You must be root to generate a key.
First, cd to the /etc/httpd/conf directory. Remove the fake key and certificate that were generated during the installation with the following commands:
rm ssl.key/server.key
rm ssl.crt/server.crt
Next, you need to create your own random key. Change to the /usr/share/ssl/certs directory, and type in the following command:
make genkey
Your system will display a message similar to the following:
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > /etc/httpd/conf/ssl.key/server.key
Generating RSA private key, 1024 bit long modulus
.......++++++
................................................................++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
You now need to type in a passphrase. For best security, it should contain at least eight characters, include numbers and/or punctuation, and not be a word in a dictionary. Also, remember that your passphrase is case sensitive.
Note
You will need to remember and enter this passphrase every time you start your secure server, so do not forget it.
Re-type the passphrase to verify that it is correct. Once you have typed it in correctly, /etc/httpd/conf/ssl.key/server.key, containing your key, is created.
Note that if you do not want to type in a passphrase every time you start your secure server, you will need to use the following two commands instead of make genkey to create the key.
Use the following command to create your key:
/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key
Then use the following command to make sure the permissions are set correctly for the file:
chmod go-rwx /etc/httpd/conf/ssl.key/server.key
After you use the above commands to create your key, you will not need to use a passphrase to start your secure server.
Caution Caution
Disabling the passphrase feature for your secure server is a security risk. It is NOT recommend that you disable the passphrase feature for secure server.
The problems associated with not using a passphrase are directly related to the security maintained on the host machine. For example, if an unscrupulous individual compromises the regular UNIX security on the host machine, that person could obtain your private key (the contents of your server.key file). The key could be used to serve Web pages that appear to be from your secure server.
If UNIX security practices are rigorously maintained on the host computer (all operating system patches and updates are installed as soon as they are available, no unnecessary or risky services are operating, and so on), secure server's passphrase may seem unnecessary. However, since your secure server should not need to be re-booted very often, the extra security provided by entering a passphrase is a worthwhile effort in most cases.
The server.key file should be owned by the root user on your system and should not be accessible to any other user. Make a backup copy of this file. and keep the backup copy in a safe, secure place. You need the backup copy because if you ever lose the server.key file after using it to create your certificate request, your certificate will no longer work and the CA will not be able to help you. Your only option would be to request (and pay for) a new certificate.
If you are going to purchase a certificate from a CA, continue to Section 20.7 Generating a Certificate Request to Send to a CA. If you are generating your own self-signed certificate, continue to Section 20.8 Creating a Self-Signed Certificate.
No comments:
Post a Comment