Topic: Using openssl.exe to make a self-signed wildcard certificate
Siddus
Joined: 07 May 2006 Posts: 4
Posted: Sun 02 Feb '14 18:53 Post subject: Using openssl.exe to make a self-signed wildcard certificate
Hi, Siddus here ...
I am new to ssl and would like to get some help with creating a self-signed wildcard key and certificate using the included openssl.exe file.
Any and all help in this matter is appreciated
Encryption should be as strong as I can use ..
brgds
Siddus
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Mon 03 Feb '14 12:15 Post subject:
This is a small howto for configuring and creating self-signed certificates with openssl under Windows.
Building a certificate for "localhost"
Open a command shell (cmd).
If you are using Windows 7, it's important to open it as admin or with admin rights.
Then go to the installation directory of the Apache.
For example: "C:\Apache24"
(openssl.exe is located at C:\Apache24\bin\)
First we have to generate a certificate signing request plus a private key.
(In the openssl.cnf file you can edit default_bits = 4096 and the certificate will be a strong one.)
Code:
openssl req -config openssl.cnf -new -out localhost.csr -keyout localhost.pem
You will be asked for some information:
PEM pass phrase - a long and secure (not a simple) password
Country Name - a two-letter code for your country (Switzerland = CH; Netherlands = NL, …)
State or Province Name - the province you live in (optional)
Locality Name - the city you live in (optional)
Organization Name - (optional)
Organizational Unit Name - (optional)
Common Name - the complete domain for which you are creating the certificate. In this case "localhost"
The correct entry is important, because the name chosen here is verified later!!!
Email Address - (optional)
A challenge password - you can ignore this attribute, because we will sign our certificate ourselves.
An optional company name - (optional)
As the next step we will remove the passphrase/password from the private key and save it in a new file.
Code:
openssl rsa -in localhost.pem -out localhost.key
Finally we will generate our own certificate. Usually this is done by a CA, but in our case we are our own CA.
Code:
openssl x509 -sha512 -in localhost.csr -out localhost.crt -req -signkey localhost.key -days 3650
If you want to generate one certificate for multiple server names, this can be done with an additional "multidomain.cnf" file, in which the needed information has been placed beforehand. This file can be included:
Code:
openssl x509 -sha512 -in localhost.csr -text -extfile multidomain.cnf -out localhost.crt -req -signkey localhost.key -days 3650
With the value -days 3650 the certificate is valid for 10 years. That should be enough.
To sum up we have built:
localhost.csr - a certificate signing request
localhost.pem - the private key
localhost.key - the private key without the passphrase
localhost.crt - the certificate
Configuration of the Apache with SSL support
Some things we have to do to get a "feathered headdress" for the Apache.
Therefore we open httpd.conf in the configuration directory of the Apache and uncomment the following lines:
Uncomment the line #LoadModule ssl_module modules/mod_ssl.so (delete the #)
Uncomment the line #Include conf/extra/httpd-ssl.conf (delete the #)
Then open httpd-ssl.conf and change the following:
Search for the line starting with SSLCertificateFile and change the path to the directory where your localhost.crt file is placed.
For example: SSLCertificateFile "C:/Apache24/conf/ssl/localhost.crt"
Then search for the line starting with SSLCertificateKeyFile and change the path to the directory where your localhost.key file is placed.
For example: SSLCertificateKeyFile "C:/Apache24/conf/ssl/localhost.key"
Don't forget to save the changes and to get the Apache down from his horse and put him back (restart the service), and then https://localhost should work.
For the configuration of the cipher suites and the SSL level you can try:
Code:
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
To the admins in the forum: please feel free to check if everything is written in the right order and to correct the post in case of errors.
Last edited by jraute on Wed 28 Nov '18 11:13; edited 25 times in total
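The "multidomain.cnf" extension file the howto mentions but does not show, filled in for the wildcard the topic asks about and run through the same three openssl steps non-interactively; this is an added example, not jraute's code. It assumes a Linux shell (on Windows the same openssl commands run from the Apache bin directory) and the made-up domain example.com.

```shell
#!/bin/sh
# Added example, not from the post. Domain example.com and file names are assumed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension file: clients match the host name against subjectAltName, not CN,
# so the wildcard goes here. A wildcard covers one label (www.example.com) but
# not deeper names (a.b.example.com), and the bare domain must be listed too.
cat > multidomain.cnf <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.com, DNS:*.example.com
EOF

# Step 1: 4096-bit RSA key plus CSR; -subj replaces the interactive prompts,
# -nodes writes the key without a passphrase, so the "openssl rsa" step is
# not needed afterwards.
openssl req -new -newkey rsa:4096 -nodes -keyout localhost.key \
    -out localhost.csr -subj "/CN=*.example.com" 2>/dev/null

# Step 3: self-sign for 10 years, attaching the extensions from the file
openssl x509 -req -sha512 -days 3650 -in localhost.csr -signkey localhost.key \
    -extfile multidomain.cnf -out localhost.crt 2>/dev/null

# Check: the SAN entries actually present in the certificate, spaces removed
san_of() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Check: the RSA modulus size in bits, to confirm default_bits took effect
key_bits_of() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

san_of localhost.crt
key_bits_of localhost.crt
```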
Qmpeltaty
Joined: 06 Feb 2008 Posts: 182 Location: Poland
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Mon 03 Feb '14 20:10 Post subject:
For best possible encryption, in Qmpeltaty's link, Step 1, change the 1024 to 4096
Qmpeltaty
Joined: 06 Feb 2008 Posts: 182 Location: Poland
Posted: Tue 04 Feb '14 16:16 Post subject:
glsmith wrote:
> for best possible encryption, in Qmpeltaty's link, Step 1, change the 1024 to 4096
Good point; however, I use 2048-bit keys, as I had heard that it might have an impact on HTTPS page load speed on slow connections. Is that true?
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Tue 04 Feb '14 18:43 Post subject:
Certainly, the bigger the key the longer the CPU has to churn and, although I am not positive, possibly the larger the encrypted output.
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany