How To Create an SSL Key?
How to create a self-signed SSL Certificate?
The following is a very simplistic explanation of how SSL works and what role the certificate plays in the process.
Normal web traffic is sent across the Internet in an unencrypted format. That is, anyone with the correct equipment can eavesdrop on all of that data. Naturally, this can cause issues, particularly where security and privacy are required, such as with credit card information and bank transactions. The Secure Socket Layer (SSL) encrypts the data stream between the web server and the web client (the browser).
SSL employs asymmetric cryptography (also known as public-key cryptography, the basis of a Public Key Infrastructure, or PKI) to protect data. Two keys are created in public-key cryptography: one public and one private. Anything encrypted with either key can only be decrypted with the other. As a result, if a message or data stream is encrypted with the server’s private key, it can only be decoded using the server’s public key, verifying that the data came from the server alone.
Why is a certificate required if SSL uses public-key cryptography to encrypt the data stream going over the Internet? The technical answer is that a certificate isn’t strictly required for encryption: the data is secure and difficult for a third party to decrypt either way. Certificates, however, play an important function in the communication process. The certificate, which is signed by a reputable Certificate Authority (CA), verifies that the certificate holder is who he says he is. Without a trustworthy signed certificate, your data may be encrypted, but the entity you’re dealing with might not be who you think it is. Impersonation attacks would be far more widespread if certificates did not exist.
Step 1: Generate a Private Key
The OpenSSL tools are used to generate an RSA Private Key and a CSR (Certificate Signing Request). They can also be used to create self-signed certificates for testing or internal purposes.
The first step is to create your RSA Private Key. This key is a 1024-bit RSA key that is Triple-DES encrypted and saved in PEM format, which can be read as ASCII text.
Step 2: Generate a CSR (Certificate Signing Request)
A Certificate Signing Request can be generated once the private key exists. The CSR is then used in one of two ways. Ideally, the CSR is sent to a Certificate Authority such as Thawte or Verisign, which authenticates the requestor’s identity and issues a signed certificate. The second alternative is to self-sign the CSR, as shown in the next section.
Several pieces of information will be requested during CSR generation. These are the certificate’s X.509 attributes. One of the prompts will be “Common Name (e.g., YOUR name)”. This field must be filled in with the fully qualified domain name of the server to be protected by SSL. If the website to be secured is https://public.akadia.com, enter public.akadia.com at this prompt. To generate a CSR, use the following command:
Step 3: Remove Passphrase from Key
A passphrase-encrypted private key has the unwanted side effect of requiring the passphrase each time the web server is launched. This is obviously inconvenient because someone may not always be available to key in the passphrase, such as after a reboot or crash. Although mod_ssl allows you to use external software instead of the built-in passphrase dialogue, this isn’t always the most secure alternative. The Triple-DES encryption can be removed from the key, eliminating the need to enter a passphrase. If the private key is no longer encrypted, this file must be readable only by the root user! If your machine is ever compromised and a third party obtains your unencrypted private key, the accompanying certificate will need to be revoked. With that in mind, run the command below to delete the passphrase from the key:
Step 4: Generating a Self-Signed Certificate
You’ll need to generate a self-signed certificate at this stage either because you don’t plan on having your certificate issued by a CA, or because you want to test your new SSL implementation while the CA is still issuing your certificate. This temporary certificate will cause the client browser to display an error message stating that the signing certificate authority is unknown and untrusted.
Issue the following command to generate a temporary certificate that is valid for 365 days:
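The following script is an added example of Steps 1 through 4 carried out end to end with the OpenSSL command line; it is not part of the original article. It assumes a POSIX shell and a working `openssl` binary, uses `public.akadia.com` from the text as a placeholder Common Name and a constructed passphrase, and departs from the article in two places where current practice differs: it generates a 2048-bit key rather than 1024-bit, and it adds a `subjectAltName` extension because modern browsers match the hostname against the SAN, not the Common Name. It also keeps the Triple-DES-protected copy of the key beside the unencrypted one and restricts the unencrypted file to its owner, as Step 3 requires.

```shell
#!/bin/sh
# Added example: private key, CSR, passphrase removal and self-signed certificate.
# Assumes: openssl on PATH. WORKDIR, CN and KEY_PASSPHRASE are placeholders you may override.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CN="${CN:-public.akadia.com}"          # hostname from the article; replace with your own FQDN
PASS="${KEY_PASSPHRASE:-changeit}"     # constructed demo passphrase, never use in production

gen_key() {
  # Step 1: RSA private key, Triple-DES encrypted, PEM encoded.
  # The article uses 1024 bits; 2048 is the minimum that CAs and browsers accept today.
  openssl genrsa -des3 -passout "pass:$PASS" -out "$WORKDIR/server.key" 2048
}

gen_csr() {
  # Step 2: certificate signing request. -subj answers the X.509 prompts non-interactively;
  # CN must be the fully qualified domain name that the server will be reached at.
  openssl req -new -key "$WORKDIR/server.key" -passin "pass:$PASS" \
    -subj "/O=Example Org/CN=$CN" -out "$WORKDIR/server.csr"
}

strip_passphrase() {
  # Step 3: write an unencrypted copy so Apache can start unattended, keep the encrypted
  # original as server.key.secure, and make the plaintext key readable only by its owner.
  openssl rsa -in "$WORKDIR/server.key" -passin "pass:$PASS" -out "$WORKDIR/server.key.insecure"
  chmod 600 "$WORKDIR/server.key.insecure"
  mv "$WORKDIR/server.key" "$WORKDIR/server.key.secure"
  mv "$WORKDIR/server.key.insecure" "$WORKDIR/server.key"
}

self_sign() {
  # Step 4: self-signed certificate valid for 365 days, signed with SHA-256.
  # The SAN extension is added through -extfile so this also works on older OpenSSL releases.
  printf 'subjectAltName=DNS:%s\n' "$CN" > "$WORKDIR/san.ext"
  openssl x509 -req -days 365 -sha256 -in "$WORKDIR/server.csr" \
    -signkey "$WORKDIR/server.key" -extfile "$WORKDIR/san.ext" -out "$WORKDIR/server.crt"
}

key_matches_cert() {
  # Sanity check before installing: key and certificate must share the same RSA modulus.
  k=$(openssl rsa -noout -modulus -in "$WORKDIR/server.key" | openssl dgst -sha256)
  c=$(openssl x509 -noout -modulus -in "$WORKDIR/server.crt" | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

cert_has_san() {
  # Confirm the hostname landed in subjectAltName, which is what browsers actually check.
  openssl x509 -noout -text -in "$WORKDIR/server.crt" | grep -q "DNS:$CN"
}

run_all() {
  gen_key && gen_csr && strip_passphrase && self_sign && key_matches_cert && cert_has_san
  echo "key, CSR and certificate written to $WORKDIR"
}

run_all
```

When you later replace the self-signed certificate with one issued by a CA, rerun `key_matches_cert` against the CA-issued file; a mismatch there is the most common cause of Apache refusing to start after the certificate is swapped.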
Step 5: Installing the Private Key and Certificate
When you install Apache with mod_ssl, it adds some directories to the Apache config directory. The location of this directory depends on how Apache was built.