Generate your own private key, CSR and PEM file
To generate a new certificate, follow the instructions provided below using the OpenSSL command-line binary (/opt/aspera/shares/bin/openssl).
In this step, you will generate an RSA Private Key and CSR using OpenSSL. In a Terminal window, enter the following command (where my_key_name.key is the name of the unique key that you are creating and my_csr_name.csr is the name of your CSR):
$ openssl req -new -nodes -newkey rsa:2048 -keyout my_key_name.key -out my_csr_name.csr
After entering the command in the previous step, you will be prompted to input several pieces of information, which are the certificate's X.509 attributes.
Generating a 1024 bit RSA private key
....................++++++
................++++++
writing new private key to 'my_key_name.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:Your_2_letter_ISO_country_code
State or Province Name (full name) [Some-State]:Your_State_Province_or_County
Locality Name (eg, city) []:Your_City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your_Company
Organizational Unit Name (eg, section) []:Your_Department
Common Name (i.e., your server's hostname) []:secure.yourwebsite.com
Email Address []:johndoe@yourwebsite.com
You will also be prompted to input "extra" attributes, including an optional challenge password. Please note that manually entering a challenge password when starting the server can be problematic in some situations (e.g., when starting the server from the system boot scripts). You can skip the challenge password by pressing Enter.
...
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
After finalizing the attributes, the private key and CSR will be saved to your root directory.
You now need to send your unsigned CSR to a Certificate Authority (CA). Once the CSR has been signed, you will have a real certificate, which can be used by Apache.
At this point, you may need to generate a self-signed certificate because:
You may also generate a self-signed certificate through OpenSSL. This temporary certificate will generate an error in the client's browser to the effect that the signing certificate authority is unknown and not trusted. To generate a temporary certificate (which is good for 365 days), issue the following command:
openssl x509 -req -days 365 -in my_csr_name.csr -signkey my_key_name.key -out my_cert_name.crt
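The two commands above can also be run without the prompts and then checked, shown here as an added example that is not part of the original documentation. The function name `make_and_check` and the subject values (taken from the sample prompts above) are assumptions, and `openssl` is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: non-interactive key/CSR/self-signed run with sanity checks.
# File names follow the page; subject values are placeholders (assumptions).

make_and_check() {
    dir=$1
    subj='/C=US/ST=Some-State/L=Your_City/O=Your_Company/CN=secure.yourwebsite.com'
    (
        cd "$dir" || exit 1
        umask 077   # -nodes writes the key unencrypted: keep it owner-only

        # Step 1: key + CSR; -subj replaces the interactive DN prompts.
        openssl req -new -nodes -newkey rsa:2048 -subj "$subj" \
            -keyout my_key_name.key -out my_csr_name.csr 2>/dev/null || exit 1

        # The CSR's self-signature must verify before it is sent to a CA.
        # Match on the message: older builds exit 0 even when it fails.
        openssl req -in my_csr_name.csr -noout -verify 2>&1 \
            | grep -q 'verify OK' || exit 1

        # Step 2: temporary self-signed certificate, valid for 365 days.
        openssl x509 -req -days 365 -in my_csr_name.csr \
            -signkey my_key_name.key -out my_cert_name.crt 2>/dev/null || exit 1

        # Key, CSR and certificate must all carry the same public key.
        k=$(openssl pkey -in my_key_name.key -pubout | openssl sha256)
        r=$(openssl req -in my_csr_name.csr -noout -pubkey | openssl sha256)
        c=$(openssl x509 -in my_cert_name.crt -noout -pubkey | openssl sha256)
        [ "$k" = "$r" ] && [ "$k" = "$c" ] || exit 1

        # Self-signed means issuer == subject, hence the browser warning.
        i=$(openssl x509 -in my_cert_name.crt -noout -issuer | sed 's/^issuer=//')
        s=$(openssl x509 -in my_cert_name.crt -noout -subject | sed 's/^subject=//')
        [ "$i" = "$s" ] || exit 1
    )
}
```

Call it with an existing directory, for example `make_and_check /path/to/workdir`; a non-zero exit status means one of the checks failed.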