Follow the steps below to generate an RSA Private Key, Certificate Signing Request (CSR), and optional self-signed certificate using OpenSSL. For your organization's internal or testing purposes, Aspera also provides the PEM files aspera_server_cert.pem and aspera_server_key.pem, which can be found in the following directory:
About PEM Files:
The PEM certificate format is commonly issued by Certificate Authorities. PEM certificates have extensions that include .pem, .crt, .cer, and .key, and are Base-64 encoded ASCII files containing "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format. Apache and other similar servers use PEM format certificates.
OpenSSL is used to generate an RSA Private Key and a Certificate Signing Request (CSR), and can also be utilized to generate self-signed certificates for testing purposes or internal usage. Your operating system may have OpenSSL already installed or may come with precompiled OpenSSL packages. For your convenience, Aspera provides an OpenSSL binary in the following location:
You can also visit http://www.openssl.org/source for a repository of all OpenSSL distribution tarballs. Aspera advises that you review your specific operating system's documentation for information on installing or upgrading OpenSSL packages.
In this step, you generate an RSA Private Key and CSR using OpenSSL. In a Terminal window, enter the following command (where my_key_name.key is the name of the unique key you are creating and my_csr_name.csr is the name of your CSR):
$ openssl req -new -nodes -newkey rsa:2048 -keyout my_key_name.key -out my_csr_name.csr
After entering the command in the previous step, you are prompted to input several pieces of information, which are the certificate's X.509 attributes.
Generating a 1024 bit RSA private key ....................++++++ ................++++++ writing new private key to 'my_key_name.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]:Your_2_letter_ISO_country_code State or Province Name (full name) [Some-State]:Your_State_Province_or_County Locality Name (eg, city) :Your_City Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your_Company Organizational Unit Name (eg, section) :Your_Department Common Name (i.e., your server's hostname) :secure.yourwebsite.com Email Address :firstname.lastname@example.org
You are also prompted to enter "extra" attributes, including an optional challenge password. Note that manually entering a challenge password when starting the server can be problematic in some situations (for example, when starting the server from the system boot scripts). You can skip entering a challenge password by pressing ENTER.
... Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name :
After finalizing the attributes, the private key and CSR will be saved to your root directory.
You now need to send your unsigned CSR to a Certificate Authority (CA). Once the CSR has been signed, you will have a real certificate, which can be used by Apache.
At this point, you may need to generate a self-signed certificate for either of the following reasons:
You may also generate a self-signed certificate through OpenSSL. This temporary certificate will generate an error in the client's browser to the effect that the signing certificate authority is unknown and not trusted. To generate a temporary certificate (which is good for 365 days), issue the following command:
openssl x509 -req -days 365 -in my_csr_name.csr -signkey my_key_name.key -out my_cert_name.crt
After receiving your signed certificate from your CA, copy the files into Apache's /conf directory and edit your httpd-ssl.conf file (note that you can store the certificate and key in any directory, as long as the paths are updated in your configuration file. For additional information, see Enable SSL (Apache).