This is REALLY useful. Thanks. Gets right to the matter! Although this
will fix my issue the other people's replies are an interesting insight and
I shall follow advice and read about how x509 works.
On Sat, 14 Jun 2008, Dustin Lundquist wrote:
> Khalid Schofield wrote:
>> So do I have to use pass phrases when generating the certificate? If I
>> use a pass phrase why? How does it affect the certificate and its use?
>>
>> Also if I use a pass phrase do I have to tell apache about it? Does it
>> go in a config or do I have to enter it when reloading apache?
> You do not need a pass phrase, in fact usually a pass phrase will
> prevent apache from starting until you respond to the prompt to enter
> the pass phrase. If your server is going to be somewhere where there
> might be a power outage, or rebooted by someone who does not have the
> pass phrase it's generally a big headache.
>
> That being said, if there is a risk that someone could read your private
> key off your webserver, either by physically stealing the server or an
> untrusted admin, a pass phrase isn't a bad idea. But in this case you
> have to consider what else would be compromised, and if it's easier just
> to revoke that cert and get another one.
>
> My recommendation would be to not use a pass phrase for SSL services,
> but use a passphrase for a certificate that you use to sign other
> certificates: i.e. VPN user authentication, authenticating SSL users by
> issuing them each their own certificate, or similar.
>
> The process of setting up a signed cert is as follows:
> 1. Generate your private key and secure file permissions (you want to do
> this in a secure fashion, i.e. on the box directly as a root or a
> private user). Guard this file: if it is compromised the security SSL
> provides is compromised.:
> openssl genrsa -out secure.example.com.key 4096
> chmod 400 secure.example.com.key
>
> 2. Generate your certificate signing request (CSR). You will be prompted
> to answer a bunch of questions: country, state, location, organization,
> organization unit, common name and email address. Answer these accurately
> or else the certificate authority will not sign your key. There is one
> of special note: Common Name (CN) needs to be the exact domain name of
> your SSL site, i.e. secure.example.com in this example:
> openssl req -new -nodes -key secure.example.com.key -out
> secure.example.com.csr
>
> 3. Send the CSR (you can open the file and copy and paste the contents
> into an email, or the certificate authority's website) to the
> certificate authority along with whatever other documentation they
> require (their job is to verify you are who you are requesting a
> certificate for before signing the key; they usually require some proof
> of domain ownership and everything else you entered in step 2).
>
> 4. You will then receive your signed certificate, you can either keep
> the certificate in a separate file from your private key, or cat them
> together to make a .pem file: cat secure.example.com.key
> secure.example.com.cert > secure.example.com.pem; chmod 400
> secure.example.com.pem
> Configure apache to use your new cert and key:
> SSLCertificateFile /etc/ssl/secure.example.com.cert
> SSLCertificateKeyFile /etc/ssl/secure.example.com.key
> - or -
> SSLCertificateFile /etc/ssl/secure.example.com.pem
>
> Since apache is chrooted, you have to restart it to read the new key and
> certificate.
>
>
>
> Dustin Lundquist
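The steps quoted above, as an added example that is not part of the thread or of anyone's posted commands: the key and CSR are produced non-interactively (openssl's -subj replaces the prompts), and a few checks are added that are worth running before the CSR is sent off and before the returned certificate is put into apache, namely that the CN is the exact hostname, that the key file is readable by its owner only, and that key, CSR and certificate all carry the same public key (the last check goes one step beyond the thread, which only covers key and CSR). The hostname secure.example.com, the subject fields, the directory and the function names are all assumptions; a self-signed certificate stands in for the CA-issued one only so the cert check can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original thread: the key -> CSR -> verify
# steps, done non-interactively, plus the checks a practitioner would run
# before sending the CSR and before pointing apache at the files.
# Hostname, subject fields and directory are placeholders; adjust for your site.
set -eu

# gen_key DIR HOST [BITS]: private key created owner-only from the first byte
# (umask in a subshell), then locked read-only as in step 1 of the thread.
gen_key() {
    dir=$1; host=$2; bits=${3:-4096}
    ( umask 077; openssl genrsa -out "$dir/$host.key" "$bits" 2>/dev/null )
    chmod 400 "$dir/$host.key"
}

# gen_csr DIR HOST: CSR whose CN is exactly the hostname (step 2). -subj
# supplies the answers, so nothing is prompted; the other fields are placeholders.
gen_csr() {
    dir=$1; host=$2
    openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/C=XX/ST=Example State/L=Example City/O=Example Org/OU=Web/CN=$host/emailAddress=hostmaster@$host"
}

# csr_cn FILE: print the CN from the CSR subject, so it can be eyeballed before
# the CSR goes to the CA. Handles both subject formats openssl has printed over
# the years ("/CN=host/..." and "CN = host, ...").
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# pubkey_of FILE: the public key in PEM form from a private key, a CSR or a
# certificate (chosen by file extension), so the three can be compared.
pubkey_of() {
    case $1 in
        *.key)        openssl pkey -in "$1" -pubout ;;
        *.csr)        openssl req  -in "$1" -pubkey -noout ;;
        *.cert|*.crt) openssl x509 -in "$1" -pubkey -noout ;;
        *) echo "pubkey_of: unknown file type: $1" >&2; return 1 ;;
    esac
}

# same_keypair A B: succeed only if both files carry the same public key.
# A mismatch means the CSR or the returned cert was made from a different key
# than the one SSLCertificateKeyFile will point at, and apache will refuse it.
same_keypair() {
    [ "$(pubkey_of "$1")" = "$(pubkey_of "$2")" ]
}

# key_perms_ok FILE: succeed only if group and other have no permission bits,
# which is the state chmod 400 leaves. ls -l is used because its output is the
# same on GNU and BSD systems, unlike stat(1).
key_perms_ok() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# run_demo DIR HOST: the whole workflow end to end. The self-signed cert is a
# stand-in for the CA-issued one, used only so the cert check runs offline.
run_demo() {
    dir=$1; host=$2
    gen_key "$dir" "$host"
    gen_csr "$dir" "$host"
    echo "CSR CN: $(csr_cn "$dir/$host.csr")"
    openssl x509 -req -in "$dir/$host.csr" -signkey "$dir/$host.key" \
        -days 1 -out "$dir/$host.cert" 2>/dev/null
    if same_keypair "$dir/$host.key" "$dir/$host.csr"; then
        echo "key and CSR match"
    else
        echo "key and CSR MISMATCH: CSR was not made from this key"; return 1
    fi
    if same_keypair "$dir/$host.key" "$dir/$host.cert"; then
        echo "key and cert match"
    else
        echo "key and cert MISMATCH: do not configure apache with this pair"; return 1
    fi
    if key_perms_ok "$dir/$host.key"; then
        echo "key permissions ok"
    else
        echo "key is readable by group or other"; return 1
    fi
}

# Stand-alone use: sh this_script.sh demo /etc/ssl secure.example.com
if [ "${1:-}" = "demo" ]; then
    run_demo "${2:-.}" "${3:-secure.example.com}"
fi
```

The permission check and the key/cert comparison are the two things to run again on the production box after the files have been copied there: the thread's step 4 describes copying and concatenating, and it is that copy step where a wrong file or a loosened mode usually slips in.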