Apache and SSL: Generating a CSR and Self-Signed Certificate
For this week’s tutorial, I decided to set up a secure web server using Apache on my Windows system. This time, I will be covering generation of the certificate signing request (CSR) and a temporary self-signed certificate. If you would like to try this yourself, make sure that when you download Apache, OpenSSL is included.
1. Open a command prompt and change the current directory to Apache’s bin folder.
2. Generate your private key with the following command, replacing file1 with a random file:
openssl genrsa -rand file1 1024 > server.key
3. Generate a CSR using your key (you will have to point openssl to the config file for this step to work):
openssl req -new -key server.key -config ..\conf\openssl.cnf > mike.gemsec.com.csr
4. You will be asked to provide some information that will be included in the request. Below, you will see how I responded (NOTE: The Common Name should be the name used to navigate to your website):
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Virginia
Locality Name (eg, city) []:Chantilly
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Gemini Security Solutions, Inc.
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:mike.gemsec.com
Email Address []:.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:gemini
An optional company name []:.
5. You can now use the contents of the CSR file to make a request to a certification authority for your server certificate. If you do not receive your certificate right away, you can create a temporary self-signed one with the command:
openssl req -x509 -key server.key -in mike.gemsec.com.csr > server.crt
6. Find the following line in httpd.conf in the conf folder and remove the “#” at the beginning of the line:
#LoadModule ssl_module modules/mod_ssl.so
7. Remove the “#” from this line as well:
#Include conf/extra/httpd-ssl.conf
8. Move server.key and server.crt to the conf folder.
9. Start/restart the Apache web server.
You should now be able to navigate to the secure version of your site. The web browser will warn you that the certificate is self-signed. That will go away once you get the CA-signed certificate.
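Steps 2 through 5 can also be scripted without prompts and then checked: the key, the CSR and the certificate must all carry the same RSA modulus, otherwise the certificate cannot be used with that key. The script below is an added example for a POSIX shell, not part of the original tutorial; the function names, the 30-day lifetime and the inline config file are assumptions of the example, and it uses a 2048-bit key (the minimum publicly trusted CAs now accept) rather than the 1024 bits shown in step 2.

```shell
#!/bin/sh
# Added example: non-interactive version of steps 2-5 plus a consistency check.
# Assumptions: openssl is on PATH; the 2048-bit size, 30-day lifetime and the
# function names are this example's choices, not the tutorial's.

# Write a minimal req config so no prompts appear (values from step 4).
write_config() {  # $1 = dir, $2 = common name
  cat > "$1/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C = US
ST = Virginia
L = Chantilly
O = Gemini Security Solutions, Inc.
CN = $2
EOF
}

# Steps 2, 3 and 5: private key, CSR, temporary self-signed certificate.
build_tls_material() {  # $1 = dir, $2 = common name, $3 = key bits
  write_config "$1" "$2" &&
  openssl genrsa -out "$1/server.key" "$3" 2>/dev/null &&
  chmod 600 "$1/server.key" &&
  openssl req -new -key "$1/server.key" -config "$1/openssl.cnf" -out "$1/server.csr" &&
  openssl req -x509 -key "$1/server.key" -in "$1/server.csr" \
    -config "$1/openssl.cnf" -days 30 -out "$1/server.crt" 2>/dev/null
}

# Print the RSA modulus (hex) of a key (rsa), CSR (req) or certificate (x509).
modulus_of() {  # $1 = rsa|req|x509, $2 = file
  openssl "$1" -in "$2" -noout -modulus 2>/dev/null | sed 's/^Modulus=//'
}

# Succeed only if key, CSR and certificate share one modulus of >= $2 bits.
check_tls_material() {  # $1 = dir, $2 = minimum key bits
  OPENSSL_CONF="$1/openssl.cnf"; export OPENSSL_CONF  # same role as -config
  k=$(modulus_of rsa "$1/server.key")
  r=$(modulus_of req "$1/server.csr")
  c=$(modulus_of x509 "$1/server.crt")
  [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ] && [ $(( ${#k} * 4 )) -ge "$2" ]
}

demo_dir=$(mktemp -d)
build_tls_material "$demo_dir" mike.gemsec.com 2048 &&
  check_tls_material "$demo_dir" 2048 && echo "key, CSR and certificate match"
```

Running the check again after the CA-signed certificate replaces server.crt confirms that the CA issued it for the key that is actually installed.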
That’s all for now. Next time, I will address protecting your key with a password and some other SSL concerns.
Each Tuesday, Security Musings features a topic to help educate our readers about security. For more information about Gemini Security Solutions’ security education capabilities, contact us!

October 14th, 2009 at 5:36 pm
So if I want to bookmark this blog, do I have to set up a Stumble account first?