2010-12-15 12:38:18
An RSA private key file is a digital file that you can use to decrypt messages sent to you. It has a public component which you distribute (via your Certificate file) which allows people to encrypt those messages to you.
A Certificate Signing Request (CSR) is a digital file which contains your public key and your name. You send the CSR to a Certifying Authority (CA), who will convert it into a real Certificate, by signing it.
A Certificate contains your RSA public key, your name, the name of the CA, and is digitally signed by the CA. Browsers that know the CA can verify the signature on that Certificate, thereby obtaining your RSA public key. That enables them to send messages which only you can decrypt.
See the Introduction chapter for a general description of the SSL protocol.
Yes. In general, starting Apache with mod_ssl built-in is just like starting Apache without it. However, if you have a passphrase on your SSL private key file, a startup dialog will pop up which asks you to enter the pass phrase.
Having to manually enter the passphrase when starting the server can be problematic - for example, when starting the server from the system boot scripts. In this case, you can follow the steps below to remove the passphrase from your private key. Bear in mind that doing so brings additional security risks - proceed with caution!
To create a self-signed SSL Certificate for testing purposes, make sure OpenSSL is installed and in your PATH, then run the following command to create the server.key and server.crt files:
$ openssl req -new -x509 -nodes -out server.crt -keyout server.key
These can be used as follows in your httpd.conf file:
SSLCertificateFile /path/to/this/server.crt
SSLCertificateKeyFile /path/to/this/server.key
It is important that you are aware that this server.key does not have any passphrase. To add a passphrase to the key, you should run the following command, and enter & verify the passphrase as requested.
$ openssl rsa -des3 -in server.key -out server.key.new
$ mv server.key.new server.key
Please backup the server.key file, and the passphrase you entered, in a secure location.
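The following script is an added example, not code from the Apache FAQ: it performs the self-signed-certificate and add-a-passphrase steps above without interactive prompts, and adds the check an administrator wants before pointing SSLCertificateFile and SSLCertificateKeyFile at the files: that the private key and the certificate actually carry the same public key, and that the passphrase unlocks the key. It assumes the openssl command-line tool is on the PATH, writes into a temporary directory ($WORKDIR), and uses a placeholder host name; the 2048-bit key, SHA-256 and AES-256 are this example's choices, not the FAQ's.

```shell
#!/bin/sh
# Added example (not code from the Apache FAQ): create a self-signed test
# certificate without interactive prompts, add a passphrase to its key the way
# the FAQ does, and check that key and certificate really belong together.
# Assumptions: the openssl CLI is on PATH; files go to $WORKDIR (a temp dir);
# the 2048-bit key, SHA-256 and AES-256 are this example's choices, not the FAQ's.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Unencrypted key plus self-signed certificate in one step, as in the FAQ;
# -subj replaces the interactive questions (placeholder host name).
make_selfsigned() {
    openssl req -new -x509 -nodes -sha256 -days 365 -newkey rsa:2048 \
        -subj "/CN=test.example.invalid" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.crt" 2>/dev/null
}

# Prints "encrypted" if the PEM key carries a passphrase, "plain" otherwise.
# Both the legacy "Proc-Type: 4,ENCRYPTED" header and the PKCS#8
# "BEGIN ENCRYPTED PRIVATE KEY" form contain the word ENCRYPTED.
key_state() {
    if grep -q ENCRYPTED "$1"; then echo encrypted; else echo plain; fi
}

# Wrap the existing key with a passphrase (the FAQ's "openssl rsa -des3" step,
# with AES-256 and the passphrase supplied on the command line so it can run
# unattended; interactively you would omit -passout and answer the prompt).
add_passphrase() {
    openssl rsa -aes256 -in "$WORKDIR/server.key" \
        -out "$WORKDIR/server.key.new" -passout pass:"$1" 2>/dev/null
    mv "$WORKDIR/server.key.new" "$WORKDIR/server.key"
}

# Succeeds only if the public key inside the private key file equals the
# public key in the certificate: catches a mismatched SSLCertificateFile /
# SSLCertificateKeyFile pair (or a wrong passphrase) before httpd is started.
# $1 = key file, $2 = certificate file, $3 = key passphrase (may be empty).
key_matches_cert() {
    key_pub=$(openssl rsa -in "$1" -pubout -passin pass:"${3:-}" 2>/dev/null | openssl sha256)
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Demonstration run (skipped when openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
    make_selfsigned
    echo "after creation:          $(key_state "$WORKDIR/server.key")"
    add_passphrase "change-me"
    echo "after adding passphrase: $(key_state "$WORKDIR/server.key")"
    key_matches_cert "$WORKDIR/server.key" "$WORKDIR/server.crt" "change-me" \
        && echo "key and certificate match"
fi
```

The match check compares the SubjectPublicKeyInfo extracted from each file rather than the files themselves, so it works for any key type and for both encrypted and plain keys; a wrong passphrase simply yields no public key on the key side and the comparison fails.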
To obtain a real SSL Certificate, here is a step-by-step description. Make sure OpenSSL is installed and in your PATH.
Create an RSA private key for your server (it will be Triple-DES encrypted and PEM formatted):
$ openssl genrsa -des3 -out server.key 1024
Please backup this server.key file and the pass-phrase you entered in a secure location. You can see the details of this RSA private key by using the command:
$ openssl rsa -noout -text -in server.key
If necessary, you can also create a decrypted PEM version (not recommended) of this RSA private key with:
$ openssl rsa -in server.key -out server.key.unsecure
Create a Certificate Signing Request (CSR) with the server RSA private key (the output will be PEM formatted):
$ openssl req -new -key server.key -out server.csr
Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", i.e. the host name under which the site will later be accessed via https. You can see the details of this CSR by using
$ openssl req -noout -text -in server.csr
You now have to send this CSR to a Certifying Authority (CA) to be signed. Once the CSR has been signed, you will have a real Certificate, which you can store in a server.crt file and whose details you can see as follows:
$ openssl x509 -noout -text -in server.crt
You should now have two files: server.key and server.crt. These can be used as follows in your httpd.conf file:
SSLCertificateFile /path/to/this/server.crt
SSLCertificateKeyFile /path/to/this/server.key
The server.csr file is no longer needed.
The short answer is to use the CA.sh or CA.pl script provided by OpenSSL. Unless you have a good reason not to, you should use these for preference. If you cannot, you can create a self-signed Certificate as follows:
Create an RSA private key for your server (it will be Triple-DES encrypted and PEM formatted):
$ openssl genrsa -des3 -out server.key 1024
Please backup this server.key file and the pass-phrase you entered in a secure location. You can see the details of this RSA private key by using the command:
$ openssl rsa -noout -text -in server.key
If necessary, you can also create a decrypted PEM version (not recommended) of this RSA private key with:
$ openssl rsa -in server.key -out server.key.unsecure
Create a self-signed Certificate (X509 structure) with the RSA key you just created (the output will be PEM formatted):
$ openssl req -new -x509 -nodes -sha1 -days 365 -key server.key -out server.crt
This results in a server.crt file. You can see the details of this Certificate using:
$ openssl x509 -noout -text -in server.crt
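The script below is an added example, not code from the Apache FAQ and not OpenSSL's CA.sh or CA.pl. It ties together the two procedures above: the CSR workflow (generate a server key and CSR with the FQDN as CommonName) and the own-CA workflow (create a CA and use it to sign that CSR instead of sending it to a commercial CA). It also adds the checks each side should run: the CA verifies the CSR's self-signature before signing, and the server operator verifies that the issued certificate chains to the CA and names the host clients will connect to. It assumes the openssl command-line tool is on the PATH, writes to a temporary directory ($WORKDIR), and uses "www.example.invalid" as a placeholder FQDN; 2048-bit keys, SHA-256, AES-256 and the subjectAltName extension are this example's choices, not the FAQ's.

```shell
#!/bin/sh
# Added example (not code from the Apache FAQ, and not OpenSSL's CA.pl/CA.sh):
# a minimal private CA that signs a server CSR, with the checks worth running
# on the CSR before signing and on the certificate before it goes into httpd.conf.
# Assumptions: openssl CLI on PATH; $WORKDIR is a temp dir; "www.example.invalid"
# is a placeholder FQDN; 2048-bit keys and SHA-256 are this example's choices.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
FQDN="www.example.invalid"

# CA key (kept passphrase-protected: the FAQ's advice about removing the
# passphrase concerns the server key; a CA key should stay encrypted) and a
# self-signed CA certificate. $1 = file name prefix, $2 = CA key passphrase.
make_ca() {
    openssl genrsa -aes256 -passout pass:"$2" -out "$WORKDIR/$1.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 365 -key "$WORKDIR/$1.key" -passin pass:"$2" \
        -subj "/CN=$1 Test CA" -out "$WORKDIR/$1.crt" 2>/dev/null
}

# Server key and CSR; -subj replaces the prompts, and the CN is the FQDN as
# the FAQ requires.
make_csr() {
    openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORKDIR/server.key" \
        -subj "/CN=$FQDN" -out "$WORKDIR/server.csr" 2>/dev/null
}

# Check on the CA side: the CSR's self-signature verifies, so the request was
# not altered between the requester and the CA. $1 = CSR file.
csr_is_intact() {
    openssl req -verify -noout -in "$1" 2>&1 | grep -q "verify OK"
}

# Sign the CSR with CA "$1" (key passphrase $2). The extension file adds a
# subjectAltName, which browsers require in addition to the CN, and marks the
# result as an end-entity certificate so it cannot be used to sign others.
sign_csr() {
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$FQDN" > "$WORKDIR/server.ext"
    openssl x509 -req -sha256 -days 365 -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/$1.crt" -CAkey "$WORKDIR/$1.key" -passin pass:"$2" -CAcreateserial \
        -extfile "$WORKDIR/server.ext" -out "$WORKDIR/server.crt" 2>/dev/null
}

# Check on the server side: server.crt chains to CA "$1" AND names host "$2";
# either failure means a client that trusts this CA would still reject the site.
cert_is_valid_for() {
    openssl verify -CAfile "$WORKDIR/$1.crt" -verify_hostname "$2" \
        "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Demonstration run (skipped when openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
    make_ca ca "ca-pass"
    make_csr
    csr_is_intact "$WORKDIR/server.csr" && echo "CSR self-signature OK"
    sign_csr ca "ca-pass"
    cert_is_valid_for ca "$FQDN" && echo "server.crt chains to ca.crt and names $FQDN"
    openssl x509 -noout -subject -issuer -in "$WORKDIR/server.crt"
fi
```

The resulting server.key and server.crt are what SSLCertificateKeyFile and SSLCertificateFile point at; clients will only accept the certificate once ca.crt is in their trust store, which is what distinguishes a private CA from a commercial one. The passphrases are passed with -passout/-passin only so the script runs unattended; when running these steps by hand, omit those options and answer the prompts.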