
Create passkeys and certificates for secure Web servers in Linux

Learn how to create a self-signed security certificate on a Linux server in order to get SSL running.

If you’ve installed a secure Web server in Linux, you’re probably staring at your Web browser as it asks you to accept a certificate from this machine. You don't remember generating a certificate, so you take a look at the details:
  • The certificate belongs to localhost.localdomain.
  • The contact e-mail address is root@localhost.localdomain.
  • The organization is SomeOrganization.
  • The organization unit is SomeOrganizationUnit.
  • The address is SomeCity, SomeState.

This information is neither useful nor good business practice. If you’re running secure Web servers under a corporate (or even small business) heading, you’ll certainly want your certificates to be both specific and secure.

Of course, standard business practice involves using a CA (Certificate Authority)-signed certificate. These certificates are obtained by:
  • Creating an encryption key pair (private and public).
  • Creating a certificate request based on your public key.
  • Sending the certificate request, along with documentation proving your identity (and your company’s).
  • Installing the certificate (sent to you by the CA once it has verified you are who you say you are) into the proper directory.
  • Restarting your Apache Web server.

Note
Different companies require different information in order to verify your identity. For example, VeriSign requires your Dun & Bradstreet number, and Thawte requires proof of organizational name and right to a domain name.

Of course, you can generate your own keys and certificates within Linux. You won't have all the frills that VeriSign offers, but you’ll have a secure server certificate to offer to customers. So, in this Daily Feature, we’ll walk through the process of creating a key and a certificate. If you’re interested in getting the benefits of a commercial company (like VeriSign) to handle your certificate, you can still get the CA-approved certificate and simply replace the one you've generated.

Note
The prices range from $349.00 to $1,495 per year for a 128-byte encrypted certificate.

Generating a key
For this Daily Feature, we’ll use Red Hat 7.0—it’s the only Linux platform officially supported by VeriSign.

Before you create a certificate (or even send off for one), you have to generate an encryption key. This process is very simple. As root, cd to the /etc/httpd/conf directory and remove the test key and certificate (generated at installation) by using the commands:
rm ssl.key/server.key
rm ssl.crt/server.crt

With these files removed, you can now generate your key. In the same directory, run the command:
make genkey

which will eventually ask you to enter a passphrase. You’ll use this passphrase every time you restart your secure server, so it’s critical that you remember what you've typed (and type carefully).

Generating a certificate request
If you’ve decided to get your certificate from a CA, you’ll want to generate a certificate request. To do so, run the following command (as root and in the same directory you've been working in):
make certreq

You’ll be asked to supply the passphrase you created along with your key. Once you enter your passphrase, you’ll be required to enter some specific information, including:
  • Country name
  • State or province
  • City
  • Organization
  • Organization unit
  • Common name (either your full name or your server’s name)
  • E-mail address
  • Password
  • Company name (optional)

Be sure you provide correct information. Some of the above information is critical. For example, for the common name you’ll want to enter the valid DNS name of your server (no aliases).

Once you've generated the request, you must send it to the CA of your choice. You’ll eventually receive your signed certificate, which you should name server.crt and place in /etc/httpd/conf/ssl.crt/.

Generating a self-signed certificate
A much quicker and cheaper way of getting a certificate is to generate it yourself. To do this, follow the steps outlined in the section “Generating a key.” Once you've generated your key, you must run (as root and in the /etc/httpd/conf directory):
make testcert

You’ll be asked to enter the passphrase you created when you generated your key. Once you enter the proper passphrase, you’ll be asked to enter the same information as listed in the previous section (“Generating a certificate request”).

This new certificate will be automatically generated and placed in /etc/httpd/conf/ssl.crt for you.
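To see what the three make targets (genkey, certreq, testcert) actually drive openssl to do, here is an added example that is not the article's or Red Hat's own code: it performs the same three steps with openssl directly. The work directory, passphrase, subject fields and host name are constructed for the demonstration, and the function names are mine.

```shell
#!/bin/sh
# Added example: the steps behind "make genkey", "make certreq" and
# "make testcert", run with openssl by hand. All names below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASSFILE="$WORK/passphrase"      # stands in for the passphrase you would type
printf 'demo-passphrase\n' > "$PASSFILE"
chmod 600 "$PASSFILE"
# Constructed subject; CN must be the DNS name clients will use, not an alias.
SUBJ="/C=US/ST=SomeState/L=SomeCity/O=Example Corp/OU=Web/CN=www.example.test/emailAddress=admin@example.test"

# Step 1 (make genkey): a 2048-bit RSA private key, encrypted with the passphrase.
gen_key() {
    openssl genrsa -aes256 -passout "file:$PASSFILE" -out "$WORK/server.key" 2048 2>/dev/null
    chmod 600 "$WORK/server.key"
}

# Step 2 (make certreq): a certificate signing request built from that key.
# This is the file you would send to the CA.
gen_csr() {
    openssl req -new -key "$WORK/server.key" -passin "file:$PASSFILE" \
        -subj "$SUBJ" -out "$WORK/server.csr"
}

# Step 3 (make testcert): a self-signed certificate, valid for one year.
gen_selfsigned() {
    openssl req -x509 -new -key "$WORK/server.key" -passin "file:$PASSFILE" \
        -subj "$SUBJ" -days 365 -out "$WORK/server.crt"
}

# Print the Common Name, the field a browser compares with the host name.
cert_cn() {
    openssl x509 -in "$WORK/server.crt" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Sanity check before restarting Apache: the key and the certificate must
# share the same RSA modulus, otherwise the server will fail to start.
key_matches_cert() {
    k=$(openssl rsa -in "$WORK/server.key" -passin "file:$PASSFILE" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$WORK/server.crt" -noout -modulus)
    [ "$k" = "$c" ]
}

# Run all three steps when invoked as: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    gen_key; gen_csr; gen_selfsigned
    echo "CN: $(cert_cn)"
    key_matches_cert && echo "key matches certificate"
    echo "files in $WORK"
fi
```

On the Red Hat layout described above, server.key would go to ssl.key/ and server.crt to ssl.crt/; the encrypted key is why the passphrase is asked for on every restart.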

Restarting Apache
Now that you've either received your certificate or generated your own, you should restart the Apache Web server in order for it to take effect. To do so, run (as root) the command:
/etc/rc.d/init.d/httpd restart

You’ll be prompted for your passphrase once again.

Testing your secure server
Now that you have your certificate in place, point your browser to https://servername (where servername is the name of the server), and you’ll be asked to accept or decline your new certificate. In the case of a VeriSign certificate, you won’t receive this message, since browsers already trust the VeriSign CA that signed it and accept such certificates automatically.
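As an added example, not part of the original article, here is the decision the browser is making behind that prompt, expressed with openssl: a self-signed certificate fails verification until it is explicitly added as a trust anchor (which is what clicking "accept" does), and separately the name in the certificate must match the host name you typed. It assumes OpenSSL 1.1.1 or later (for -addext); the host name, paths and function names are constructed.

```shell
#!/bin/sh
# Added example: the two checks a client performs on a server certificate.
# Constructed names and paths; not the article's code.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="www.example.test"

# A self-signed server certificate made in one step for the demo. The key is
# left unencrypted (-nodes) only so the example needs no passphrase.
make_selfsigned() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/self.key" \
        -subj "/CN=$HOST/O=Example Corp" -addext "subjectAltName=DNS:$HOST" \
        -days 365 -out "$WORK/self.crt" 2>/dev/null
}

# Check 1, against the system trust store only: no chain to a trusted CA can
# be built, which is exactly the situation that produces the browser warning.
verify_untrusted() {
    if openssl verify "$WORK/self.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Check 1 again, after pinning the certificate itself as a trust anchor.
# Accepting the certificate in the browser has the same effect.
verify_pinned() {
    if openssl verify -CAfile "$WORK/self.crt" "$WORK/self.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Check 2: does the name in the certificate match the host we connected to?
# Returns success only for a match.
name_matches() {
    openssl x509 -in "$WORK/self.crt" -noout -checkhost "$1" | grep -q "does match"
}

if [ "${1:-}" = "run" ]; then
    make_selfsigned
    echo "system store:  $(verify_untrusted)"
    echo "pinned anchor: $(verify_pinned)"
    name_matches "$HOST" && echo "name $HOST matches"
    name_matches "other.example.test" || echo "name other.example.test does not match"
fi
```

A CA-signed certificate passes the first check because the CA's root is already in the browser's store; a self-signed one only passes once the user pins it, and either kind still fails the second check if the Common Name or subjectAltName is an alias rather than the real server name.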

Conclusion
In a world where e-commerce and secure Web transactions can make or break a company, it is smart to do things the right way. Whether you're dealing with a certificate authority or generating your own, setting up a secure Web server in Linux is a simple and painless process.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.
