{"id":1143,"date":"2009-09-16T21:09:46","date_gmt":"2009-09-17T02:09:46","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=1143"},"modified":"2011-05-16T19:53:58","modified_gmt":"2011-05-17T00:53:58","slug":"apache-2-ssl","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=1143","title":{"rendered":"Apache 2 SSL"},"content":{"rendered":"<span id=\"Prepare_Server_Key\"><h2>Prepare Server Key<\/h2><\/span>\n<p>* See<a href=\"?p=742\"> this post <\/a>for details on how to setup a Certificate Authority (CA) using OpenSSL.<br \/>\n* Sample session<br \/>\n&#8211; commands<\/p>\n<pre lang=\"txt\">\r\n# Generate a new server key and cert signing request (CSR) in PEM format\r\nopenssl req -newkey rsa:1024 -keyout apachekey.pem -keyform PEM -out apachecsr.pem -outform PEM\r\n\r\n# View CSR content\r\nopenssl req -in apachecsr.pem -text -noout\r\n\r\n# Sign CSR\r\nopenssl ca -in apachecsr.pem\r\n\r\n# Remove passphrase\r\nopenssl rsa -in apachekey.pem -out apachekey_nopass.pem\r\n<\/pre>\n<p>&#8211; outputs<\/p>\n<pre lang=\"txt\">\r\nC:\\OpenSSL\\exampleca>openssl req -newkey rsa:1024 -keyout apachekey.pem -keyform PEM -out apachecsr.pem -outform P\r\nEM\r\nLoading 'screen' into random state - done\r\nGenerating a 1024 bit RSA private key\r\n.............................++++++\r\n....++++++\r\nwriting new private key to 'apachekey.pem'\r\nEnter PEM pass phrase:\r\nVerifying - Enter PEM pass phrase:\r\n-----\r\nYou are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nExample CA []:sp.example.org\r\nVirginia []:Virginia\r\nUS []:US\r\nca@exampleca.com []:\r\nRoot Certification Authority []:example.orgproblems making Certificate 
Request\r\n^C\r\nC:\\OpenSSL\\exampleca>openssl req -newkey rsa:1024 -keyout apachekey.pem -keyform PEM -out apachecsr.pem -outform P\r\nEM\r\nLoading 'screen' into random state - done\r\nGenerating a 1024 bit RSA private key\r\n.................................................................................++++++\r\n........++++++\r\nwriting new private key to 'apachekey.pem'\r\nEnter PEM pass phrase:\r\nVerifying - Enter PEM pass phrase:\r\n-----\r\nYou are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nExample CA []:sp.example.org\r\nVirginia []:Virginia\r\nUS []:US\r\nca@exampleca.com []:ca@example.org\r\nRoot Certification Authority []:example.org\r\n\r\nC:\\OpenSSL\\exampleca>openssl req -in apachecsr.pem -text -noout\r\nCertificate Request:\r\n    Data:\r\n        Version: 0 (0x0)\r\n        Subject: CN=sp.example.org, ST=Virginia, C=US\/emailAddress=ca@example.org, O=example.org\r\n        Subject Public Key Info:\r\n            Public Key Algorithm: rsaEncryption\r\n                Public-Key: (1024 bit)\r\n                Modulus:\r\n                    00:c6:ce:2d:13:c8:f7:31:05:14:ad:34:ec:24:4c:\r\n                    c7:19:9f:07:00:d1:a0:35:b9:89:a5:7e:83:67:2f:\r\n                    dc:25:ac:67:ee:4c:5e:85:16:42:55:9a:cc:84:ef:\r\n                    55:8e:3b:10:a4:46:64:8d:5d:e7:ff:27:c9:52:fa:\r\n                    2e:fc:42:3e:b1:f8:26:5e:59:34:5a:bb:8d:2a:47:\r\n                    7b:c0:6b:ec:02:8b:7e:82:aa:a8:03:d0:ac:15:56:\r\n                    4c:6c:89:d0:b0:d9:b0:6e:39:94:ac:7c:ab:35:73:\r\n                    3c:81:60:55:2c:49:4e:43:a6:33:af:83:8e:a1:0f:\r\n                    a5:47:47:3b:31:08:14:12:b5\r\n                Exponent: 65537 
(0x10001)\r\n        Attributes:\r\n            a0:00\r\n    Signature Algorithm: md5WithRSAEncryption\r\n        77:bb:2f:b2:be:01:dd:cc:5b:c9:78:fb:f1:12:69:69:40:99:\r\n        3d:91:91:a0:f2:23:35:3e:67:c0:1c:5e:c1:63:25:f0:25:85:\r\n        8d:9c:47:39:d7:80:56:14:b8:9d:79:73:46:26:19:44:49:a2:\r\n        4c:c9:50:75:95:4b:dc:bc:8a:2c:66:f0:3f:a4:22:26:32:11:\r\n        63:2d:ec:9a:f4:97:fb:c2:c6:43:97:10:07:ed:1e:39:d0:22:\r\n        45:33:c3:1a:9b:b1:6c:d9:26:46:6d:f6:55:b1:b1:6a:54:27:\r\n        01:73:b4:d8:c2:e0:43:90:6e:ea:80:34:48:0e:85:4d:a2:ca:\r\n        ee:97\r\n\r\nC:\\OpenSSL\\exampleca>openssl ca -in apachecsr.pem\r\nUsing configuration from C:\\OpenSSL\\exampleca\\openssl.conf\r\nLoading 'screen' into random state - done\r\nEnter pass phrase for C:\/OpenSSL\/exampleca\/private\/cakey.pem:\r\nCheck that the request matches the signature\r\nSignature ok\r\nThe Subject's Distinguished Name is as follows\r\ncommonName            :PRINTABLE:'sp.example.org'\r\nstateOrProvinceName   :PRINTABLE:'Virginia'\r\ncountryName           :PRINTABLE:'US'\r\nemailAddress          :IA5STRING:'ca@example.org'\r\norganizationName      :PRINTABLE:'example.org'\r\nCertificate is to be certified until May 15 15:04:00 2012 GMT (365 days)\r\nSign the certificate? [y\/n]:y\r\n\r\n\r\n1 out of 1 certificate requests certified, commit? 
[y\/n]y\r\nWrite out database with 1 new entries\r\nCertificate:\r\n    Data:\r\n        Version: 3 (0x2)\r\n        Serial Number: 2 (0x2)\r\n        Signature Algorithm: md5WithRSAEncryption\r\n        Issuer: CN=Example CA, ST=Virginia, C=US\/emailAddress=ca@exampleca.com, O=Root Certification Authority\r\n        Validity\r\n            Not Before: May 16 15:04:00 2011 GMT\r\n            Not After : May 15 15:04:00 2012 GMT\r\n        Subject: CN=sp.example.org, ST=Virginia, C=US\/emailAddress=ca@example.org, O=example.org\r\n        Subject Public Key Info:\r\n            Public Key Algorithm: rsaEncryption\r\n                Public-Key: (1024 bit)\r\n                Modulus:\r\n                    00:c6:ce:2d:13:c8:f7:31:05:14:ad:34:ec:24:4c:\r\n                    c7:19:9f:07:00:d1:a0:35:b9:89:a5:7e:83:67:2f:\r\n                    dc:25:ac:67:ee:4c:5e:85:16:42:55:9a:cc:84:ef:\r\n                    55:8e:3b:10:a4:46:64:8d:5d:e7:ff:27:c9:52:fa:\r\n                    2e:fc:42:3e:b1:f8:26:5e:59:34:5a:bb:8d:2a:47:\r\n                    7b:c0:6b:ec:02:8b:7e:82:aa:a8:03:d0:ac:15:56:\r\n                    4c:6c:89:d0:b0:d9:b0:6e:39:94:ac:7c:ab:35:73:\r\n                    3c:81:60:55:2c:49:4e:43:a6:33:af:83:8e:a1:0f:\r\n                    a5:47:47:3b:31:08:14:12:b5\r\n                Exponent: 65537 (0x10001)\r\n        X509v3 extensions:\r\n            X509v3 Basic Constraints:\r\n                CA:FALSE\r\n    Signature Algorithm: md5WithRSAEncryption\r\n        97:13:b4:17:f1:d6:e5:29:8e:70:60:f8:b2:93:97:7e:ad:f6:\r\n        47:f4:16:07:d8:0c:48:62:55:d3:91:f9:ac:61:83:ec:c9:04:\r\n        a9:a1:56:09:5d:77:1a:e0:dc:1e:c1:d6:23:4c:84:e6:ac:2f:\r\n        53:99:7c:dc:c8:9f:22:8b:89:fb:ec:ed:6a:67:20:b2:8d:2d:\r\n        63:c1:bd:88:23:28:84:22:16:95:8a:78:a4:47:52:ac:34:0f:\r\n        0f:51:68:2d:4e:7a:fa:ab:52:31:ac:df:c0:fd:c6:c0:2f:cf:\r\n        9a:e3:5d:92:4c:7c:a2:14:28:aa:b5:b0:cb:7f:e1:4a:30:ad:\r\n        
1a:2e:56:c9:eb:1e:b9:fb:be:39:16:4f:14:46:77:24:fe:74:\r\n        89:b2:b8:bc:38:71:e3:da:90:64:26:4f:49:fe:87:10:45:f8:\r\n        cb:e9:91:c5:6b:9d:ff:50:05:d7:d6:81:3c:6b:f1:07:e6:3c:\r\n        02:13:7e:81:0f:22:04:b6:d0:58:02:70:d0:44:c3:f0:f1:c9:\r\n        27:ce:0f:4c:c8:ec:f3:b4:02:a0:55:17:a3:33:64:2b:ba:56:\r\n        b7:da:23:6e:73:ab:fd:d5:9f:6e:68:e5:cd:da:fb:76:e7:6c:\r\n        59:ef:87:c4:89:b1:9e:ab:c5:31:25:70:b1:b8:1d:d0:3b:ec:\r\n        90:e5:59:c0\r\n-----BEGIN CERTIFICATE-----\r\nMIIC7zCCAdegAwIBAgIBAjANBgkqhkiG9w0BAQQFADB9MRMwEQYDVQQDEwpFeGFt\r\ncGxlIENBMREwDwYDVQQIEwhWaXJnaW5pYTELMAkGA1UEBhMCVVMxHzAdBgkqhkiG\r\n9w0BCQEWEGNhQGV4YW1wbGVjYS5jb20xJTAjBgNVBAoTHFJvb3QgQ2VydGlmaWNh\r\ndGlvbiBBdXRob3JpdHkwHhcNMTEwNTE2MTUwNDAwWhcNMTIwNTE1MTUwNDAwWjBu\r\nMRcwFQYDVQQDEw5zcC5leGFtcGxlLm9yZzERMA8GA1UECBMIVmlyZ2luaWExCzAJ\r\nBgNVBAYTAlVTMR0wGwYJKoZIhvcNAQkBFg5jYUBleGFtcGxlLm9yZzEUMBIGA1UE\r\nChMLZXhhbXBsZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMbOLRPI\r\n9zEFFK007CRMxxmfBwDRoDW5iaV+g2cv3CWsZ+5MXoUWQlWazITvVY47EKRGZI1d\r\n5\/8nyVL6LvxCPrH4Jl5ZNFq7jSpHe8Br7AKLfoKqqAPQrBVWTGyJ0LDZsG45lKx8\r\nqzVzPIFgVSxJTkOmM6+DjqEPpUdHOzEIFBK1AgMBAAGjDTALMAkGA1UdEwQCMAAw\r\nDQYJKoZIhvcNAQEEBQADggEBAJcTtBfx1uUpjnBg+LKTl36t9kf0FgfYDEhiVdOR\r\n+axhg+zJBKmhVglddxrg3B7B1iNMhOasL1OZfNzInyKLifvs7WpnILKNLWPBvYgj\r\nKIQiFpWKeKRHUqw0Dw9RaC1OevqrUjGs38D9xsAvz5rjXZJMfKIUKKq1sMt\/4Uow\r\nrRouVsnrHrn7vjkWTxRGdyT+dImyuLw4cePakGQmT0n+hxBF+MvpkcVrnf9QBdfW\r\ngTxr8QfmPAITfoEPIgS20FgCcNBEw\/DxySfOD0zI7PO0AqBVF6MzZCu6VrfaI25z\r\nq\/3Vn25o5c3a+3bnbFnvh8SJsZ6rxTElcLG4HdA77JDlWcA=\r\n-----END CERTIFICATE-----\r\nData Base Updated\r\n\r\nC:\\OpenSSL\\exampleca>openssl rsa -in apachekey.pem -out apachekey_nopass.pem\r\nEnter pass phrase for apachekey.pem:\r\nwriting RSA key\r\n<\/pre>\n<p>&#8211; files generated<\/p>\n<pre>\r\n# server key with pass phrase\r\nC:\\OpenSSL\\exampleca\\apachekey.pem\r\n\r\n# server key without pass phrase\r\nC:\\OpenSSL\\exampleca\\apachekey_nopass.pem\r\n\r\n# 
signing request\r\nC:\\OpenSSL\\exampleca\\apachecsr.pem\r\n\r\n# pub cert\r\nC:\\OpenSSL\\exampleca\\certs\\02.pem\r\n<\/pre>\n<span id=\"Setup_Apache_2_SSL\"><h2>Setup Apache 2 SSL<\/h2><\/span>\n<span id=\"httpd.conf\"><h3>httpd.conf<\/h3><\/span>\n<pre lang=\"xml\">\r\nLoadModule ssl_module modules\/mod_ssl.so\r\n\r\n# Secure (SSL\/TLS) connections\r\n#Include conf\/extra\/httpd-ssl.conf\r\n#\r\n# Note: The following must must be present to support\r\n#       starting without SSL on platforms with no \/dev\/random equivalent\r\n#       but a statically compiled-in mod_ssl.\r\n#\r\n<IfModule ssl_module>\r\n  SSLRandomSeed startup builtin\r\n  SSLRandomSeed connect builtin\r\n<\/IfModule>\r\n\r\nListen 443 \r\n<VirtualHost _default_:443>\r\n  ServerName sp.example.org\r\n  SSLEngine on\r\n  SSLCertificateFile C:\/OpenSSL\/exampleca\/certs\/02.pem\r\n  SSLCertificateKeyFile C:\/OpenSSL\/exampleca\/apachekey_nopass.pem\r\n<\/VirtualHost>\r\n<\/pre>\n<span id=\"error_Init:_SSLPassPhraseDialog_builtin_is_not_supported_on_Win32\"><h2>[error] Init: SSLPassPhraseDialog builtin is not supported on Win32<\/h2><\/span>\n<span id=\"Cause\"><h3>Cause<\/h3><\/span>\n<p>* The server private key is protected by a passphrase.<\/p>\n<span id=\"Resolution\"><h3>Resolution<\/h3><\/span>\n<p>* Remove the passphrase from the server private key.<\/p>\n<pre>\r\nopenssl rsa -in server_key_with_passphrase.pem -out server_key_without_passphrase.pem\r\n<\/pre>\n<p>* Comment out the <strong>SSLPassPhraseDialog<\/strong> directive if it is found in httpd.conf.<\/p>\n<span id=\"References\"><h2>References<\/h2><\/span>\n<p>* <a href=\"http:\/\/slacksite.com\/apache\/certificate.php\">http:\/\/slacksite.com\/apache\/certificate.php<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Prepare Server Key * See this post for details on how to setup a Certificate Authority (CA) using OpenSSL. 
* Sample session &#8211; commands # Generate a new server key and cert signing request (CSR) in PEM format openssl req &hellip; <a href=\"https:\/\/jianmingli.com\/wp\/?p=1143\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[21,55],"tags":[],"class_list":["post-1143","post","type-post","status-publish","format-standard","hentry","category-apache","category-ssl"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-ir","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/1143","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1143"}],"version-history":[{"count":6,"href":"https:\/\/jianmingli.com\/wp\/index.php?
rest_route=\/wp\/v2\/posts\/1143\/revisions"}],"predecessor-version":[{"id":2332,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/1143\/revisions\/2332"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1143"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1143"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1143"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}