Create an SSL Certificate (Apache)

You can generate an RSA Private Key, Certificate Signing Request (CSR), and optional self-signed certificate by using OpenSSL. For your organization's internal or testing purposes, Aspera provides the PEM files aspera_server_cert.pem and aspera_server_key.pem, which are in the following directory:

/opt/aspera/etc/

About PEM Files:

PEM certificates have extensions that include .pem, .crt, .cer, and .key, and are Base-64 encoded ASCII files containing "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements. Server certificates, intermediate certificates, and private keys can all be put into PEM format. Apache and other similar servers use PEM format certificates.

  1. Install OpenSSL.

    OpenSSL is used to generate an RSA Private Key and a Certificate Signing Request (CSR) and to generate self-signed certificates for testing purposes or internal usage.

    Your operating system might already have OpenSSL installed. If you do not have OpenSSL, you can install it from the Aspera-provided binary in the following location:

    aspera_install_dir/bin/

    You can also visit http://www.openssl.org/source for a repository of all OpenSSL distribution tarballs. Aspera recommends that you review your specific operating system's documentation for information on installing or upgrading OpenSSL packages.

    Important: (Solaris) If you are running Solaris, you might need to temporarily set your LD_LIBRARY_PATH to point to the Aspera OpenSSL libraries. Thus, before running OpenSSL, run the following commands in a Terminal window:
    $ LD_LIBRARY_PATH=/opt/aspera/lib:$LD_LIBRARY_PATH 
    $ export LD_LIBRARY_PATH

    After running Aspera OpenSSL, you can remove /opt/aspera/lib from the path.

  2. Generate your Private Key and Certificate Signing Request using OpenSSL by running the following command:
    $ openssl req -new -nodes -newkey rsa:2048 -keyout my_key_name.key -out my_csr_name.csr

    Where my_key_name.key is the name of the unique key you are creating and my_csr_name.csr is the name of your CSR.

  3. Enter your X.509 certificate attributes.
    The command in the previous step runs and prompts you to input the certificate's X.509 attributes.
    Important: The common name is the fully qualified domain name of the server to be protected by SSL. If you are generating a certificate for an organization outside of the U.S., see http://www.iso.org/iso/english_country_names_and_code_elements for a list of 2-letter, ISO country codes.
    Generating a 1024 bit RSA private key
    ....................++++++
    ................++++++
    writing new private key to 'my_key_name.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:Your_2_letter_ISO_country_code
    State or Province Name (full name) [Some-State]:Your_State_Province_or_County
    Locality Name (eg, city) []:Your_City
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your_Company
    Organizational Unit Name (eg, section) []:Your_Department
    Common Name (i.e., your server's hostname) []:secure.yourwebsite.com
    Email Address []:johndoe@yourwebsite.com
    

    You are also prompted to enter "extra" attributes, including an optional challenge password. Note that manually entering a challenge password when starting the server can be problematic in some situations (for example, when starting the server from the system boot scripts). You can skip entering a challenge password by pressing ENTER.

    ...
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    

    After finalizing the attributes, the private key and CSR are saved to your root directory.

    Important: If you make a mistake when running the OpenSSL command, you can discard the generated files and run the command again. After successfully generating your key and Certificate Signing Request, be sure to guard your private key, as it cannot be regenerated.
  4. Send the CSR to your signing authority.

    Send your unsigned CSR to a Certificate Authority (CA). Once the CSR is signed, you have a real certificate that can be used by Apache.

    Important: Some Certificate Authorities provide a Certificate Signing Request generation tool on their Website. Please check with your CA for additional information.
  5. Generate a Self-Signed Certificate (Optional).

    At this point, you might need to generate a self-signed certificate for either of the following reasons:

    • You don't plan on having your certificate signed by a CA (Some Aspera applications do not allow self-signed certificates)
    • You wish to test your new SSL implementation while the CA is signing your certificate

    When you use a self-signed certificate, it will generate an error in the client's browser to the effect that the signing certificate authority is unknown and not trusted.

    To generate a temporary certificate that is valid for 365 days, run the following command:

    openssl x509 -req -days 365 -in my_csr_name.csr -signkey my_key_name.key -out my_cert_name.crt
  6. Copy the key and signed certificate into the Apache /conf directory.

    Edit your httpd-ssl.conf file to point to the new key and certificate files. You can store the certificate and key in any directory, as long as the paths are updated in your configuration file. For additional information, see Enable SSL (Apache).