12

I want to create a self-signed certificate for the website. The old certificate expired a few days ago. There is more than one NameVirtualHost hosted on the system. The commands I am using to create the certificate are taken from a tutorial website and are:

openssl genrsa -des3 -out server.key 1024                                        # passphrase-protected 1024-bit RSA key
openssl req -new -key server.key -out server.csr                                 # certificate signing request for that key
cp server.key server.key.org                                                     # keep the encrypted copy
openssl rsa -in server.key.org -out server.key                                   # strip the passphrase so Apache can start unattended
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt   # self-sign the CSR for one year

After this, in the ssl.conf file I have specified the following under the VirtualHost section, along with the old settings done by the other admin:

SSLEngine on
SSLCertificateFile <full_path>/server.crt
SSLCertificateKeyFile <full_path>/server.key

On starting the server I am getting the following messages in the log files and the server fails to start.

In the error_log file the messages are:

 [Mon Jun 01 23:52:46 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

In the ssl_error_log file the messages are:

 [Mon Jun 01 23:52:46 2009] [error] Init: Private key not found
 [Mon Jun 01 23:52:46 2009] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
 [Mon Jun 01 23:52:46 2009] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
 [Mon Jun 01 23:52:46 2009] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
 [Mon Jun 01 23:52:46 2009] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib

I would really appreciate it if someone can explain how to solve this. I have tried a few other tutorial websites on self-signed SSL certificates but none of the steps they mention are working.

Saurabh Barjatiya

3 Answers

21

Use this one-liner to generate the certificate and key in one file:

openssl req -new -x509 -days 999 -nodes -out apache.pem -keyout apache.pem

Then the only configuration you'll need is

SSLEngine on
SSLCertificateFile /etc/apache2/apache.pem
hayalci
  • You mean add the above lines, SSLEngine on and SSLCertificateFile /etc/ssh? – Rajat Jul 14 '10 at 17:55
  • This is for Apache configuration, not SSH. – hayalci Jul 27 '10 at 10:39
  • 1
    That command will leave the private key in the clear on the file system, in contrast to the OP's original command. Omitting the `-nodes` option encrypts the key using Triple-DES. (The key's passphrase will of course need to be provided whenever the server is started.) The OpenSSL `req` command doesn't support generating more strongly-encrypted keys, but can use previously generated strongly-encrypted keys. – Calrion Jan 29 '14 at 00:48
4

This may seem a bit trivial, but check the permissions on your .key file.

Jeff Hengesbach
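Whichever way the files are produced (the five-command sequence in the question or the `req -new -x509` one-liner in the first answer), the script below, added here as an example and not code from anyone in this thread, runs the checks that mod_ssl's "Private key not found" and d2i_PrivateKey "bad tag" errors call for before Apache is restarted: that the key file parses as a PEM private key, that the certificate parses, that the key is not world-readable (the point of the answer just above), and that key and certificate actually belong together. It assumes the openssl command-line tool is on PATH; the file names, the scratch directory and the CN are illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates a self-signed
# certificate plus key and then checks the pair the way a sysadmin would
# before pointing Apache at it. Assumes the openssl CLI; paths and the
# CN are illustrative.

# make_selfsigned CERT KEY [CN]: 2048-bit RSA key and a one-year
# self-signed certificate in two files. -nodes leaves the key unencrypted
# so Apache can start unattended (drop it if you would rather type a
# passphrase on every restart); -subj skips the interactive prompts.
make_selfsigned() {
    crt="$1"; key="$2"; cn="${3:-www.example.com}"
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
        -subj "/CN=$cn" -keyout "$key" -out "$crt" 2>/dev/null || return 1
    chmod 600 "$key"    # a private key must never be world-readable
}

# check_pair CERT KEY: print "ok" if Apache will be able to load the pair,
# otherwise a short reason, and return non-zero.
check_pair() {
    crt="$1"; key="$2"

    # 1. Is the key file really a PEM private key? A CSR, a certificate,
    #    a DER blob or an empty file here is what produces the ASN.1
    #    "bad tag" / "wrong tag" errors in the question. (An encrypted
    #    key prompts for its passphrase at this step.)
    if ! openssl pkey -in "$key" -noout 2>/dev/null; then
        echo "key-unparseable"; return 1
    fi

    # 2. Does the certificate parse?
    if ! openssl x509 -in "$crt" -noout 2>/dev/null; then
        echo "cert-unparseable"; return 1
    fi

    # 3. Permissions: column 8 of ls -l is the "other" read bit.
    if [ "$(ls -ld "$key" | cut -c8)" = "r" ]; then
        echo "key-world-readable"; return 1
    fi

    # 4. Do certificate and key belong together? Compare the public key
    #    embedded in the certificate with the one derived from the key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "key-cert-mismatch"; return 1
    fi

    echo "ok"
}

# Usage: "sh check-pair.sh demo" generates a pair in a scratch directory
# and checks it; call check_pair on your own files otherwise.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_selfsigned "$d/server.crt" "$d/server.key" www.example.com
    check_pair "$d/server.crt" "$d/server.key"
    rm -rf "$d"
fi
```

For a combined file like the apache.pem in the first answer, pass the same path as both arguments: `openssl x509` reads the CERTIFICATE block and `openssl pkey` reads the PRIVATE KEY block, ignoring the other. Any result other than `ok` is something to fix before touching the Apache configuration, and step 4 is the one to watch when the box has had several admins: a key that parses fine but was generated for a different certificate also leaves Apache unable to start.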
0

You can use openssl req -newkey rsa:1024 -keyout privkey.pem to save off the SSL key as it's generated, in case the key generation isn't quite right.

davenpcj