Khalid Schofield wrote:

quoted text
> So do I have to use pass phrases when generating the certificate? If I

> use a pass phrase why? How does it effect the certificate and it's use?

>

> Also if I use a pass phrase do I have to tell apache about it? Does it

> go in a config or do I have to enter it when reloading apache?

You do not need a pass phrase, in fact usually a pass phrase will

prevent apache from starting until you respond to the prompt to enter

the pass phrase. If your server is going to be somewhere where there

might be a power outage, or rebooted by someone who does not have the

pass phrase it's generally a big headache.

That being said, if there is a risk that someone could read your private

key off your webserver, either by physically stealing the server or an

untrusted admin, a pass phrase isn't a bad idea. But in this case you

have to consider what else would be compromised, and if it's easier just

to revoke that cert and get another one.
My recommendation would be to not use a pass phrase for SSL services,

but use a passphrase for a certificate that you use to sign other

certificates: i.e. VPN user authentication, authenticating SSL users by

issuing them each their own certificate, or similar.
The process of setting up signed cert is as follows:

1. Generate your private key and secure file permissions (you want to do

this in a secure fashion, i.e. on the box directly as a root or a

private user). Guard this file: if it is compromised the security SSL

provides is compromised.:

openssl genrsa -out secure.example.com.key 4096

chmod 400 secure.example.com.key
2. Generate your certificate signing request (CSR), you will be prompted

to answer a bunch of questions country, state, location, organization,

organization unit, common name and email address, answer these accuratly

or else the certificate authority will not sign your key, there is one

of special note: Common Name (CN) needs to be the exact domain name of

your SSL site i.e. secure.example.com in this example:

openssl req -new -nodes -key secure.example.com.key -out

secure.example.com.csr
3. Send the CSR (you can open the file and copy and paste the contents

into an email, or the certificate authority's website) to the

certificate authority along with what ever other documentation they

require (there job is to verify you are who you are requesting a

certificate for before signing the key, they usally require some proof

of domain ownership and everything else you entered in step 2).
4. You will then receive your signed certificate, you can either keep

the certificate in a separate file from your private key, or cat them

together to make a .pem file: cat secure.example.com.key

secure.example.com.cert > secure.example.com.pem; chmod 400

secure.example.com.pem

Configure apache to use your new cert and key:

SSLCertificateFile /etc/ssl/secure.example.com.cert

SSLCertificateKeyFile /etc/ssl/secure.example.com.key

 - or -

SSLCertificateFile /etc/ssl/secure.example.com.key
Since apache is chrooted, have to restart it to read the new key and

certificate.
Dustin Lundquist