Creating OpenSSL certificates for Apache in OES or Linux

  • 3911570
  • 09-Feb-2007
  • 03-Jul-2012

Environment

There are two kinds of certificates in OES. One kind is stored in eDirectory and is used by the LDAP procedures. The other kind is used by the Apache web server. This article describes one of the setup processes for the Apache web server certificates (there are many methods, depending on what is needed).

Situation

Creating SSL Certificates for Apache in OES or Linux

Resolution

Step 1 - First, if you are going to sign your own certificates, do this once to set up your Certificate Authority (commonly abbreviated as "CA"). The procedure is:

mkdir /etc/ssl
chown -R root /etc/ssl
chmod g-rwx /etc/ssl
chmod o-rwx /etc/ssl

mkdir /etc/ssl/demoCA
touch /etc/ssl/demoCA/index.txt
echo '00000000' >> /etc/ssl/demoCA/serial
openssl req -new -x509 -extensions v3_ca -keyout /etc/ssl/ca.key -out /etc/ssl/ca.crt -days 1095

Step 2 - Next, create a certificate signing request (CSR). This request can be sent to a third-party certificate service for signing. The procedure is:

openssl req -new -nodes -out /etc/ssl/site.csr -keyout /etc/ssl/site.key

Step 3 - Now the certificate request can either be signed by the third party, or you can create a "self-signed" certificate by signing it with your own CA. Self-signed certificates are free, and the procedure requires the CA set up in Step 1 above. Sign the request using:

cd /etc/ssl
openssl ca -cert /etc/ssl/ca.crt -keyfile /etc/ssl/ca.key -out /etc/ssl/site.crt -outdir /etc/ssl -infiles /etc/ssl/site.csr

You should now have a new certificate and the key for your OES server.
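The following script is an added example, not part of this TID, that runs the three steps above non-interactively so the result can be checked before it is handed to Apache. It assumes a scratch directory (SSLDIR, defaulting to a temporary directory rather than /etc/ssl, so it runs without root), keys created unencrypted with -nodes for scripting, and its own minimal ca.cnf, subject names and the hostname www.example.com; all of those are this example's choices, not values from the article. The serial file is started at 01 so the first issued certificate does not get serial number zero. After signing, it verifies that site.crt chains to ca.crt and that site.key really is the private half of the key inside site.crt, the two checks most worth doing before restarting the web server.

```shell
#!/bin/sh
# Added example (not from the TID): Steps 1-3 of the article, scripted.
# Assumptions: SSLDIR is a temp dir instead of /etc/ssl, keys are
# unencrypted (-nodes), and ca.cnf, the subjects and the hostname are
# constructed for this example.
set -eu

SSLDIR="${SSLDIR:-$(mktemp -d)}"
SITE_FQDN="www.example.com"                      # constructed hostname
CA_SUBJ="/C=US/O=Example Org/CN=Example Private CA"
SITE_SUBJ="/C=US/O=Example Org/CN=$SITE_FQDN"
CA_DAYS=1095
SITE_DAYS=365

write_config() {
  # Minimal config so the run does not depend on the system openssl.cnf.
  # Section names and extension choices here are this example's own.
  cat > "$SSLDIR/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = $SSLDIR
database      = \$dir/demoCA/index.txt
serial        = \$dir/demoCA/serial
new_certs_dir = \$dir/demoCA/newcerts
default_md    = sha256
default_days  = $SITE_DAYS
policy        = policy_any

[ policy_any ]
countryName      = optional
organizationName = optional
commonName       = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:$SITE_FQDN
EOF
}

setup_ca() {
  # Step 1: the layout openssl ca expects, then the CA key and certificate.
  mkdir -p "$SSLDIR/demoCA/newcerts"
  chmod 700 "$SSLDIR"
  : > "$SSLDIR/demoCA/index.txt"
  echo '01' > "$SSLDIR/demoCA/serial"     # first issued cert gets serial 1
  openssl req -config "$SSLDIR/ca.cnf" -new -x509 -nodes -extensions v3_ca \
    -subj "$CA_SUBJ" -keyout "$SSLDIR/ca.key" -out "$SSLDIR/ca.crt" -days "$CA_DAYS"
  chmod 600 "$SSLDIR/ca.key"
}

make_csr() {
  # Step 2: server key and certificate signing request.
  openssl req -config "$SSLDIR/ca.cnf" -new -nodes -subj "$SITE_SUBJ" \
    -out "$SSLDIR/site.csr" -keyout "$SSLDIR/site.key"
  chmod 600 "$SSLDIR/site.key"
}

sign_csr() {
  # Step 3: issue the server certificate with the private CA from Step 1.
  openssl ca -config "$SSLDIR/ca.cnf" -batch -notext -extensions v3_server \
    -cert "$SSLDIR/ca.crt" -keyfile "$SSLDIR/ca.key" \
    -outdir "$SSLDIR/demoCA/newcerts" -out "$SSLDIR/site.crt" \
    -infiles "$SSLDIR/site.csr"
}

verify_chain() {
  # Returns 0 when site.crt chains to ca.crt.
  openssl verify -CAfile "$SSLDIR/ca.crt" "$SSLDIR/site.crt" >/dev/null
}

key_matches_cert() {
  # Returns 0 when site.key is the private half of the public key in site.crt.
  [ "$(openssl x509 -noout -pubkey -in "$SSLDIR/site.crt")" = \
    "$(openssl pkey -pubout -in "$SSLDIR/site.key")" ]
}

main() {
  write_config; setup_ca; make_csr; sign_csr
  verify_chain && key_matches_cert && \
    echo "OK: $SSLDIR/site.crt and $SSLDIR/site.key are ready for Apache"
}
main
```

On a real server, set SSLDIR=/etc/ssl, drop -nodes from the CA key line so the CA key stays passphrase-protected, and point the Apache virtual host's SSLCertificateFile and SSLCertificateKeyFile at site.crt and site.key.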

Additional Information

Note that the certificate files (*.crt), the key files (*.key), and any PEM files (*.pem) should be backed up in case of data loss. If the .key files are lost, the certificates will no longer be operational, as the certificates are based on the keys. In that situation, a new certificate must be procured using the above procedure.

See KB 10096990 [no longer available] on Certificates in Apache

Formerly known as TID# 10096988
 
If configuring Apache on SLES (10 or 11), OES2 or OES11 to use a third-party certificate, please see TID 7009962.