Wednesday, April 9, 2008

How to create a self-issued SSL digital certificate

How to create your own "self-signed or self-issued" SSL digital certificate
(free, not a 90-day-free gimmick)

If you run a secure web server (e.g. apache-ssl or Apache 2 with SSL support), you need an SSL certificate.
You also need one if you want to run TLS/SSL-enabled IMAP and POP3 servers such as the University of Washington's imapd and ipopd.

This article shows you how to create an SSL certificate using Open Source software. It really is free.
However, if you work for a large corporation or a government, don't do something useful like this:
go and buy an SSL certificate (and keep paying every year). Your job is to spend lots of money to make yourself look important.

From a cryptographic perspective there is no difference between a self-signed SSL certificate and an expensive one:
the key pair, the signature algorithm and the TLS session they protect are identical. What a commercial CA sells is not
stronger cryptography but a signature from a root that browsers and mail clients already ship with, so their users see no warning.
With a self-signed certificate you take over that role yourself: you must give the certificate (or its fingerprint) to your
clients over some channel you already trust, and configure them to accept it. If instead your users are trained to click
through the "unknown issuer" warning, anyone sitting between them and your server can present a self-signed certificate of
their own and read the traffic, and you have paid for encryption without the identity check it is supposed to provide.
For your own servers and your own users that is a trade you can make with open eyes, and the questions you should ask
about a self-declared "trust-worthy and reputable" CA are the same ones you can answer about yourself:
Have you ever met them? Do you know where they are? Do you know who they really are? How long have you known them?
Do you trust them more than you trust yourself? On what evidence and by what reasoning are they trust-worthy?

Linux system:
( I assume your Linux box has openssl installed; most Linux systems do. )
( Note: -days 3650 gives you approximately 10 years of validity; the default of 365 gives you only 1 year. )

openssl req -new -x509 -days 3650 -nodes -out apache.pem -keyout apache.pem

You will be asked to answer a few questions:
Country Code is the 2-letter code of the country your server is in.
State or Province is a free-text field.
Locality is a free-text field, typically the city where the server is.
Organization Name is your company name, or use your own name.
Organization Unit is your department/division name, or enter your phone number or the name of the machine.
Common Name is very important: it must be your web server's full external name, such as www.mydomain.com,
because clients compare it with the host name they connected to and reject the certificate if it does not match.
Email address is optional; if you enter one, it is expected to be your real email address.

The SSL certificate is now created as a file called apache.pem. Because the same file name was given to both -keyout and -out,
it contains the private key followed by the certificate, which is the combined form apache-ssl expects.
Copy this file to the directory where your Apache web server needs it, then restart Apache with /etc/init.d/apache force-reload

For Apache on Linux, if your configuration points at a directory of certificates (e.g. SSLCACertificatePath) rather than at
the file itself, OpenSSL looks the certificate up through a symlink named after the hash of its subject. Find out the hash value of apache.pem:

openssl x509 -hash -noout -in apache.pem

Create a symlink named after that hash (the command substitution fills in the value the command above prints):

ln -sf apache.pem $(openssl x509 -hash -noout -in apache.pem).0

For Apache on Linux, restrict the file permissions, because apache.pem contains the private key and nothing but the server (and root) should be able to read it:
chmod 600 apache.pem


Windows system:

Download openssl-xxx-bin.exe from http://sourceforge.net/projects/gnuwin32/

Double click openssl-xxx-bin.exe and install files to c:\temp

Move or copy the .exe and .DLL files from c:\temp\GnuWin32\bin to c:\temp

Save the openssl.config configuration file (linked from this post) to c:\temp; the Windows build does not know where its
configuration file is, which is why the command below passes it with -config.

Open a command prompt (click Start, Run, type cmd); a black screen comes up. Type cd c:\temp

openssl req -config openssl.config -new -x509 -nodes -out apache.pem -keyout apache.pem -days 3650

The certificate is now generated as a file called apache.pem, move this file to the place where your secure server needs it.

If you need the certificate in PKCS#12 format (for example to import it into Windows or into a mail client), you can convert apache.pem to PKCS#12.

openssl pkcs12 -export -in apache.pem -out mycert.pfx -name "My Digital Certificate"

Because apache.pem holds both the private key and the certificate, no separate -inkey option is needed.
You will be prompted for an export password; it encrypts the private key inside the .pfx, so choose a real one.
Your PKCS#12 SSL certificate is now in a file called mycert.pfx
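The Linux procedure above (key and certificate in one apache.pem, chmod 600, the hash symlink) together with the PKCS#12 conversion, as one non-interactive script with the checks a practitioner would want before deploying. This is an added example, not code from the original post: it assumes openssl is on the PATH, and the host name www.example.com, the organisation "Example Inc" and the export password "changeit" are placeholders chosen for the example. It goes beyond the post in two ways. The subject is supplied from a config file instead of typed at the prompts (the same thing the Windows -config option does), with a subjectAltName added, because current browsers ignore the Common Name and match the host name against the SAN only. And it runs openssl verify to make the trust point from the discussion above concrete: the certificate is accepted by a client that has been given it directly, rejected for a host name it was not issued for, and rejected against the CA store a browser ships with.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is on PATH;
# www.example.com, "Example Inc" and the password "changeit" are placeholders.
set -eu

HOST="${HOST:-www.example.com}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# The answers the post has you type interactively, as a config file
# (prompt = no), plus a subjectAltName for clients that ignore the CN.
write_config() {
    cat > "$WORKDIR/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no

[dn]
C  = US
ST = Washington
L  = Seattle
O  = Example Inc
CN = $HOST

[v3_server]
subjectAltName = DNS:$HOST
EOF
}

# Self-signed certificate, 10 years, unencrypted key (-nodes, as in the post).
# Key and cert go to separate files and are then concatenated into the
# combined apache.pem the post produces; nothing is ever world-readable.
make_self_signed() {
    write_config
    umask 077
    openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
        -config "$WORKDIR/openssl.cnf" \
        -keyout "$WORKDIR/apache.key" -out "$WORKDIR/apache.crt" 2>/dev/null
    cat "$WORKDIR/apache.key" "$WORKDIR/apache.crt" > "$WORKDIR/apache.pem"
    chmod 600 "$WORKDIR/apache.pem"
}

# Hash symlink, needed only when Apache is pointed at a directory of
# certificates (SSLCACertificatePath) rather than at the file. Prints the hash.
hash_link() {
    h=$(openssl x509 -in "$WORKDIR/apache.crt" -noout -hash)
    ln -sf apache.crt "$WORKDIR/$h.0"
    printf '%s\n' "$h"
}

# Verify the certificate as a client would that trusts the CA file in $1
# and connected to host name $2. Returns 0 on success, 1 on rejection.
verify_against() {
    if openssl verify -CAfile "$1" -verify_hostname "$2" \
            "$WORKDIR/apache.crt" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Verify against the default CA store only: no public CA vouches for this
# certificate, so this is expected to return 1.
verify_against_system_store() {
    if openssl verify "$WORKDIR/apache.crt" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# PKCS#12 export, non-interactive (the post's command prompts for the
# password), followed by a round trip that reads the .pfx back.
export_pkcs12() {
    openssl pkcs12 -export -in "$WORKDIR/apache.pem" -out "$WORKDIR/mycert.pfx" \
        -name "My Digital Certificate" -passout pass:changeit
    openssl pkcs12 -in "$WORKDIR/mycert.pfx" -passin pass:changeit -nokeys -clcerts \
        | openssl x509 -noout -subject
}

main() {
    make_self_signed
    echo "hash link: $(hash_link).0"
    if verify_against "$WORKDIR/apache.crt" "$HOST"; then
        echo "client that was given the certificate: accepted"
    fi
    if verify_against "$WORKDIR/apache.crt" "other.example.net"; then :; else
        echo "wrong host name: rejected"
    fi
    if verify_against_system_store; then :; else
        echo "default CA store: rejected (no CA vouches for a self-signed cert)"
    fi
    export_pkcs12
    echo "files are in $WORKDIR"
}

main
```

Run it as is to get a throw-away set of files under a temporary directory, or set HOST and WORKDIR first; copy apache.pem (still mode 600) into place and force-reload Apache as described above. The two rejections printed at the end are the point: a self-signed certificate protects the connection only for clients that have been given it beforehand, so distribute apache.crt (never apache.pem, which holds the key) to your users by a channel you trust.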

Reference: www.openssl.org

1 comment:

Betty said...

Amazing. I just created one with the help of this tutorial. All the steps have been described in detail. I am thankful to you for posting this informative article. Good job.