Every now and then I need a new SSL certificate for a server, and of course therefore need to produce the relevant certificate signing request (CSR) for processing. So this little note sums up the Ubuntu Server (12.04 LTS) process in a nutshell, i.e. so that I don’t keep having to head out to Google to look it up! (Most of this is taken pretty much directly from the Ubuntu Server Guide just by the way)
Whether you are getting a certificate from a CA or generating your own self-signed certificate, the first step is to generate a key. You have two options when it comes to keys in terms of either running them with a passphrase or without. With a passphrase is obviously more secure because it becomes harder to compromise the key, but without is a heck of a lot more convenient because you don’t need to enter a passphrase every time you start up a secure service – in other words exactly what your Apache, Postfix, Dovecot service daemons require!
To generate the keys for the Certificate Signing Request (CSR) run the following command:
openssl genrsa -des3 -out my.server.co.za.key 2048
During this process you will be asked to enter a passphrase containing at least 8 characters. Also, you’ll notice that I like to name my SSL-related files using the domain that I am securing, so in this example the end result would a SSL certificate issued for my.server.co.za. (Of course, this is completely personal preference when it comes to a file naming scheme).
Now that we have a secure key, the idea is to generate an insecure version of it, essentially a key without a passphrase. To do this, run:
openssl rsa -in my.server.co.za.key -out my.server.co.za.key.insecure
mv my.server.co.za.key my.server.co.za.key.secure
mv my.server.co.za.key.insecure my.server.co.za.key
As you can see, we shuffled the file names so that the insecure CSR is now the .key file, whilst we’ve save the secure version for safekeeping as .key.secure.
Finally, to generate the actual Certficiate Signing Request (CSR), we run the following command:
openssl req -new -key my.server.co.za.key -out my.server.co.za.csr
You’ll be asked to fill in a whole lot of information (after being challenged to provide the passphrase that you entered when creating the original key), and once the .csr file has been generated, you can now safely submit it either to a CA for processing, or for use to create your own self-signed certificate from it.
Useful hint, one of the questions asked during CSR generation will be “Common Name”. The input here MUST be the fully-qualified domain name (FQDN) for the website you will be using the certificate for (e.g., “www.myserver.co.za”). Do not include the “http://” or “https://” prefixes in your common name. Do NOT enter your personal name in this field. If you are requesting a wildcard certificate, add an asterisk (*) on the left side of the common name (e.g., “*.domainnamegoeshere.com”). This will secure all subdomains of the common name. Finally, if you enter www.myserver.co.za as the common name, then the certificate will secure both “www.myserver.co.za” and “myserver.co.za”.
Useful to know.
Related Link: Ubuntu Certificates and Security