You must be root to generate a key.
First, use the cd command to change to the
/etc/httpd/conf/ directory. Remove the fake key
and certificate that were generated during the installation with the
following commands:
rm ssl.key/server.key
rm ssl.crt/server.crt
Next, create your own random key. Change to the
/usr/share/ssl/certs/ directory and type in the
following command:
make genkey
Your system displays a message similar to the following:
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > /etc/httpd/conf/ssl.key/server.key
Generating RSA private key, 1024 bit long modulus
.......++++++
................................................................++++++
e is 65537 (0x10001)
Enter pass phrase:
You must now enter a passphrase. For security reasons, it should
contain at least eight characters, include numbers and/or punctuation,
and should not be a word found in a dictionary. Also, remember that your
passphrase is case sensitive.
Note: You are required to remember and enter this passphrase every time you
start your secure server. If you forget this passphrase, the key must
be completely re-generated.
Re-type the passphrase to verify that it is correct. Once you have typed
it in correctly,
/etc/httpd/conf/ssl.key/server.key, the file
containing your key, is created.
Note that if you do not want to type in a passphrase every time you start
your secure server, you must use the following two commands instead of
make genkey to create the key.
Use the following command to create your key:
/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key
Then, use the following command to make sure the permissions are set
correctly for the file:
chmod go-rwx /etc/httpd/conf/ssl.key/server.key
After you use the above commands to create your key, you do not need
to use a passphrase to start your secure server.
Caution: Disabling the passphrase feature for your secure server is a security
risk. It is not recommended that you disable the
passphrase feature for your secure server.
Problems associated with not using a passphrase are directly related
to the security maintained on the host machine. For example, if an
unscrupulous individual compromises the regular UNIX security on the
host machine, that person could obtain your private key (the contents of
your server.key file). The key could be used to
serve webpages that appear to be from your secure server.
If UNIX security practices are rigorously maintained on the host
computer (all operating system patches and updates are installed as soon
as they are available, no unnecessary or risky services are operating,
and so on), the secure server's passphrase may seem unnecessary. However, since
your secure server should not need to be rebooted very often, the extra
security provided by entering a passphrase is a worthwhile effort in most
cases.
The server.key file should be owned by the root
user on your system and should not be accessible to any other user. Make
a backup copy of this file and keep the backup copy in a safe, secure
place. You need the backup copy because if you ever lose the
server.key file after using it to create your
certificate request, your certificate no longer works and the CA
is not able to help you. Your only option is to request (and
pay for) a new certificate.
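The three requirements this section places on server.key (root ownership, go-rwx permissions, and a passphrase) can be verified after the fact. The script below is an added example, not part of the manual: it assumes the default key path /etc/httpd/conf/ssl.key/server.key and recognises a passphrase-protected key by the PEM encryption markers that openssl writes, and the demo runs on a constructed placeholder file rather than a real key.

```shell
# Added example, not from the manual: audit server.key for the properties the
# text above requires (root-owned, go-rwx, passphrase-protected). Paths assumed.

# A key written by "openssl genrsa -des3" carries a "Proc-Type: 4,ENCRYPTED"
# header; PKCS#8 output uses the "BEGIN ENCRYPTED PRIVATE KEY" banner. A key
# generated without a passphrase has neither marker.
key_is_encrypted() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Group/other permission bits (characters 5-10 of "ls -l" output):
# "------" after "chmod go-rwx", "r--r--" for a world-readable key.
key_go_bits() {
    ls -ld "$1" | cut -c5-10
}

# Owning user of the key file.
key_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# Run all three checks; return 0 only when every one passes.
audit_server_key() {
    f=$1; rc=0
    if [ "$(key_owner "$f")" != root ]; then
        echo "WARN: $f is owned by $(key_owner "$f"), expected root"; rc=1
    fi
    if [ "$(key_go_bits "$f")" != "------" ]; then
        echo "WARN: $f is accessible to group/other ($(key_go_bits "$f")); run: chmod go-rwx $f"; rc=1
    fi
    if ! key_is_encrypted "$f"; then
        echo "WARN: $f has no passphrase; anyone who reads it can impersonate the server"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $f is root-owned, go-rwx and passphrase-protected"; fi
    return "$rc"
}

# Stand-alone demo on a constructed PEM file (placeholder body, not a real key);
# run as a non-root user the ownership check fires. Real file: audit_server_key /etc/httpd/conf/ssl.key/server.key
demo() {
    d=$(mktemp -d); f="$d/server.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'CONSTRUCTED-PLACEHOLDER-BODY' \
        '-----END RSA PRIVATE KEY-----' > "$f"
    chmod go-rwx "$f"
    audit_server_key "$f"; echo "exit status: $?"
    rm -rf "$d"
}
demo
```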
If you are going to purchase a certificate from a CA, continue to Section 26.7 Generating a Certificate Request to Send to a CA. If you are generating your own
self-signed certificate, continue to Section 26.8 Creating a Self-Signed Certificate.