Home » Blogs » sandip's blog

Generating Apache SSL Self-Signed Certificate

Submitted by sandip on Thu, 07/26/2007 - 21:59

# openssl req -x509 -newkey rsa:1024 -keyout /etc/httpd/conf/ssl.key/server.key -out /etc/httpd/conf/ssl.crt/server.crt -days 9999 -nodes
# chown root:root /etc/httpd/conf/ssl.key/server.key
# chmod 400 /etc/httpd/conf/ssl.key/server.key

Bookmark/Search this post with
  • del.icio.us
  • Digg
  • Facebook
  • identi.ca
  • LinkedIn
  • SlashDot
  • StumbleUpon
  • Technorati
  • Twitter
»

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Generating CSR from existing key

Submitted by sandip on Thu, 09/15/2011 - 22:50.

openssl req -new -key server.key -out server.csr

»

Generating 2048 bit CSR

Submitted by sandip on Thu, 05/05/2011 - 21:42.

openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr

»

debug ssl cert with openssl

Submitted by sandip on Wed, 01/06/2010 - 12:32.

Commands used:

openssl s_client -connect host.domain.tld:443
openssl s_client -showcerts -connect host.domain.tld:443
openssl s_client -state -nbio -connect host.domain.tld:443 2>&1

Reference:
http://www.cyberciti.biz/tips/debugging-ssl-communications-from-unix-shell-prompt.html
http://www.cyberciti.biz/faq/test-ssl-certificates-diagnosis-ssl-certificate/

»

very certificate and chain installed fine online

Submitted by Anonymous on Thu, 12/05/2013 - 20:41.

digicert.com

»

Remove passphrase from ssl key

Submitted by sandip on Thu, 11/19/2009 - 17:41.

openssl rsa -in passphrase.key -out nopass.key

»

CSR info

Submitted by sandip on Fri, 05/23/2008 - 15:03.

openssl req -text -noout -in /path/to/server.csr

»

SSL certificate information

Submitted by sandip on Thu, 04/10/2008 - 09:28.
  1. Full text information:
    # openssl x509 -text -in server.crt
  2. Issuer of the certificate:
    # openssl x509 -noout -in server.crt -issuer
  3. Issued to:
    # openssl x509 -noout -in server.crt -subject
  4. Valid dates:
    # openssl x509 -noout -in server.crt -dates
  5. All of the above:
    # openssl x509 -noout -in server.crt -issuer -subject -dates
  6. Hash value:
    # openssl x509 -noout -in server.crt -hash
  7. MD5 fingerprint:
    # openssl x509 -noout -in server.crt -fingerprint
»

Renewing self signed SSL certificate

Submitted by wizap on Tue, 01/29/2008 - 00:29.

After generating a renewed self-signed ssl cert, I got the below message:

You have received an invalid certificate...
Your certificate contains the same serial number as another
certificate issued by the certificate authority. 
Please get a new certificate containing a unique serial number.

With some digging, found that a new serial number can be set as below.

# openssl req -x509 -new -key /etc/httpd/conf/ssl.key/server.key  \
-out /etc/httpd/conf/ssl.crt/server.crt -days 9999 -nodes -set_serial 99999

man x509 for more info.

»
Comment