If the above command ran without complications, your current directory now contains a file “ca.key” holding the private key of the certificate authority (CA) and a file “ca.cer” holding its self-signed certificate.
Generate the private SSL key for the server with the following command:
openssl genrsa -out server.key 2048
To generate a Certificate Signing Request in PKCS#10 format, use the following command; as the Common Name you can specify the server's hostname, for example “localhost”.
The file server.key contains the server's private key and the file server.cer is the certificate itself. The Certificate Signing Request file server.req is no longer needed, so it can be removed:
rm server.req
Generate the private key for the SSL client with the following command:
openssl genrsa -out client.key 2048
Generate a Certificate Signing Request for the client. As an example Common Name I have used the string “Linux Networking Solutions”.
With your self-signed Certificate Authority, issue a client certificate with serial number 101 using the following command (typed on one line, not wrapped as shown below):
Save client's private key and certificate in a PKCS#12 format. This certificate will be secured by a password and this password will be used in the following sections to import the certificate into the web browser's certificate manager:
The file “client.p12” now contains the client's private key and the client's certificate, so the files “client.key”, “client.cer” and “client.req” are no longer needed and can be deleted with the following command:
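The whole issuing sequence above (CA, server certificate, client certificate with serial 101, PKCS#12 export) can be rehearsed in a scratch directory before touching real keys. The script below is an added example, not the article's own commands; the -subj values, the 365-day validity, the P12 password “changeit” and the mktemp work directory are assumptions, and the final verify step confirms that both certificates actually chain to the CA.

```shell
#!/bin/sh
# Added example: throwaway CA, server cert and client cert (serial 101),
# PKCS#12 export, then chain verification. Not the article's own commands.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir so nothing overwrites real keys

make_ca() {
  # Self-signed CA: private key plus a certificate that signs itself.
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORK/ca.key" -out "$WORK/ca.cer" \
    -days 365 -subj "/CN=Example Test CA" 2>/dev/null
}

# issue NAME CN SERIAL: key -> CSR -> certificate signed by the CA.
issue() {
  name=$1; cn=$2; serial=$3
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -out "$WORK/$name.req" \
    -subj "/CN=$cn" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.req" -CA "$WORK/ca.cer" \
    -CAkey "$WORK/ca.key" -set_serial "$serial" -days 365 \
    -out "$WORK/$name.cer" 2>/dev/null
  rm -f "$WORK/$name.req"   # the CSR is not needed once the cert exists
}

export_p12() {
  # Bundle client key + cert for browser import; the password is assumed.
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.cer" \
    -out "$WORK/client.p12" -passout pass:changeit 2>/dev/null
}

# Returns 0 only if both certs chain to the CA and the P12 opens.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.cer" "$WORK/server.cer" >/dev/null 2>&1 &&
  openssl verify -CAfile "$WORK/ca.cer" "$WORK/client.cer" >/dev/null 2>&1 &&
  openssl pkcs12 -in "$WORK/client.p12" -passin pass:changeit -noout 2>/dev/null
}

# Prints the client certificate serial in hex (101 decimal -> 65 hex).
client_serial() {
  openssl x509 -in "$WORK/client.cer" -noout -serial | cut -d= -f2
}

make_ca
issue server localhost 100
issue client "Linux Networking Solutions" 101
export_p12
verify_chain && echo "chain OK, client serial 0x$(client_serial)"
```

If verify_chain fails, the browser will also reject the client certificate, so fix the chain before importing client.p12.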
If you are not using port 80, put a “#” in front of the “Listen 80” line. If you don't, your pages will open on port 80 without the P12 certificate being required. You can keep port 80 for your default website and use the secure connection for another site or for a folder of the same site (more about that later; for now, comment out Listen 80).
Create the file /etc/httpd/conf.d/ssl2.conf; it should look like the one below:
------------------- start of example------------------------
------------------- end of example------------------------
Back up the ssl.conf file and overwrite it with the following (remove the first two lines if you have already included them in the /etc/httpd/conf/httpd.conf file):
------------------- start of example------------------------
------------------- end of example------------------------
Copy the “client.p12” and “server.cer” files to the client PC and install them in your browser. In Firefox go to “Edit” → “Preferences” → “Advanced” → “Encryption” → “View Certificates” and install them under “Your Certificates” and “Servers” respectively.
Restart httpd and set it to start automatically when the server boots:
service httpd start
chkconfig httpd on
How to make only a part of your website secure with a P12 cert.
Create a directory called “secure” in the /var/www/ folder and add a “directory location” to your /etc/httpd/conf/httpd.conf file after the “Alias /icons” section, as follows:
------------------- start of example------------------------
Alias /icons/ "/var/www/icons/"
<Directory "/var/www/icons">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory "/var/www/secure">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
------------------- end of example------------------------
Edit the ssl2.conf file and change the directory path to reflect the directory created above, as in the following example:
------------------- start of example------------------------
DocumentRoot /var/www/secure/
------------------- end of example------------------------