey www.virtualhost.com.key -out www.virtualhost.com.crt
This command will generate a self-signed certificate in www.virtualhost.com.crt which can be used as a temporary certificate while you are waiting for a real certificate from Thawte, or whoever. If you plan to use this as the permanent certificate you should set days to, say, a year (365) or more.
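The three steps above (key, CSR, temporary self-signed certificate) as one non-interactive script. This is an added example, not part of the original article: the X.509 fields that the article answers at the prompts are passed with -subj (the organisation values are constructed samples), the key is written without -des3 so the file permissions have to protect it instead, and 2048-bit RSA is used rather than the article's 1024 bits. The script also does the two checks a CA will do on the CSR before issuing anything: that it verifies under its own key and that the CN is the FQDN.

```shell
#!/bin/sh
# Added example (not from the article): key, CSR and temporary certificate for
# one FQDN, created without prompts, then checked before it goes to the CA.
set -eu

# Organisation part of the subject (constructed sample); CN is appended per host.
ORG_SUBJECT="/C=ZA/ST=Western Cape/L=Cape Town/O=Example Co/OU=Online Services"

# Create <fqdn>.key, <fqdn>.csr and a self-signed <fqdn>.crt valid for $3 days.
# Prints the path of the certificate.
make_server_cert() {   # $1 = output dir, $2 = FQDN, $3 = days
    ( umask 077                     # new files are readable by the owner only
      key="$1/$2.key"; csr="$1/$2.csr"; crt="$1/$2.crt"
      openssl genrsa -out "$key" 2048 2>/dev/null
      # The CN must be the FQDN browsers will connect to, never a person's name.
      openssl req -new -key "$key" -out "$csr" -subj "$ORG_SUBJECT/CN=$2" 2>/dev/null
      openssl x509 -req -days "$3" -in "$csr" -signkey "$key" -out "$crt" 2>/dev/null
      echo "$crt" )
}

# Print the CN the CSR asks for (what the CA will put into the certificate).
csr_common_name() {   # $1 = CSR file
    openssl req -in "$1" -noout -subject -nameopt sep_multiline 2>/dev/null \
        | sed -n 's/^ *CN *= *//p'
}

# A CSR is signed with the key it carries; a failed verify means the text was
# damaged, typically while being pasted into the CA's enrolment form.
csr_is_valid() {   # $1 = CSR file
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Demo run into a throw-away directory.
out=$(mktemp -d)
crt=$(make_server_cert "$out" www.virtualhost.com 30)
csr=$out/www.virtualhost.com.csr
csr_is_valid "$csr" && echo "CSR OK, CN=$(csr_common_name "$csr")"
openssl x509 -in "$crt" -noout -subject -enddate
```

The CSR in the demo directory is the text you would paste into the CA's form; the .crt is only the stop-gap until the signed certificate arrives.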

You will now have an RSA private key in www.virtualhost.com.key and a Certificate Signing Request in www.virtualhost.com.csr. The file www.virtualhost.com.key is your secret key, and must be installed as per the instructions that come with mod_ssl. The file www.virtualhost.com.csr is your CSR, and the important bit looks something like this:

  -----BEGIN CERTIFICATE REQUEST-----
  MIIBPTCB6AIBADCBhDELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2Fw
  ZTESMBAGA1UEBxMJQ2FwZSBUb3duMRQwEgYDVQQKEwtPcHBvcnR1bml0aTEYMBYG
  A1UECxMPT25saW5lIFNlcnZpY2VzMRowGAYDVQQDExF3d3cuZm9yd2FyZC5jby56
  YTBaMA0GCSqGSIb3DQEBAQUAA0kAMEYCQQDT5oxxeBWu5WLHD/G4BJ+PobiC9d7S
  6pDvAjuyC+dPAnL0d91tXdm2j190D1kgDoSp5ZyGSgwJh2V7diuuPlHDAgEDoAAw
  DQYJKoZIhvcNAQEEBQADQQBf8ZHIu4H8ik2vZQngXh8v+iGnAXD1AvUjuDPCWzFu
  pReiq7UR8Z0wiJBeaqiuvTDnTFMz6oCq6htdH7/tvKhh
  -----END CERTIFICATE REQUEST-----

The CSR in www.virtualhost.com.csr is what you now paste into the appropriate online enrolment form for the certificate authority.

Installation

The file www.virtualhost.com.crt is your self-signed certificate. You can use it as a temporary certificate while you are waiting for a real certificate, or permanently if you don't want a real certificate. You install it by updating the virtual host section of your Apache configuration for www.virtualhost.com as follows:
SSLCertificateFile /path/to/your/www.virtualhost.com.crt
SSLCertificateKeyFile /path/to/your/www.virtualhost.com.key

When you receive your real certificate, you will install it in place of your self-signed certificate at /path/to/your/www.virtualhost.com.crt.
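Before pointing SSLCertificateFile and SSLCertificateKeyFile at a new pair and reloading Apache, it is worth confirming that the pair belongs together, that the certificate is not about to expire and that its CN is the virtual host's name. This added example (not from the article) does those checks and prints the two directives only when all of them pass; the key and certificate it checks are constructed for the demo with a single self-signed command.

```shell
#!/bin/sh
# Added example (not from the article): pre-installation checks for the Apache
# certificate pair. Sample key/cert are generated below for the demo.
set -eu

# The certificate's public key must belong to the private key: compare the RSA
# moduli. A mismatch is the usual reason Apache refuses to start after a swap
# (for example a CA-issued certificate installed over a regenerated key).
cert_matches_key() {   # $1 = certificate file, $2 = key file
    cmod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null || true)
    kmod=$(openssl rsa  -in "$2" -noout -modulus 2>/dev/null || true)
    [ -n "$cmod" ] && [ "$cmod" = "$kmod" ]
}

# -checkend exits 0 if the certificate is still valid $2 seconds from now.
cert_valid_for() {   # $1 = certificate file, $2 = seconds
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# The CN the certificate carries; it must equal the vhost's ServerName.
cert_common_name() {   # $1 = certificate file
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline 2>/dev/null \
        | sed -n 's/^ *CN *= *//p'
}

# Print the directives for the vhost once every check passes, else fail.
apache_ssl_directives() {   # $1 = certificate, $2 = key, $3 = ServerName
    cert_matches_key "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    cert_valid_for "$1" 86400   || { echo "certificate expires within a day" >&2; return 1; }
    [ "$(cert_common_name "$1")" = "$3" ] || { echo "CN is not $3" >&2; return 1; }
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' "$1" "$2"
}

# Demo: a throw-away self-signed pair (same one-line command as the POP3 section).
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=www.virtualhost.com" \
    -keyout "$demo/www.virtualhost.com.key" -out "$demo/www.virtualhost.com.crt" 2>/dev/null
apache_ssl_directives "$demo/www.virtualhost.com.crt" "$demo/www.virtualhost.com.key" \
    www.virtualhost.com
```

Run the same function against the real certificate when it arrives from the CA, with the key you generated the CSR from; if the key was regenerated in between, the modulus check is what tells you.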

Tomcat/Java Certificate

If you want to run a Java server such as Tomcat you will need to manage the certificates and keys using the keytool command, which is part of the JRE. I prefer to give each application its own keystore; if you would rather use the default store (and you have write permission on it) you can leave out the -keystore tomcat.keystore parameter from the following keytool commands.

First we need to produce our public/private key pair. We will use the RSA algorithm for compatibility and a validity of about 10 years (the keystore password shown below, changeit, is the JRE's default; use one of your own):
$ keytool -genkey -keystore tomcat.keystore -keyalg RSA -validity 3650 -alias tomcat
Enter keystore password:  changeit
What is your first and last name?
  [Unknown]:  www.myserver.co.uk
What is the name of your organizational unit?
  [Unknown]:  WebAdmin
What is the name of your organization?
  [Unknown]:  Company Ltd
What is the name of your City or Locality?
  [Unknown]:  Manchester
What is the name of your State or Province?
  [Unknown]:  Grtr Manchester
What is the two-letter country code for this unit?
  [Unknown]:  GB
Is CN=www.myserver.co.uk, OU=WebAdmin, O=Company Ltd, L=Manchester, ST=Grtr Manchester, C=GB correct?
  [no]:  yes
Enter key password for <tomcat>
        (RETURN if same as keystore password):  changeit

Now we need to produce a Certificate Signing Request (CSR) to be sent to a CA such as Verisign, Thawte or Syntegra. We will use the RSA algorithm because it seems to be more widely accepted:
$ keytool -certreq -file tomcat.csr -alias tomcat -keystore tomcat.keystore -keyalg RSA
Enter keystore password: changeit

It is possible, but not necessary, to see the contents of the CSR by using the openssl program:

$ openssl req -in tomcat.csr -text
Using configuration from /etc/ssl/openssl.cnf
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=GB, ST=Grtr Manchester, L=Manchester, O=Company Ltd, OU=WebAdmin, CN=www.myserver.co.uk
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:f9:45:31:a9:c4:ab:b0:b5:75:fe:1b:4e:51:54:
                    01:f6:03:54:5e:85:b1:f3:a2:4f:8c:2c:19:13:07:
                    78:bb:84:77:51:ce:c4:75:06:b8:ea:b2:f3:45:fb:
                    69:dd:1f:2d:bb:1c:34:f4:be:72:81:53:6b:9f:d9:
                    12:c9:45:5d:6d:3e:f7:d0:6e:e1:17:10:36:d2:d3:
                    f6:0d:9e:da:8d:71:f9:db:ff:c1:15:e8:c7:6a:0b:
                    99:b5:62:b7:a3:6b:29:a6:26:9c:c5:e8:4f:0b:37:
                    fc:e4:4d:33:ce:88:2f:69:90:ee:dc:b9:84:72:9b:
                    f5:fa:e6:8d:c4:08:20:4b:15
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: md5WithRSAEncryption
        e8:8a:85:a1:21:9d:eb:fd:0d:82:5a:1e:0d:3c:8b:b5:b3:c2:
        0a:19:25:97:fe:f9:1c:29:a4:1c:e4:d2:3b:63:bc:d0:e7:3c:
        8b:60:23:6d:31:db:c3:b6:d3:a3:47:ff:9c:ea:91:71:0f:d9:
        16:5f:ab:ce:3e:c1:70:87:f5:29:0c:46:44:10:7d:92:6d:ce:
        65:78:d5:40:9b:bd:ca:52:6f:1d:21:16:7c:e6:62:f6:74:66:
        e6:84:ee:e1:67:b4:f4:41:7f:8e:01:9e:4b:bd:d4:ff:fa:d9:
        60:10:7f:a8:a2:79:81:1a:d3:05:3b:e9:99:4f:b0:79:3e:51:
        bd:7a
-----BEGIN CERTIFICATE REQUEST-----
MIIBwzCCASwCAQAwgYIxCzAJBgNVBAYTAkdCMRgwFgYDVQQIEw9HcnRyIE1hbmNo
ZXN0ZXIxEzARBgNVBAcTCk1hbmNoZXN0ZXIxFDASBgNVBAoTC0NvbXBhbnkgTHRk
MREwDwYDVQQLEwhXZWJBZG1pbjEbMBkGA1UEAxMSd3d3Lm15c2VydmVyLmNvLnVr
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD5RTGpxKuwtXX+G05RVAH2A1Re
hbHzok+MLBkTB3i7hHdRzsR1BrjqsvNF+2ndHy27HDT0vnKBU2uf2RLJRV1tPvfQ
buEXEDbS0/YNntqNcfnb/8EV6MdqC5m1YrejaymmJpzF6E8LN/zkTTPOiC9pkO7c
uYRym/X65o3ECCBLFQIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEA6IqFoSGd6/0N
gloeDTyLtbPCChkll/75HCmkHOTSO2O80Oc8i2AjbTHbw7bTo0f/nOqRcQ/ZFl+r
zj7BcIf1KQxGRBB9km3OZXjVQJu9ylJvHSEWfOZi9nRm5oTu4We09EF/jgGeS73U
//rZYBB/qKJ5gRrTBTvpmU+weT5RvXo=
-----END CERTIFICATE REQUEST-----

The next step is to send the CSR to the CA for them to sign. You will receive a signed certificate and possibly one or more "root" certificates. If you get root certificates they must be installed in the keystore:
$ keytool -keystore tomcat.keystore -import -file CAroot.der -alias CAroot
Enter keystore password: changeit
Owner: CN=RootCA, OU=CA, O=bigCA
Issuer: CN=RootCA, OU=CA, O=bigCA
Serial number: 4077f561
Valid from: Sat Apr 10 13:53:49 BST 2004 until: Wed Apr 10 14:23:49 BST 2024
Certificate fingerprints:
         MD5:  29:03:44:8C:EA:4F:85:FF:96:BB:E9:55:01:BC:AC:A1
         SHA1: EC:68:2E:46:8D:5F:63:1F:10:96:CC:EE:86:11:95:A8:4D:B5:DB:5E
Trust this certificate? [no]:  yes
Certificate was added to keystore
$ keytool -keystore tomcat.keystore -import -file CAsub.der -alias CAsub
Enter keystore password: changeit
Certificate was added to keystore

Note: if you are using the Java default keystore the root certificates need to be put in the Java root keystore. The location will vary from one JRE to another, but the file will be called cacerts. Use the full path to the file as the value of the keystore parameter.

Finally the signed certificate must be imported into the keystore:
$ keytool -import -keystore tomcat.keystore -file myserver.co.uk.cert -trustcacerts -alias tomcat
Enter keystore password: changeit
Certificate reply was installed in keystore

POP3 certificate

The certificates used by imapd, ipopd and stunnel are essentially the same as those used for Apache. The only difference is that the key and cert are concatenated into a single file with a .pem extension. If you want a self-signed cert for your server you can follow the steps below to produce a .pem file for the server and a .cer certificate which can easily be imported into mail clients such as Outlook. Alternatively you can use the steps from the Apache instructions to get a real cert (don't pass phrase protect the key) and then concatenate the key and cert as shown below:
# cd /etc/ssl/private/
# openssl req -newkey rsa:1024 -keyout ipop3d.pem -nodes -x509 \
    -days 3650 -out ipop3d.cer

Now you need to answer all of the questions. When finished the key is in the .pem file and the self-signed cert is in the .cer file. Finally we need to add the cert to the .pem file and protect it from viewing by anybody other than root:
# echo "" >> ipop3d.pem
# cat ipop3d.cer >> ipop3d.pem
# chmod 400 ipop3d.pem

Repeat the process for imapd.pem and stunnel.pem files if required.
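The combined .pem is easy to get subtly wrong (key without cert, two certs after a re-run, a cert that belongs to an older key, or a file left world-readable), and a mail daemon tends to fail only at the first TLS handshake. This added example (not from the article) builds the file the way the section above does, in a throw-away directory rather than /etc/ssl/private, and then checks exactly those four points. The service name and subject are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the article): build and check the key+cert .pem used
# by ipop3d / imapd / stunnel. Paths and subject are sample values.
set -eu

# Unencrypted key into NAME.pem and self-signed cert into NAME.cer, then append
# the cert to the .pem and make it readable by its owner only (0400).
# Prints the path of the .pem.
make_mail_pem() {   # $1 = directory, $2 = service name, $3 = FQDN
    pem="$1/$2.pem"; cer="$1/$2.cer"
    ( umask 077
      openssl req -newkey rsa:2048 -keyout "$pem" -nodes -x509 -days 3650 \
          -subj "/O=Example Mail/CN=$3" -out "$cer" 2>/dev/null )
    echo "" >> "$pem"
    cat "$cer" >> "$pem"
    chmod 400 "$pem"
    echo "$pem"
}

# Number of PEM blocks of one type; "PRIVATE KEY" matches both the
# "RSA PRIVATE KEY" and the PKCS#8 "PRIVATE KEY" header.
pem_block_count() {   # $1 = file, $2 = block type
    grep -c -- "-----BEGIN .*$2-----" "$1"
}

# A usable mail-server .pem: exactly one key, exactly one certificate, the two
# belong together (same RSA modulus), and the mode is 0400.
check_mail_pem() {   # $1 = .pem file
    [ "$(pem_block_count "$1" 'PRIVATE KEY')" -eq 1 ] || { echo "expected one private key" >&2; return 1; }
    [ "$(pem_block_count "$1" 'CERTIFICATE')" -eq 1 ] || { echo "expected one certificate" >&2; return 1; }
    cmod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null || true)
    kmod=$(openssl rsa  -in "$1" -noout -modulus 2>/dev/null || true)
    [ -n "$cmod" ] && [ "$cmod" = "$kmod" ] || { echo "key and certificate do not match" >&2; return 1; }
    [ -n "$(find "$1" -perm 0400)" ] || { echo "$1 should be mode 0400" >&2; return 1; }
}

# Demo run.
demo=$(mktemp -d)
f=$(make_mail_pem "$demo" ipop3d pop.example.com)
check_mail_pem "$f" && echo "$f: ok"
```

The same check_mail_pem applies to imapd.pem and stunnel.pem, and to a .pem assembled from a CA-issued certificate and the key its CSR came from.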

Sendmail certificate

Make certificate authority:

# cd /usr/share/ssl
# mkdir demoCA
# cd demoCA
# ln -s . demoCA
# mkdir certs crl newcerts private
# echo "01" > serial
# touch index.txt
# openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650 -config ../openssl.cnf

Make a new certificate:

# openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 3650 -config ../openssl.cnf

The certificate and private key are now both in newreq.pem. Sign the new certificate with the certificate authority:

# openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
# openssl ca -config ../openssl.cnf -days 3650 -policy policy_anything -out newcert.pem -infiles tmp.pem
# rm -f tmp.pem

newcert.pem contains the signed certificate; newreq.pem still contains the unsigned certificate and the private key. The relevant files need moving to the sendmail directory:

# cd /etc/mail
# mkdir certs
Copy cacert.pem, newcert.pem and newreq.pem to /etc/mail, optionally renaming them
# chmod 600 cacert.pem newreq.pem newcert.pem
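The whole CA procedure above as one script, followed by the check that matters once the files are in /etc/mail: that newcert.pem really validates against cacert.pem and names the mail server. This is an added example, not part of the article. It assumes a throw-away working directory, writes its own minimal openssl.cnf (only the sections openssl req and openssl ca consult) instead of using /usr/share/ssl/openssl.cnf, runs openssl ca with -batch so nothing is prompted, and leaves both keys unencrypted with -nodes; subjects and host names are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the article): scripted Sendmail CA, server cert
# signing and chain check. Assumes its own openssl.cnf, -batch and -nodes.
set -eu

write_ca_config() {   # $1 = path of the config file to write
    cat > "$1" <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = ./demoCA
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_md      = sha256
policy          = policy_anything
x509_extensions = usr_cert

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Same demoCA layout as the article: certs crl newcerts private, serial, index.txt.
make_ca() {   # $1 = work dir containing openssl.cnf
    ( cd "$1" &&
      mkdir -p demoCA/certs demoCA/crl demoCA/newcerts demoCA/private &&
      echo "01" > demoCA/serial && : > demoCA/index.txt &&
      openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
          -subj "/O=Example Mail/CN=Example Mail CA" -extensions v3_ca \
          -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem \
          -config openssl.cnf 2>/dev/null &&
      chmod 600 demoCA/private/cakey.pem )
}

# Key + temporary self-signed cert in newreq.pem, turned back into a request
# and signed by the CA; the CA's own copy lands in demoCA/newcerts/01.pem.
issue_server_cert() {   # $1 = work dir, $2 = mail server FQDN
    ( cd "$1" &&
      openssl req -nodes -new -x509 -newkey rsa:2048 -days 3650 \
          -subj "/O=Example Mail/CN=$2" -keyout newreq.pem -out newreq.pem \
          -config openssl.cnf 2>/dev/null &&
      openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem 2>/dev/null &&
      openssl ca -batch -notext -config openssl.cnf -days 3650 \
          -policy policy_anything -out newcert.pem -infiles tmp.pem 2>/dev/null &&
      rm -f tmp.pem && chmod 600 newreq.pem newcert.pem )
}

# The signed certificate must validate against cacert.pem and name the server.
verify_chain() {   # $1 = work dir, $2 = expected CN
    ( cd "$1" &&
      openssl verify -CAfile demoCA/cacert.pem newcert.pem >/dev/null 2>&1 &&
      openssl x509 -in newcert.pem -noout -subject -nameopt sep_multiline 2>/dev/null \
          | grep -q "^ *CN *= *$2\$" )
}

# Demo run; the resulting files are what you would copy to /etc/mail.
work=$(mktemp -d)
write_ca_config "$work/openssl.cnf"
make_ca "$work"
issue_server_cert "$work" mail.example.com
verify_chain "$work" mail.example.com && echo "newcert.pem chains to cacert.pem"
```

The temporary self-signed certificate still inside newreq.pem does not pass the same openssl verify, which is the quickest way to tell the two apart if the files get mixed up during the copy to /etc/mail.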
