First you’ll need a key:
openssl genrsa -des3 -out server.key 4096
Using the -des3 option encrypts the key, so you will have to enter a passphrase every time Apache starts up. If you wish to avoid that gotcha, then simply leave out the -des3 option:
openssl genrsa -out server.key 4096
Then, generate a certificate signing request from the key:
openssl req -new -key server.key -out server.csr
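If you wish to have the certificate expire in a certain number of days, then use the -days option. Note that openssl req only applies -days when it is also creating a self-signed certificate with -x509; for a plain signing request, the certificate authority that issues the certificate decides the validity period: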
openssl req -days 1095 -new -key server.key -out server.csr
Now, go to a certificate authority and generate a certificate using the certificate signing request. http://www.cacert.org is a free certificate authority you can use. Read more about them here: CAcert at Wikipedia.
Cut and paste the entire generated certificate into a new file called server.crt. Install the crt and key files into a place where Apache can find them.
Then as root:
Now you’ll need to install this into Apache’s configuration file, httpd.conf. Note that if this key is used as is, you’ll need to enter a passphrase when Apache starts up. We can disable that requirement. More on that later. Put this entry into your httpd.conf file if you wish for all traffic to your site to be secure:
Now to remove the passphrase from the key so Apache will boot without interaction:
openssl rsa -in server.key -out server.key.nopass
Then use the nopass key instead of the original server.key. The nopass key is stored unencrypted, so keep it readable only by root.
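Before restarting Apache it is worth confirming that server.csr and server.crt were really made from server.key, and that the passphrase-free key is not readable by other users. The script below is an added example, not part of the original post; the function names are made up for illustration, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: sanity checks for the files produced by the steps above.
# Function names are hypothetical; file names follow the article.

# Print the SHA-256 of the public key inside a key, CSR or certificate.
# $1 = key|csr|crt, $2 = file. An encrypted key makes openssl prompt.
pub_hash() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)   return 2 ;;
    esac
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if the CSR or certificate was made from this private key.
# $1 = key file, $2 = csr|crt, $3 = CSR or certificate file.
matches_key() {
    k=$(pub_hash key "$1") || return 1
    o=$(pub_hash "$2" "$3") || return 1
    [ -n "$k" ] && [ "$k" = "$o" ]
}

# Succeed only if group and other have no access to the file at all.
key_is_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Succeed if the PEM file is passphrase-protected (either PEM header style).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Typical use once server.crt has come back from the CA:
#   matches_key server.key.nopass crt server.crt || echo "certificate/key mismatch"
#   key_is_private server.key.nopass || chmod 600 server.key.nopass
```

A mismatch between key and certificate is a common reason Apache refuses to start after a certificate is installed, so running matches_key first saves a failed restart.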