You must be root to generate a key.
First, use the cd command to change to
the /etc/httpd/conf/ directory. Remove
the fake key and certificate that were generated during the
installation with the following commands:
rm ssl.key/server.key
rm ssl.crt/server.crt
Next, create your own random key. Change to the /usr/share/ssl/certs/ directory and type in the
following command:
make genkey
Your system displays a message similar to the following (the Makefile runs the openssl command shown, producing a 1024-bit RSA key encrypted with Triple DES; 1024-bit RSA is no longer considered adequate, so if your openssl supports it, prefer a key of at least 2048 bits):
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > /etc/httpd/conf/ssl.key/server.key
Generating RSA private key, 1024 bit long modulus
.......++++++
................................................................++++++
e is 65537 (0x10001)
Enter pass phrase:
You now must enter a passphrase. For security reasons, it
should contain at least eight characters, include numbers and/or
punctuation, and it should not be a word found in a dictionary. Also,
remember that your passphrase is case sensitive.
Note
You are required to remember and enter this passphrase every
time you start your secure server. If you forget this passphrase,
the key must be completely re-generated.
Re-type the passphrase to verify that it is correct. Once you
have typed it in correctly, /etc/httpd/conf/ssl.key/server.key, the file
containing your key, is created.
Note that if you do not want to type in a passphrase every time
you start your secure server, you must use the following two
commands instead of make genkey to create
the key.
Use the following command to create your key:
/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key
Then, use the following command to make sure the permissions are
set correctly for the file:
chmod go-rwx /etc/httpd/conf/ssl.key/server.key
After you use the above commands to create your key, you do not
need to use a passphrase to start your secure server.
Caution
Disabling the passphrase feature for your secure server is a
security risk. It is not recommended that
you disable the passphrase feature for your secure server.
Problems associated with not using a passphrase are directly
related to the security maintained on the host machine. For
example, if an unscrupulous individual compromises the regular UNIX
security on the host machine, that person could obtain your private
key (the contents of your server.key
file). The key could be used to serve webpages that appear to be
from your secure server.
If UNIX security practices are rigorously maintained on the host
computer (all operating system patches and updates are installed as
soon as they are available, no unnecessary or risky services are
running, and so on), the secure server's passphrase may seem
unnecessary. However, since your secure server should not need to
be restarted very often, the extra security provided by entering a
passphrase is a worthwhile effort in most cases.
The server.key file should be owned by
the root user on your system and should not be accessible to any
other user. Make a backup copy of this file and keep the backup
copy in a safe, secure place. You need the backup copy because if
you ever lose the server.key file after
using it to create your certificate request, your certificate no
longer works and the CA is not able to help you. Your only option
is to request (and pay for) a new certificate.
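The procedure above (generate the key, lock down its permissions, keep it matched to the certificate) as a shell script. This is an added example, not part of the Red Hat manual or the mod_ssl Makefile. It assumes GNU coreutils or BSD stat and an openssl binary on PATH; the key directory defaults to the path used on this page but can be overridden with KEYDIR for testing. It departs from the page's command in two ways a practitioner would want today: 2048-bit keys instead of 1024, and AES-256 instead of Triple DES for the passphrase encryption. The key_matches_cert check is added because, as the text warns, a key that no longer matches the certificate request renders the certificate useless.

```shell
#!/bin/sh
# Added example: server key generation as described in this section,
# plus the checks an administrator should run afterwards.
# Assumptions: openssl on PATH; GNU `stat -c` or BSD `stat -f`.
set -eu

KEYDIR=${KEYDIR:-/etc/httpd/conf/ssl.key}   # path from the page

# generate_key FILE BITS MODE
#   MODE "passphrase": encrypted key, openssl prompts for the passphrase
#   (what `make genkey` does, with AES-256 instead of the page's -des3).
#   MODE "nopass": plaintext key, as in the page's second procedure.
#   umask 077 in a subshell makes the file 0600 at creation time.
generate_key() {
    file=$1; bits=$2; mode=$3
    ( umask 077
      if [ "$mode" = nopass ]; then
          openssl genrsa -out "$file" "$bits"
      else
          openssl genrsa -aes256 -out "$file" "$bits"
      fi )
    chmod go-rwx "$file"   # same as the page's chmod, in case umask was bypassed
}

# check_key_perms FILE [OWNER]
#   Returns 0 if FILE is accessible by its owner only (mode 0600 or
#   stricter) and owned by OWNER (default root), otherwise 1.
check_key_perms() {
    file=$1; owner=${2:-root}
    info=$(stat -c '%a %U' "$file" 2>/dev/null || stat -f '%Lp %Su' "$file")
    mode=${info%% *}; actual_owner=${info##* }
    case $mode in
        [0-7]00|0) : ;;      # group and other digits are zero
        *) return 1 ;;
    esac
    [ "$actual_owner" = "$owner" ]
}

# key_matches_cert KEYFILE CERTFILE
#   Confirms the key on disk is the one the certificate was issued for by
#   comparing RSA moduli. Returns 0 on match, 1 otherwise.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1")
    c=$(openssl x509 -noout -modulus -in "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sh genkey.sh run [passphrase|nopass]
if [ "${1:-}" = run ]; then
    generate_key "$KEYDIR/server.key" 2048 "${2:-passphrase}"
    if check_key_perms "$KEYDIR/server.key"; then
        echo "server.key: owner root, mode 0600, OK"
    else
        echo "server.key: fix ownership/permissions before starting httpd" >&2
        exit 1
    fi
fi
```

Run it as root with `run` to reproduce the page's procedure; after you receive the certificate, call `key_matches_cert server.key server.crt` before restarting httpd, and run the same check against the backup copy the page tells you to keep.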
If you are going to purchase a certificate from a CA, continue
to Section 26.7
Generating a Certificate Request to Send to a CA. If you
are generating your own self-signed certificate, continue to
Section 26.8 Creating
a Self-Signed Certificate.