I have been asked several times lately how to generate and deploy certificates for web servers. I am going to explain here how to set up a certificate for an Apache web server.
Most users of Linux / LAMP servers and similar will find themselves needing to generate a certificate request to be submitted to a certificate authority. Certificates are complex and come in various formats, and some users will want to submit a CSR generated on a Unix platform to a Microsoft certificate authority and then use the resulting certificate on the Unix appliance or server. This example shows how quickly and easily you can generate a certificate request file.
Start by issuing the following command on the console of the LAMP server:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
A couple of things to note:
First, the rsa:2048 value. This sets the key type and the key size in bits. The size can really be whatever you would like, but at the time of writing 2048 was the standard key size. Second, those who would like to use DSA will need to set a pass-phrase, which will consequently have to be entered every time the server is started.
Another thing to note is the names of the files. The generic name [server] was used here, but I have found that it helps keep certificates straight if you just name them after the URL you are generating them for. For example, if the website you are creating a certificate for is http://www.contoso.com, then the file names would be www.contoso.com.key and www.contoso.com.csr respectively.
Finally, the -nodes option removes the pass-phrase, so the private key is written to disk unencrypted.
This command will generate two files: a key file (the private key) and a CSR file (the certificate request). The private key should be kept very secure. If this file is compromised, the server's identity can no longer be verified as accurate, and anyone holding the private key will be able to decrypt the data between your server and the clients.
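The generation step above as a non-interactive script, with checks that the key file is readable only by its owner and that the CSR carries the public half of that key. This is an added example, not part of the original post; the function names, the optional output directory and the subject containing only a common name (-subj) are assumptions.

```shell
#!/bin/sh
# Added example: generate a key and CSR named after the site, then verify them.
# Assumptions: function names, the optional output directory, and a subject
# holding only the common name (-subj) are illustrative, not from the post.

# make_csr FQDN [DIR]: writes DIR/FQDN.key and DIR/FQDN.csr without prompting.
make_csr() {
    fqdn=$1
    dir=${2:-.}
    (
        umask 077   # key is never created group- or world-readable
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" \
            -subj "/CN=$fqdn"
    ) || return 1
    chmod 600 "$dir/$fqdn.key"
}

# key_matches_csr KEY CSR: succeeds only if the CSR's public key is the
# public half of KEY (catches mixed-up files before submitting to the CA).
key_matches_csr() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# key_mode FILE: prints the permission string, e.g. -rw-------
key_mode() {
    ls -l "$1" | cut -c1-10
}

# Run as: sh make_csr.sh www.contoso.com
if [ -n "${1:-}" ]; then
    make_csr "$1" . || exit 1
    key_matches_csr "$1.key" "$1.csr" || { echo "key/CSR mismatch" >&2; exit 1; }
    echo "$1.key mode: $(key_mode "$1.key")"
    openssl req -in "$1.csr" -noout -subject
fi
```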
Using the CSR file, you can either open the file and copy and paste its contents into the certificate authority, or you may be able to simply upload the file to the certificate authority. Once you have generated the certificate and you have it in the right format (normally PEM), you can use it and the private key to finish setting up your website to use SSL.