Tuesday, September 28, 2010

enable https in apache

step 1: generate a Private Key
openssl genrsa -des3 -out es.key 1024

step 2: generate a Certificate Signing Request
openssl req -new -key es.key -out es.csr

step 3: send the CSR to a certificate authority, such as McAfee, to obtain the certificate file,
or generate a self-signed certificate yourself
openssl req -new -key es.key -x509 -out es.crt

step 4: update ssl.conf
Store the public key (certificate) and the private key in a folder
[root@aaa ssl2010]# ll
total 44
-rw-r--r-- 1 cdong users 1488 Sep 29 13:39 cnn.com.cer
-rw-r--r-- 1 root root 4203 Sep 29 16:34 es.crt
-rw-r--r-- 1 root root 781 Sep 28 17:26 es.csr
-rw-r--r-- 1 root root 887 Sep 28 17:24 es.key

SSLCertificateFile /usr/local/apache2/conf/ssl2010/cnn.com.cer
SSLCertificateKeyFile /usr/local/apache2/conf/ssl2010/es.key
SSLCertificateChainFile /usr/local/apache2/conf/ssl2010/es.crt

Please note: the SSLCertificateChainFile includes 3 certificates - McAfee, RSA and PEM

Then restart Apache
/usr/local/apache2/bin/apachectl stop
/usr/local/apache2/bin/apachectl start


Verify public key and private key
1, public key
openssl x509 -noout -text -in es.crt -modulus

2, private key
openssl rsa -noout -text -in es.key -modulus

The "modulus" and "publicExponent" portions in the key and the certificate must match exactly.
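
The same check as a script, added here as an example and not part of the original post: it compares the public key inside the certificate with the one derived from the private key, which covers both the modulus and the publicExponent. The function names and the constructed sample files (a.key, b.key, a.crt, made as unencrypted 2048-bit throwaway keys so nothing prompts) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: check that a certificate and an RSA private key belong together.

# Print the public key embedded in certificate $1 (PEM).
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Print the public key derived from RSA private key $1 (PEM).
# A key encrypted with -des3 (as in step 1) asks for its passphrase here.
key_pubkey() {
    openssl rsa -in "$1" -pubout
}

# Return 0 if certificate $1 matches key $2, 1 if it does not,
# and 2 if either file cannot be read or parsed.
cert_matches_key() {
    c=$(cert_pubkey "$1") || return 2
    k=$(key_pubkey "$2") || return 2
    [ -n "$c" ] || return 2
    [ "$c" = "$k" ]
}

# Constructed sample material: two throwaway keys and a self-signed
# certificate for the first one, written into directory $1.
make_samples() {
    openssl genrsa -out "$1/a.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/a.key" -subj "/CN=example.test" \
        -days 1 -out "$1/a.crt" 2>/dev/null
}

# Usage: sh check.sh es.crt es.key
if [ "$#" -eq 2 ]; then
    if cert_matches_key "$1" "$2"; then
        echo "certificate and key match"
    else
        echo "MISMATCH (or a file could not be read)"
    fi
fi
```

Run it against the file named in SSLCertificateFile and the file named in SSLCertificateKeyFile before restarting Apache.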
