SSL certificates Apache / OpenSSL

A customer ordered a few web SSL certificates from a public certificate authority (in this case, Thawte). On one particular Windows server, Apache with OpenSSL is used. It took me some time to figure out the complete process for requesting and completing the certificate. This blog post covers the complete certificate process: from creating the certificate request to exporting the certificate chain to a .pfx file.
The first part is about requesting the certificate:

  • Generate a private key:
    • openssl genrsa -des3 -out server.key 2048
    • Back up server.key and don't publish this file. Remember the passphrase you used for this file!
  • Create a certificate request (CSR):
    • openssl req -new -key server.key -out webmail.domain.com.csr
    • Carefully check the wizard:
      • Enter pass phrase for server.key:
        You are about to be asked to enter information that will be incorporated
        into your certificate request.
        What you are about to enter is what is called a Distinguished Name or a DN.
        There are quite a few fields but you can leave some blank
        For some fields there will be a default value,
        If you enter '.', the field will be left blank.
        -----
        Country Name (2 letter code) [NL]:NL
        State or Province Name (full name) [Berkshire]:.
        Locality Name (eg, city) [Newbury]:Amsterdam
        Organization Name (eg, company) [My Company Ltd]:<Company name>
        Organizational Unit Name (eg, section) []:IT
        Common Name (eg, your name or your server's hostname) []:<certificatename, like: webmail.domain.com>
        Email Address []:

        Please enter the following 'extra' attributes
        to be sent with your certificate request
        A challenge password []:
        An optional company name []:

Use the generated CSR file (webmail.domain.com.csr) to request the certificate from your certificate authority. You can check the CSR file by copying and pasting it into this website: https://www.networking4all.com/en/support/tools/csr+check/
Double check the common name!
When your certificate authority has generated the certificate, you'll receive an email with the certificate in text format, something like this:
-----BEGIN CERTIFICATE-----
ZXMgRGl2aXNpb24xODA2BgNVBAsTLyhjKSAyMDA2IHRoYXd0ZSwgSW5jLiAtIEZv
ciBhdXRob3JpemVkIHVzZSBvbmx5MR8wHQYDVQQDExZ0aGF3dGUgUHJpbWFyeSBS
VVMxFTATBgNVBAoTDFRoYXd0ZSwgSW5jLjEWMBQGA1UEAxMNVGhhd3RlIFNTTCBD
........
BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwaQYIKwYBBQUHAQEEXTBbMCIG
CCsGAQUFBzABhhZodHRwOi8vb2NzcC50aGF3dGUuY29tMDUGCCsGAQUFBzAChilo
9cvGtEwO11bccSB0ONZ0xtaPa6+LjaBsKQth4AAAMQAAAAAAAAA=
-----END CERTIFICATE-----
Copy/paste this into Notepad and edit the header and footer:
From: -----BEGIN CERTIFICATE-----
To: -----BEGIN PKCS7-----
From: -----END CERTIFICATE-----
To: -----END PKCS7-----
Save this file with a .pk7 file extension. In my case: webmail.pk7
Open your command prompt again:

  • First, convert this .pk7 file to a .der file:
    • openssl pkcs7 -in webmail.pk7 -print_certs -out webmail.der
  • Then export the certificate, together with the private key and the complete certificate chain, to a .pfx file:
    • openssl pkcs12 -export -in webmail.der -inkey server.key -out webmail.pfx -name "webmail.certificate"
Now edit your Apache configuration (the VirtualHost) to use the certificates.
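As an added example (not part of the original post), the PKCS#7 to PEM to .pfx conversion above, run as a POSIX shell script and followed by three checks on the resulting .pfx: how many certificates it carries, whether the private key inside it belongs to the server certificate, and whether the CA certificates packed into it validate the server certificate. Since no real CA is involved, the script constructs a throw-away self-signed "Demo Root CA" that stands in for Thawte, issues a certificate for the constructed host name webmail.example.com and builds the PKCS#7 bundle the CA would have mailed; the passphrases are constructed too. The post's file names (server.key, webmail.pk7, webmail.der, webmail.pfx) are kept, and the openssl command-line tool is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post: the post's PKCS#7 -> PEM -> PFX
# conversion plus checks on the result. The "Demo Root CA", the passphrases
# and webmail.example.com are constructed so the script runs offline.
set -eu

# make_demo_pkcs7 DIR: produces DIR/server.key (encrypted with "secret") and
# DIR/webmail.pk7, a PKCS#7 bundle holding the server certificate and the
# issuing CA certificate, i.e. what a CA would send back.
make_demo_pkcs7() {
    d=$1
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$d/ca.key" -days 30 -subj "/CN=Demo Root CA" -out "$d/ca.pem"
    openssl genrsa -aes256 -passout pass:secret -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -key "$d/server.key" -passin pass:secret \
        -subj "/CN=webmail.example.com" -out "$d/webmail.csr"
    openssl x509 -req -in "$d/webmail.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/webmail.pem" 2>/dev/null
    cat "$d/webmail.pem" "$d/ca.pem" > "$d/chain.pem"
    # crl2pkcs7 -nocrl packs certificates (and no CRL) into a PEM PKCS#7,
    # which starts with -----BEGIN PKCS7----- like the post's edited file.
    openssl crl2pkcs7 -nocrl -certfile "$d/chain.pem" -out "$d/webmail.pk7"
}

# pkcs7_to_pfx DIR KEYPASS PFXPASS: the post's two conversion commands.
# -print_certs writes PEM text, so webmail.der holds PEM certificates
# despite its extension; openssl pkcs12 -export reads that without trouble.
pkcs7_to_pfx() {
    d=$1; keypass=$2; pfxpass=$3
    openssl pkcs7 -in "$d/webmail.pk7" -print_certs -out "$d/webmail.der"
    openssl pkcs12 -export -in "$d/webmail.der" -inkey "$d/server.key" -passin "pass:$keypass" \
        -name "webmail.certificate" -out "$d/webmail.pfx" -passout "pass:$pfxpass"
}

# pfx_cert_count PFX PFXPASS: prints the number of certificates in the PFX
# (server certificate plus chain).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# pfx_key_matches_cert PFX PFXPASS: succeeds if the private key in the PFX
# belongs to the server certificate (-clcerts = the end-entity certificate).
pfx_key_matches_cert() {
    keypub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout)
    certpub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -pubkey -noout)
    [ -n "$keypub" ] && [ "$keypub" = "$certpub" ]
}

# pfx_chain_verifies PFX PFXPASS: succeeds if the CA certificates carried in
# the PFX (-cacerts) validate the server certificate. A public CA's bundle
# may contain only intermediates; then the root must be given to -CAfile
# (or the intermediates passed with -untrusted) for this check to pass.
pfx_chain_verifies() {
    t=$(mktemp -d)
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$t/leaf.pem" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts -out "$t/cas.pem" 2>/dev/null
    openssl verify -CAfile "$t/cas.pem" "$t/leaf.pem" >/dev/null 2>&1
}

# Stand-alone demo
workdir=$(mktemp -d)
make_demo_pkcs7 "$workdir"
pkcs7_to_pfx "$workdir" secret export-password
echo "certificates in webmail.pfx: $(pfx_cert_count "$workdir/webmail.pfx" export-password)"
pfx_key_matches_cert "$workdir/webmail.pfx" export-password && echo "private key matches the server certificate"
pfx_chain_verifies "$workdir/webmail.pfx" export-password && echo "CA certificates in the PFX verify the server certificate"
```

Two caveats from the checks: a .pfx that reports only one certificate is missing its chain, which usually means the PKCS#7 from the CA did not include the intermediates and they need to be appended to the PEM file before the pkcs12 -export step. And relabelling the mailed text as PKCS7 only works when the CA actually sent a PKCS#7 blob; if openssl pkcs7 refuses to parse it, the text is a plain certificate (openssl x509 -noout -subject -in file will read it) and can be used directly as the -in of pkcs12 -export.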

 
 
