SSLCertificateFile /path/to/this/public.crt
SSLCertificateKeyFile /path/to/this/private.key
SSLCertificateChainFile /path/to/intermediate.crt
- Generate Private Key:
openssl genrsa -des3 -out private.key 2048
Remove the passphrase from the private key (the key is then stored unencrypted, so restrict read access to the file):
openssl rsa -in private.key -out private.key.new
mv private.key.new private.key
For all SSL certificates, the CSR key bit length must be 2048.
- Generate the CSR:
openssl req -new -key private.key -out request.csr
(* To generate a self-signed certificate instead:
#openssl x509 -req -days 60 -in server.csr -signkey server.key -out server.crt
)
Verify the CSR
- Log into VeriSign Trust Center and upload the CSR.
- Wait about two days; when it is ready, download the certificate public.crt.
- Download the VeriSign Secure Site Primary and Secondary Intermediate CA bundle. From the VeriSign Intermediate CA Certificates support page: "For Apache Web servers or similar, you only need to install the Intermediate CA Bundle according to your Certificate type."
- Verifying that a Private Key Matches a Certificate
openssl x509 -noout -text -in server.crt
openssl rsa -noout -text -in server.key
The `modulus' and the `public exponent' portions in the key and the Certificate must match. Or compare digests of the modulus, which must be identical for the certificate, the key and the CSR:
openssl x509 -noout -modulus -in public.crt | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5
openssl req -noout -modulus -in server.csr | openssl md5
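The modulus comparison above as a reusable check, written as an added example (not from the original post). It assumes RSA keys, uses SHA-256 instead of md5 for the digest, refuses to compare when a file cannot be parsed, and runs against constructed demo files whose names and CN are placeholders.

```shell
#!/bin/sh
# Added example: confirm key, CSR and certificate share one RSA modulus.

# Print a SHA-256 digest of the modulus of one object, or fail.
# $1 = openssl subcommand (rsa|req|x509), $2 = file
modulus_digest() {
    mod=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$mod" ] || return 1          # never hash an empty result
    printf '%s\n' "$mod" | openssl sha256
}

# Exit 0: all three match. Exit 1: mismatch. Exit 2: a file is unreadable.
# $1 = private key, $2 = CSR, $3 = certificate
triplet_matches() {
    k=$(modulus_digest rsa "$1") || return 2
    r=$(modulus_digest req "$2") || return 2
    c=$(modulus_digest x509 "$3") || return 2
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Constructed demo material in directory $1: two unrelated keys, plus a CSR
# and a self-signed certificate made from private.key (CN is a placeholder).
make_demo() (
    umask 077                          # unencrypted keys: owner-only access
    openssl genrsa -out "$1/private.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/private.key" -subj "/CN=demo.example" \
        -out "$1/request.csr" &&
    openssl x509 -req -days 60 -in "$1/request.csr" \
        -signkey "$1/private.key" -out "$1/public.crt" 2>/dev/null
)

demo_dir=$(mktemp -d)
if make_demo "$demo_dir"; then
    triplet_matches "$demo_dir/private.key" "$demo_dir/request.csr" \
        "$demo_dir/public.crt" && echo "private.key: match"
    triplet_matches "$demo_dir/other.key" "$demo_dir/request.csr" \
        "$demo_dir/public.crt" || echo "other.key: does NOT match (status $?)"
fi
rm -rf "$demo_dir"
```

Run the check before restarting Apache: a key that does not match the certificate named in SSLCertificateFile prevents the SSL virtual host from starting.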
Without the proper issuer chain/intermediate certificate, users will get an "SSL Certificate Not Trusted" error in the browser. Here's more detail on the subject and SSL Checker tool.
Links: Certificate Signing Request (CSR) Generation Instructions - Apache SSL