Generating a Certificate Request to Send to a CA - Red Hat Enterprise Linux 4 System Administration Manual

Use the following command to create your key:
/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key
Then, use the following command to make sure the permissions are set correctly for the file:
chmod go-rwx /etc/httpd/conf/ssl.key/server.key
After you use the above commands to create your key, you do not need to use a passphrase to start
your secure server.
Warning
Disabling the passphrase feature for your secure server is a security risk. It is not
recommended that you disable the passphrase feature for the secure server.
Problems associated with not using a passphrase are directly related to the security maintained on the
host machine. For example, if an unscrupulous individual compromises the regular UNIX security on
the host machine, that person could obtain your private key (the contents of your server.key file).
The key could be used to serve webpages that appear to be from your secure server.
If UNIX security practices are rigorously maintained on the host computer (all operating system
patches and updates are installed as soon as they are available, no unnecessary or risky services
are operating, and so on), the secure server's passphrase may seem unnecessary. However, since your
secure server should not need to be rebooted very often, the extra security provided by entering a
passphrase is a worthwhile effort in most cases.
The server.key file should be owned by the root user on your system and should not be accessible
to any other user. Make a backup copy of this file and keep the backup copy in a safe, secure place.
You need the backup copy because if you ever lose the server.key file after using it to create your
certificate request, your certificate no longer works and the CA is not able to help you. Your only option
is to request (and pay for) a new certificate.
If you are going to purchase a certificate from a CA, continue to Section 25.7, "Generating a Certificate
Request to Send to a CA". If you are generating your own self-signed certificate, continue to
Section 25.8, "Creating a Self-Signed Certificate".

25.7. Generating a Certificate Request to Send to a CA

Once you have created a key, the next step is to generate a certificate request which you need to
send to the CA of your choice. Make sure you are in the /usr/share/ssl/certs/ directory, and
type the following command:
make certreq
Your system displays the following output and asks you for your passphrase (unless you disabled the
passphrase option):
umask 77 ; \
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key
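The key, permission and request steps of this section, as an added shell example that is not from the Red Hat manual: it works in a scratch directory instead of /etc/httpd, uses a 2048-bit key where the manual's command uses 1024, fills the request subject with constructed placeholder values, and adds the two checks worth running before the request goes to a CA: that the key is mode 600 and owned by the expected user, and that the request's public key really belongs to that key. Assumes a Linux system with openssl and GNU stat on PATH.

```shell
#!/bin/sh
# Added example, not the manual's own commands. Assumes Linux, openssl, GNU stat.
set -e

# Generate the private key under a restrictive umask so the file is never
# group/world readable, not even between creation and chmod.
gen_server_key() {
    key=$1
    ( umask 077; openssl genrsa -out "$key" 2048 2>/dev/null )
    chmod go-rwx "$key"
}

# Returns 0 only if the key exists, is mode 600 and is owned by the user running
# this check. In production that user is root, as the manual requires.
key_perms_ok() {
    key=$1
    [ -f "$key" ] || return 1
    [ "$(stat -c '%a' "$key")" = "600" ] || return 1
    [ "$(stat -c '%u' "$key")" = "$(id -u)" ] || return 1
}

# Non-interactive equivalent of "make certreq". The subject fields are
# constructed placeholder values; substitute your organisation's real ones.
gen_cert_request() {
    key=$1; csr=$2
    ( umask 077; openssl req -new -key "$key" \
        -subj "/C=US/ST=North Carolina/L=Raleigh/O=Example Corp/CN=www.example.com" \
        -out "$csr" 2>/dev/null )
}

# Returns 0 if the request's self-signature verifies and its public key matches
# the private key. A mismatch means the CA would issue a certificate that this
# server key can never serve, which is exactly the situation the manual warns
# has no remedy except buying a new certificate.
csr_matches_key() {
    key=$1; csr=$2
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl req -in "$csr" -pubkey -noout 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```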