Thursday, September 24, 2009

How to generate Certificate Signing Request (CSR) file with Apache OpenSSL

When it comes to use SSL over apache, OpenSSL is there for us to do everything we want. XAMPP andWAMP both comes with OpenSSL compiled version of Apache, so it becomes quite handy to use it. But how to get SSL certificate for your website?For getting SSL certificate you need to ask your hosting company if you are running on shared server and don't have access to apache installation directory and config files. Most of the hosting companies will do this for you with some amount of fee. Fee/cost depends on the kind of certificate you are requesting and for the period of time. For example www.domain.com certificates will be quite cheaper then *.domain.com.

Now if you are running and managing your own webserver and you have to get certificate(s) for your company/client or your own website then first requirement is to generate "Certificate Signing Request" - CSR file, which you need to send to Certificate Authority to sign and give back to you as CRT file. This tutorial is not meant for Apache expert but for those who have not much experience SSL and Apache stuff.

Generation of CSR files with Apache on OpenSSL is quite simple and it is matter of typing few commands and we are done. You need to follow similar commands on OpenSSL prompt whether you are running Apache over Windows or Linux. Here is the routine which we need to follow to get our .CSR file ready.

If you have your Apache setup ready with OpenSSL then goto BIN directory under your Apache's installation directory. If you are on Windows machine then it could be under D:\Program Files\Apache\bin and if it is Linux you know better where to find it. Open Command Prompt and goto Apache's BIN directory and then type "openssl" over there. You will get OpenSSL prompt immediately. You may need not to goto Apache/Bin directory if that path is set in your system variables, you can just type openssl and you will get the prompt like below.
OpenSSL Prompt

Now, first of all we need to generate RSA Private key for our server. This key will be Triple-DES encrypted and PEM formatted. Type in following command to get encrypted private key on OpenSSL prompt.
OpenSSL> genrsa -des3 -out digitss.key 1024
You can keep it my_server.key or something like that. Once you type in above command it will ask for pass-phrase, please keep a note of that pass-phrase at some secure place. Also, take backup of your private key file at some secure place. Here is the screen-shot(s) visualizing above command over windows command-line.

Generate Priavat Key

If you will try to see contents of that file it would look something similar to what I have got here.
Priavate Key contents

To see something which is more readable type in following line and it will ask you pass-phrase which you previously specified.
OpenSSL> rsa -noout -text -in digitss.key
Enter pass phrase for digitss.key:
Private-Key: (1024 bit)
modulus:
00:c6:54:39:f5:c5:ae:5a:ef:f5:53:9c:13:c9:86:
27:c5:19:9f:25:ab:a5:96:5a:2e:f3:c0:5b:b0:c5:
02:a6:e0:53:a8:fa:34:e1:8f:55:b4:ee:57:e3:54:
65:70:6a:f0:0c:4d:b1:ed:9f:31:38:51:3c:e1:99:
fe:82:6c:0d:3d:a5:d3:6e:01:8c:89:cc:f1:97:c0:
95:0e:80:1a:c7:0a:ac:56:15:27:cd:08:32:e0:2c:
39:00:77:2f:d1:83:4f:2e:ff:ea:50:fb:26:6c:fd:
dd:ea:38:3b:ec:c0:f7:d3:c6:c2:23:20:12:40:bf:
1b:94:59:d8:d6:34:8d:7c:dd
publicExponent: 65537 (0x10001)
privateExponent:
23:5b:b8:c9:9c:68:ad:45:c2:93:19:6c:5d:ad:51:
31:ce:83:95:0f:b9:01:c9:2a:3d:c2:b9:96:16:49:
96:be:bf:ab:8c:90:08:f6:a8:ed:0c:e1:16:62:61:
83:5d:4d:56:a4:33:68:8d:cd:14:a1:47:1d:61:7b:
02:7d:89:0e:77:f9:0b:b9:89:02:a5:e1:0a:ba:66:
f2:25:dc:06:7e:74:b2:c7:6a:be:1a:e1:6f:fb:b7:
e2:2d:b5:f2:ca:a8:ec:27:9e:81:25:7e:8a:2d:6c:
94:6f:f5:ca:f3:4e:bc:3d:1e:e9:5d:74:47:59:8c:
f7:29:d8:8e:9c:d2:e0:01
prime1:
00:f4:85:25:2e:6c:02:79:02:58:c9:ec:29:a8:11:
33:9e:db:bf:84:0a:a2:87:f9:2b:82:f5:a0:04:59:
69:bb:f7:d3:6a:d8:ee:6d:74:0e:bb:62:01:8e:bf:
5f:85:d8:3d:de:e9:12:86:c9:20:de:7c:cf:4c:f2:
6a:1b:40:e2:01
prime2:
00:cf:a3:ea:a4:39:10:6c:4e:3c:58:b1:8e:f0:17:
33:ea:1f:9d:0c:be:0a:bd:3b:d5:80:76:70:e3:e4:
54:4f:1a:8f:8a:ab:00:d5:64:e6:8a:e7:24:12:2b:
3e:97:b9:24:96:b5:f4:31:eb:ae:6d:fa:83:b2:32:
92:8b:06:62:dd
exponent1:
00:b4:40:d2:bf:fd:ef:74:b5:3e:2e:dc:61:78:fc:
34:77:9f:16:f7:87:bf:78:ed:3e:1e:34:63:d9:d0:
f0:19:19:00:49:6b:d1:97:ee:4e:4d:e4:59:b1:99:
72:19:80:e7:5b:44:05:dc:46:b8:6c:4b:25:a6:5b:
ad:cc:99:70:01
exponent2:
00:b8:a7:83:41:ec:65:88:8b:c2:ea:f5:6c:b2:63:
33:98:9f:e8:a0:ae:59:0a:94:ad:78:02:dc:be:2e:
3e:34:12:e0:d8:66:de:e4:e7:48:86:fa:ab:7f:64:
e9:d3:30:19:33:d6:38:86:34:9b:f8:be:32:64:44:
c9:41:cd:ba:19
coefficient:
7c:9a:fa:80:72:8a:74:11:7b:f0:32:d0:e4:b3:44:
cd:d4:2c:4e:6b:37:38:68:9a:6e:cd:ae:f0:9f:54:
31:a5:f6:f7:c8:16:f3:1a:4a:5c:d3:6b:60:a1:7d:
f5:a2:6c:b2:ab:12:1d:1c:5c:dd:63:57:d5:c0:be:
a3:d1:37:67
OpenSSL>

Although it is hardly readable but makes more sense then previous screenshot.

Later on we need to specify path of this file in our httpd-ssl.conf when we get CRT file signed by Authority and we are setting up SSL over our webserver. It is required to have unsecured version of this file as with Windows Apache + OpenSSL setup it's not possible to specify "pass-phrase" (which we have given earlier) and it will give some weired error while setting up SSL and apache will refuse to start and generate errors in log for that.
So to get Unsecured version of this file type following command:
OpenSSL> rsa -in digitss.key -out unsecured.digitss.key
Enter pass phrase for digitss.key:
writing RSA key
OpenSSL>

Here, digitss.key is the file which we have previously generated and it is encrypted (3-DES), and -out file is the one which will be generated based on our request in non-encrypted form. During this process it will ask for pass-phrase as usual.

Now let's move to final step which is generation of CSR file using RSA private key. Following command will generate Certificate Signing Request file for us which will be PEM formatted. Key in following command:
OpenSSL> req -new -key digitss.key -out digitss.csr
If you are running over Windows then probably you will get error which I have faced during this. It would be something similar to following:
OpenSSL> req -new -key digitss.key -out digitss.csr
Unable to load config info from /usr/local/ssl/openssl.cnf

In that case we need to specify one more parameter in this command and we are done.
OpenSSL> req -new -key digitss.key -out digitss.csr -config openssl.cnf
Here, in this command we are making request for generation of CSR file with our private key generated previously and here we have specified configuration file as "openssl.cnf" as one more parameter. If this file doesn't exist in apache/bin directory then either move it there or specify full path. After keying in above command it will prompt you with few parameters/questions and that's it we are done.
Here is the list of question you need to answer as in you type above command to generate CSR file. Provided for your reference just as an example.
OpenSSL> req -new -key digitss.key -out digitss.csr -config openssl.cnf
Enter pass phrase for digitss.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Newyork
Locality Name (eg, city) []:Bellrose
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DiGiTSS Inc
Organizational Unit Name (eg, section) []:DiGiTSS
Common Name (eg, YOUR name) []:www.digitss.com
Email Address []:dharmavir@digitss.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:blogs@DiGiTSS
OpenSSL>

We are almost done, now we need to send this generated CSR file to a Certifying Authority (CA) for signing, they will send back us Real Certificate CRT file with the help of which we can setup SSL over our webserver running Apache and OpenSSL. We can either send it to Verisign, Thawte Consulting, CertiSign Certificadora Digital Ltd or GoDaddy.

Please note that I have used all commands on Linux server as well and they will work same as they they work on Windows.

For more advance options or more help you can refer to www.modssl.org's FAQ section.
Have your comments on this post.

source
http://blogs.digitss.com/apache/how-to-generate-certificate-signing-request-csr-file-with-apache-openssl/

No comments:

MS in Computer Science with paid training in USA company