2010-12-15 12:38:18

An RSA private key file is a digital file that you can use to decrypt messages sent to you. It has a public component which you distribute (via your Certificate file) which allows people to encrypt those messages to you.

A Certificate Signing Request (CSR) is a digital file which contains your public key and your name. You send the CSR to a Certifying Authority (CA), who will convert it into a real Certificate, by signing it.

A Certificate contains your RSA public key, your name, the name of the CA, and is digitally signed by the CA. Browsers that know the CA can verify the signature on that Certificate, thereby obtaining your RSA public key. That enables them to send messages which only you can decrypt.

See the chapter for a general description of the SSL protocol.

Yes. In general, starting Apache with built-in is just like starting Apache without it. However, if you have a passphrase on your SSL private key file, a startup dialog will pop up which asks you to enter the pass phrase.

Having to manually enter the passphrase when starting the server can be problematic - for example, when starting the server from the system boot scripts. In this case, you can follow the steps to remove the passphrase from your private key. Bear in mind that doing so brings additional security risks - proceed with caution!

  1. Make sure OpenSSL is installed and in your PATH.

  2. Run the following command, to create server.key and server.crt files:
    $ openssl req -new -x509 -nodes -out server.crt -keyout server.key
    These can be used as follows in your httpd.conf file:
    SSLCertificateFile    /path/to/this/server.crt
    SSLCertificateKeyFile /path/to/this/server.key
  3. Be aware that this server.key has no passphrase. To add a passphrase to the key, run the following command and enter and verify the passphrase when prompted.

    $ openssl rsa -des3 -in server.key -out server.key.new
    $ mv server.key.new server.key

    Please backup the server.key file, and the passphrase you entered, in a secure location.

Here is a step-by-step description:

  1. Make sure OpenSSL is installed and in your PATH.

  2. Create an RSA private key for your Apache server (it will be Triple-DES encrypted and PEM formatted):

    $ openssl genrsa -des3 -out server.key 1024

    Please backup this server.key file and the pass-phrase you entered in a secure location. You can see the details of this RSA private key by using the command:

    $ openssl rsa -noout -text -in server.key

    If necessary, you can also create a decrypted PEM version (not recommended) of this RSA private key with:

    $ openssl rsa -in server.key -out server.key.unsecure

  3. Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):

    $ openssl req -new -key server.key -out server.csr

    Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", i.e. when you generate a CSR for a website which will be later accessed via , enter "" here. You can see the details of this CSR by using

    $ openssl req -noout -text -in server.csr

  4. You now have to send this Certificate Signing Request (CSR) to a Certifying Authority (CA) to be signed. Once the CSR has been signed, you will have a real Certificate, which can be used by Apache. You can have a CSR signed by a commercial CA, or you can create your own CA to sign it.
    Commercial CAs usually ask you to post the CSR into a web form, pay for the signing, and then send a signed Certificate, which you can store in a server.crt file. For more information about commercial CAs see the following locations:

    1. Verisign
    2. Thawte
    3. CertiSign Certificadora Digital Ltda.
    4. IKS GmbH
    5. Uptime Commerce Ltd.
    6. BelSign NV/SA
    For details on how to create your own CA, and use this to sign a CSR, see .
    Once your CSR has been signed, you can see the details of the Certificate as follows:

    $ openssl x509 -noout -text -in server.crt
  5. You should now have two files: server.key and server.crt. These can be used as follows in your httpd.conf file:
    SSLCertificateFile    /path/to/this/server.crt
    SSLCertificateKeyFile /path/to/this/server.key
    The server.csr file is no longer needed.

The short answer is to use the CA.sh or CA.pl script provided by OpenSSL. Unless you have a good reason not to, you should use these for preference. If you cannot, you can create a self-signed Certificate as follows:

  1. Create an RSA private key for your server (it will be Triple-DES encrypted and PEM formatted):

    $ openssl genrsa -des3 -out server.key 1024

    Please backup this server.key file and the pass-phrase you entered in a secure location. You can see the details of this RSA private key by using the command:

    $ openssl rsa -noout -text -in server.key

    If necessary, you can also create a decrypted PEM version (not recommended) of this RSA private key with:

    $ openssl rsa -in server.key -out server.key.unsecure

  2. Create a self-signed Certificate (X509 structure) with the RSA key you just created (output will be PEM formatted):

    $ openssl req -new -x509 -nodes -sha1 -days 365 -key server.key -out server.crt

    This signs the server CSR and results in a server.crt file.
    You can see the details of this Certificate using:

    $ openssl x509 -noout -text -in server.crt
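The three procedures above (passphrase handling, key/CSR/certificate creation, and self-signing) as one non-interactive script, added here as an example that is not from the original page or from the mod_ssl FAQ it reproduces. It assumes openssl is in PATH, uses a constructed passphrase and CommonName, takes OpenSSL's default signature digest instead of -sha1, and adds the checks an administrator wants before editing httpd.conf: that the key really is passphrase-protected, that key, CSR and certificate share one RSA modulus, and that the CommonName is the expected FQDN.

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive key -> CSR ->
# self-signed certificate, plus the checks to run before editing httpd.conf.
# Assumes openssl in PATH; passphrase and CommonName are constructed samples.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PASS="constructed-sample-passphrase"   # constructed; use a real one in practice
CN="www.example.com"                   # FQDN that must go into CommonName

make_key_csr_cert() {
    # Triple-DES encrypted, PEM formatted RSA key (the page uses 1024 bits)
    openssl genrsa -des3 -passout "pass:$PASS" -out "$WORK/server.key" 2048 2>/dev/null
    # CSR with the FQDN as CommonName; -subj replaces the interactive prompts
    openssl req -new -key "$WORK/server.key" -passin "pass:$PASS" \
        -subj "/CN=$CN" -out "$WORK/server.csr" 2>/dev/null
    # Self-sign the CSR with the same key (the "create your own" shortcut)
    openssl x509 -req -days 365 -in "$WORK/server.csr" -signkey "$WORK/server.key" \
        -passin "pass:$PASS" -out "$WORK/server.crt" 2>/dev/null
}

# 0 if the PEM key is passphrase-protected: both the traditional and the
# PKCS#8 encodings mark this with ENCRYPTED in the header. 1 if stored in clear.
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# 0 if key, CSR and certificate carry the same RSA modulus, i.e. the
# certificate really belongs to the key SSLCertificateKeyFile will load.
files_match() {
    k=$(openssl rsa  -noout -modulus -in "$WORK/server.key" -passin "pass:$PASS" 2>/dev/null)
    c=$(openssl req  -noout -modulus -in "$WORK/server.csr")
    x=$(openssl x509 -noout -modulus -in "$WORK/server.crt")
    [ -n "$k" ] && [ "$k" = "$c" ] && [ "$c" = "$x" ]
}

# 0 if the certificate subject carries the expected CommonName (matches both
# the "CN = x" and the older "/CN=x" subject formats printed by openssl).
cert_has_cn() { openssl x509 -noout -subject -in "$1" | grep -q "CN *= *$2"; }

# Remove the passphrase as the boot-script step on the page does; the copy
# then has no protection but file permissions, so restrict them immediately.
strip_passphrase() {
    openssl rsa -in "$WORK/server.key" -passin "pass:$PASS" \
        -out "$WORK/server.key.unsecure" 2>/dev/null
    chmod 600 "$WORK/server.key.unsecure"
}

make_key_csr_cert
if files_match && cert_has_cn "$WORK/server.crt" "$CN"; then
    echo "key, CSR and certificate agree for $CN"
fi
```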

openssl uses per-subcommand help
e.g.:
#openssl genrsa -h
#openssl genrsa -v
If OpenSSL was installed from the rpm package, the file /etc/pki/tls/misc/CA can be used to generate a CA and to sign with the locally generated CA or a specific CA.

See: