David McNett

SSL Certificate Cheatsheet

SSL Certificates?

Here's a handy step-by-step cheatsheet listing the process by which you can generate an SSL certificate to use on a server that needs to support SSL connections. This will work for Apache, UnrealIRCD, Dovecot, or just about any other piece of software that listens for SSL connections. These commands should work just fine on any reasonably-modern Unix system.

Step One: Cut a hole in a box

Actually, step one is to generate your private key:

openssl genrsa 1024 > servername.key

This will give you a servername.key file which contains your private key. Don't let anyone else gain access to this file. It's private. (One caveat: public certificate authorities stopped signing 1024-bit RSA keys in 2014, so use 2048 bits or more for anything a browser will see.)

Next you need to generate a "certificate signing request" which you'll send off to a certificate authority to be signed by them:

openssl req -new -key servername.key > servername.csr

Take that .csr file and send it to the certificate authority of your choice. There are zillions of them if you intend to pay for a "real" certificate that will just work. If you're too cheap to spend any money, or if the certificate is for an internal-use server only, then you'll be almost as happy using a free certificate authority like CACert. Resist the temptation to make your own certificate authority or to just make a self-signed key. Really. If your budget is $0 you should use CACert. For "mainstream" certs I like RapidSSL but they're all pretty much the same.

A general rule-of-thumb is to use a mainstream certificate authority if your intended users are normal people. Use CACert if your users will be nerds and geeks and techie people and you want to save a few bucks.

If you've done everything correctly, your certificate authority will take your .csr file and give you back a .crt file. This may be all you need. Some software will expect separate .key and .crt files. If that's the case, you're all set. If your software wants a .pem file, there's one more step to take...

cat servername.key servername.crt > servername.pem
openssl dhparam 2048 >> servername.pem

That will create a .pem file from your .key and .crt, with a set of Diffie-Hellman parameters appended (older OpenSSL releases spelled that second command "openssl gendh"; current releases only provide dhparam). Since the .pem file contains the private key, you'll want to be just as careful with it as you would be with the .key file. It's not intended to be public or world-readable.
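The whole procedure above as a small POSIX shell script, added here as an example and not part of the original cheatsheet. It uses a 2048-bit key (public CAs and browsers have refused 1024-bit keys since 2014), fills in the CSR subject non-interactively, and refuses to assemble the .pem unless the private key and the certificate the CA sent back carry the same public key. The file names, the www.example.com host name and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): key, CSR and .pem steps as
# functions, plus a check that key and certificate (or CSR) belong together
# before the .pem is written. 2048-bit RSA because public CAs and browsers
# reject 1024-bit keys. File names and the -subj fields are assumptions.
set -eu

# Step one: the private key. Restrictive umask so it is never world-readable.
make_key() {  # make_key servername.key
    (umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null)
}

# Step two: the certificate signing request, non-interactively.
# $3 is the host name the certificate is for (it becomes the CN).
make_csr() {  # make_csr servername.key servername.csr www.example.com
    openssl req -new -key "$1" -out "$2" -subj "/CN=$3" 2>/dev/null
}

# Print the SHA-256 of the public key carried by a key, CSR or certificate.
# All three carry the same public key when they belong together.
pubkey_fingerprint() {  # pubkey_fingerprint FILE
    case "$1" in
        *.key) openssl rsa  -in "$1" -pubout 2>/dev/null ;;
        *.csr) openssl req  -in "$1" -pubkey -noout 2>/dev/null ;;
        *)     openssl x509 -in "$1" -pubkey -noout 2>/dev/null ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when the key and the CSR/certificate share a public key.
key_matches() {  # key_matches servername.key servername.crt
    [ "$(pubkey_fingerprint "$1")" = "$(pubkey_fingerprint "$2")" ]
}

# Step three, once the CA has returned servername.crt: build the .pem.
# Refuses to assemble it if the certificate was issued for a different key.
make_pem() {  # make_pem servername.key servername.crt servername.pem [dh_bits]
    key_matches "$1" "$2" || { echo "key and certificate do not match" >&2; return 1; }
    (umask 077 && cat "$1" "$2" > "$3" && openssl dhparam "${4:-2048}" >> "$3" 2>/dev/null)
}

# Usage, in order:
#   make_key servername.key
#   make_csr servername.key servername.csr www.example.com   # send the .csr to the CA
#   make_pem servername.key servername.crt servername.pem     # once the .crt is back
```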

If you're curious and want to verify the contents of the .pem file, here's a handy command which will print the certificate inside it in readable form (openssl x509 skips past the key and DH parameter blocks and decodes the first certificate it finds):

openssl x509 -noout -text -in servername.pem

Hope that's useful! Comments or suggestions are welcomed.
