First, cd to the /etc/httpd/conf directory. Remove the fake key and
certificate that were generated during the installation with the
following commands:
rm ssl.key/server.key
rm ssl.crt/server.crt
Next, you need to create your own random key. Type in the following
command:
make genkey
Your system will display a message similar to the following:
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > /etc/httpd/conf/ssl.key/server.key
Generating RSA private key, 1024 bit long modulus
.......++++++
................................................................++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
You now need to type in a password. For best security, your password
should contain at least eight characters, include numbers and/or
punctuation, and not be a word in a dictionary. Also, remember that your
password is case sensitive.
Note: You will need to remember and enter this password every time you
start your secure Web server, so do not forget it.
You will be asked to re-type the password, to verify that it is
correct. Once you have typed it in correctly, a file called
server.key, containing your key, will be created.
Note that if you do not want to type in a password every time you start
your secure Web server, you will need to use the following two commands
instead of make genkey to create the key. Both of these commands should
be typed in entirely on one line.
Use the following command:
/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key
to create your key. Then use this command:
chmod go-rwx /etc/httpd/conf/ssl.key/server.key
to make sure that the permissions are set correctly on your key.
After you use the above commands to create your key, you will not need
to use a password to start your secure Web server.
Caution: Disabling the password feature for your secure Web server is a
security risk. We DO NOT recommend that you disable the password
feature for your secure Web server.
The problems associated with not using a password are directly related
to the security maintained on the host machine. For example, if an
unscrupulous individual compromises the regular UNIX security on the
host machine, that person could obtain your private key (the contents of
your server.key file). The key could be used to
serve Web pages that will appear to be from your Web server.
If UNIX security practices are rigorously maintained on the host
computer (all operating system patches and updates are installed as soon
as they are available, no unnecessary or risky services are operating,
and so on), the secure Web server's password may seem unnecessary. However, since
your secure Web server should not need to be re-booted very often, the extra
security provided by entering a password is a worthwhile effort in most
cases.
The server.key file should be owned by the root
user on your system and should not be accessible to any other user. Make
a backup copy of this file and keep the backup copy in a safe, secure
place. You need the backup copy because if you ever lose the
server.key file after using it to create your
certificate request, your certificate will no longer work and the CA
will not be able to help you. Your only option would be to request (and
pay for) a new certificate.
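The key-generation steps above (make genkey, or the two-command alternative followed by chmod go-rwx) and the ownership requirement just described can be verified before each server start. The following script is an added example and is not part of the Red Hat manual or its Makefile: the script name, the parameterized key size and cipher (the manual's values were 1024 and -des3), the report format and the return codes are assumptions. It checks that the key file grants nothing to group or other, reports whether the key is passphrase-protected, and warns if the owner is not root.

```sh
#!/bin/sh
# Added example, not part of the Red Hat manual: a pre-start check for the
# Apache server key. It verifies the two properties the page asks for (no
# group/other access; passphrase protection) and reports the file owner.
# The script name, parameters and return codes are assumptions.

# Generate a passphrase-protected RSA key under a restrictive umask, as the
# page's "make genkey" step does. Bits and cipher are parameters: the manual
# used 1024 and -des3; 2048 bits and -aes256 are today's minimum.
generate_key() {
    key="$1"; bits="${2:-2048}"; cipher="${3:--aes256}"
    ( umask 77 && openssl genrsa "$cipher" "$bits" > "$key" )
}

# Mode check parsed from ls -ld so it works on GNU and BSD userlands alike:
# characters 5-10 of the listing are the group and other permission bits.
key_mode_is_private() {
    gobits=$(ls -ld "$1" | cut -c5-10)
    [ "$gobits" = "------" ]
}

# Traditional PEM from "genrsa -des3" carries a "Proc-Type: 4,ENCRYPTED"
# header; PKCS#8 output from newer openssl uses the ENCRYPTED PRIVATE KEY label.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Owner as shown by ls (third field); the page requires root.
key_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Combined check. Return code: 0 all good, +1 if group or other can access
# the file, +2 if the key has no passphrase (the page's Caution case).
check_key_file() {
    rc=0
    if key_mode_is_private "$1"; then
        echo "ok:   $1 is not accessible to group or other"
    else
        echo "FAIL: $1 is accessible to group or other; run chmod go-rwx $1"
        rc=1
    fi
    if key_is_encrypted "$1"; then
        echo "ok:   $1 is passphrase-protected"
    else
        echo "WARN: $1 has no passphrase; anyone who reads it can impersonate the server"
        rc=$((rc + 2))
    fi
    owner=$(key_owner "$1")
    [ "$owner" = "root" ] || echo "WARN: $1 is owned by $owner, not root"
    return "$rc"
}

# Usage: sh check_key.sh /etc/httpd/conf/ssl.key/server.key
# Runs only when a path is given, so sourcing the file just defines the functions.
if [ -n "${1:-}" ]; then
    check_key_file "$1"
fi
```

Run it against the key file after make genkey (expect return code 0) or after the no-password alternative (expect 2, with the passphrase warning); a return code of 1 or 3 means the chmod go-rwx step was missed. The owner warning is informational because the script may be run as a non-root user who cannot fix ownership.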
If you are going to purchase a certificate from a CA, continue to the Section called Generating a Certificate Request to Send to a CA. If you are generating your own
self-signed certificate, continue to the Section called Creating a Self-Signed Certificate.