Ubuntu SSL 2048-bit Key

by Mike on March 21, 2010

in Ubuntu Servers

Creating an SSL Certificate

When SSL is used with Apache via the mod_ssl module, an RSA key pair is created with two components: a private key, which is kept secure on the server, and a public key, which is placed in the certificate and is used by clients when they connect to the server. Clients can then communicate securely using the encryption that results from this exchange. New standards require a 2048-bit key instead of the older 1024-bit key.

An official SSL Certificate is required in order to satisfy browsers and customers on a web site.

A Certificate Signing Request (CSR) must be created. It contains the public key of the web site, which will be embedded in the certificate, together with the information that identifies the owner of the web site; this is what you see when you view a certificate:

Country – State – Company – Organizational Unit – Domain – Email of Administrator

The CSR must be sent to a Certifying Authority (CA), which signs the request and returns a real certificate, carrying the CA's signature, that can be placed on the server. In this process the CA verifies that the company is who it claims to be on the certificate.

Process of Setting Up Certificate

OpenSSL should be installed on the server, as it will be used to create the keys. Create an RSA private key for the server:

sudo openssl genrsa -des3 -out server.key 2048

You must now use a 2048-bit key, as the requirements are stricter and will be fully in force by 2011. Here is an example of the requirement from GoDaddy.com; they are not the standard, but they are certainly very popular.

Enter pass phrase for server.key:

Verifying – Enter pass phrase for server.key:

It is important to create a backup of both the key and the pass phrase, or you may have to do the whole process over again. To inspect the key you just created:

sudo openssl rsa -noout -text -in server.key

Enter pass phrase for server.key:

--- cut ---

Create a Certificate Signing Request using the server's RSA private key:

sudo openssl req -new -key server.key -out server.csr

Enter pass phrase for server.key:

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:US

State or Province Name (full name) [Berkshire]:Montana

Locality Name (eg, city) [Newbury]:Trout Creek

Organization Name (eg, company) [My Company Ltd]:My Company

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server’s hostname) []:example.com

Email Address []:mike@example.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:Mu75Rdes43

An optional company name []:

To create a temporary self-signed certificate, valid for 365 days, that can be used until the CA returns the signed one:

sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Send the request to a Certifying Authority.

Once the certificate has been signed by the CA and returned to you, its details may be viewed with this command:

sudo openssl x509 -noout -text -in server.crt

At this point you should have 5 files in total for SSL:

example.com.crt

gd_bundle.crt

server.crt (the temporary self-signed certificate; it is replaced by the domain-name .crt file returned by the CA, example.com.crt here)

server.csr

server.key

You will use three of those files, so copy them to the locations referenced by these Apache directives:

SSLCertificateFile /etc/ssl/certs/example.com.crt

SSLCertificateKeyFile /etc/ssl/private/server.key

SSLCACertificateFile /etc/apache2/ssl.crt/gd_bundle.crt

Now edit the virtual host for your domain name in /etc/apache2/sites-enabled. Make sure SSLEngine is set to on.

<IfModule mod_ssl.c>
<VirtualHost 192.168.3.45:443>
    ServerAdmin webmaster@example.com
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com/
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/ssl_access.log combined
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile /etc/apache2/ssl.crt/gd_bundle.crt
</VirtualHost>
</IfModule>

Now restart Apache and be ready to enter the SSL pass phrase you created. This pass phrase will be required every time the server restarts.
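As an added example (not from the original post), the script below runs the key, CSR and temporary self-signed certificate steps above non-interactively with -subj, then performs the checks worth doing before the CSR is sent to the CA or the files are copied into Apache's directories: the key really is 2048 bits, the CSR's and certificate's public keys belong to server.key, and the CSR signature verifies. It assumes openssl is on the PATH; the subject values are constructed placeholders, and the key is written without -des3 so no pass phrase prompt interrupts the script (the post's -des3 form prompts).

```shell
#!/bin/sh
# Added example: generate the 2048-bit key, CSR and temporary self-signed
# certificate from the post, then check them before sending the CSR to the CA.
# Assumptions (constructed): openssl on PATH, placeholder subject values, and
# the key written without -des3 so the script runs without a pass phrase prompt.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBJ="/C=US/ST=Montana/L=Trout Creek/O=My Company/CN=example.com/emailAddress=mike@example.com"

make_key_csr_cert() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -subj "$SUBJ" -out "$WORK/server.csr"
    # Temporary self-signed certificate, as in the post, until the CA's arrives.
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -signkey "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# Key size in bits, parsed from the "Private-Key: (2048 bit ...)" header line.
key_bits() {
    openssl rsa -noout -text -in "$WORK/server.key" \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Digest of the RSA modulus so key, CSR and certificate can be compared.
modulus_of() {  # $1 = rsa|req|x509, $2 = file
    openssl "$1" -noout -modulus -in "$2" | openssl md5
}

# The CSR's public key must belong to server.key, or the CA signs the wrong key.
csr_matches_key() {
    [ "$(modulus_of req "$WORK/server.csr")" = "$(modulus_of rsa "$WORK/server.key")" ]
}

# Same check for the certificate Apache will load next to the key.
cert_matches_key() {
    [ "$(modulus_of x509 "$WORK/server.crt")" = "$(modulus_of rsa "$WORK/server.key")" ]
}

# The CSR's self-signature must verify (exit status 0) before it is submitted.
csr_signature_ok() {
    openssl req -noout -verify -in "$WORK/server.csr" >/dev/null 2>&1
}

make_key_csr_cert
echo "key size: $(key_bits) bits"
if csr_matches_key && cert_matches_key && csr_signature_ok; then
    echo "CSR and certificate match server.key; CSR signature OK"
else
    echo "MISMATCH: do not send this CSR or install this certificate" >&2
    exit 1
fi
```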
