Signature Algorithm: sha256WithRSAEncryption
Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
Validity
    Not Before: Feb  5 02:45:55 2015 GMT
    Not After : Feb  5 15:43:21 2016 GMT
Subject: C=NL, CN=www.domain.com/[email protected]

This tells the browser that the certificate it receives from the HTTPS website is valid for www.domain.com, that it is valid between Feb 5 2015 and Feb 5 2016, and that it is signed by the Issuer, which the browser already trusts. The browser therefore displays no warning when it accesses https://www.domain.com during that validity period. The security of HTTPS websites rests on this basic principle (together with the more complex SSL handshake): the public certificate an HTTPS server presents to its clients is signed by a third party, the Certificate Authority, that those clients trust, as in the example above.
Generate encrypted private key / certificate

[email protected]:~# cd /etc/ssl/private/
[email protected]:/etc/ssl/private# openssl genrsa -h
usage: genrsa [args] [numbits]
 -des            encrypt the generated key with DES in cbc mode
 -des3           encrypt the generated key with DES in ede cbc mode (168 bit key)
 -seed           encrypt PEM output with cbc seed
 -aes128, -aes192, -aes256
                 encrypt PEM output with cbc aes
 -camellia128, -camellia192, -camellia256
                 encrypt PEM output with cbc camellia
 -out file       output the key to 'file
 -passout arg    output file pass phrase source
 -f4             use F4 (0x10001) for the E value
 -3              use 3 for the E value
 -engine e       use engine e, possibly a hardware device.
 -rand file:file:...
                 load the file (or the files in the directory)
                 into the random number generator

[email protected]:/etc/ssl/private# openssl genrsa -aes128 -out private.key 2048
Generating RSA private key, 2048 bit long modulus
..................................................+++
...................................................+++
e is 65537 (0x10001)
Enter pass phrase for private.key:
Verifying - Enter pass phrase for private.key:

Now that we have the private key, the next step is to generate a certificate signing request (CSR), which will be sent to a Certificate Authority for signing:

[email protected]:/etc/ssl/private# openssl req -new -key private.key -out certificate.csr
Enter pass phrase for private.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Linux VPS
Organizational Unit Name (eg, section) []:VPS
Common Name (e.g. server FQDN or YOUR name) []:www.mydomain.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

[email protected]:/etc/ssl/private# cat certificate.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIC3jCCAcYCAQAwgZgxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazER
MA8GA1UEBwwITmV3IFlvcmsxFjAUBgNVBAoMDVZNeSBMaW51eCBWUFMxDDAKBgNV
BAsMA1ZQUzEZMBcGA1UEAwwQd3d3Lm15ZG9tYWluLmNvbTEiMCAGCSqGSIb3DQEJ
ARYTYW5kcmVpQG15ZG9tYWluLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALOjKtbuRemm88No93EfoGeVZU+7IGr6AIaqX0esKDxq5Vtlm+71gc2z
msRL6G7xJU4DvbBdOKBkSKaSdEhPt4uCtgHJpNSA1ez0s2FFXASbN3LPR9oxmyxl
W8oCmAkZNP9B+H0i9kpRs3FtVQzb3fWVMw9slB7bh2p1ZZg/PJm7fE2uAg7vcMAg
9FL+MNKKq7WDSafGqvCV+kVYmguAmgGbsfq2wB0X6I9v0i7sx0Fxmc+B8ZwDj1us
heq5Lt9kF4c63DEjfGhIG8wT8aCIgir7PdCHttppfJz4uXK092EI37ImwDl2lKsX
+Rg2ojqhXzKbxtX4mZoZS0dUlOhladcCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IB
AQA/zOGxiGx8JW4SCnY99bsaiA4zr/a0g33A7E/tSx4gNP9C5CKUk3TUNrZL0h4h
dEwr5yNcp90UWo0zZ6TXid+XaaAcGaF63uX+GrE5lIBSmCX3BohHAaKlYIZG9Pr/
I0pSMfqU6dQQy4CbMiFy0hrBBgcdQIs1xeFVHtU8uG1nFAAsHM+7kaGIjD8yYiOo
4Hf+bEzN+PUEmOwRNsxs4tT4MpeR1U7BBRevtzh3sZ3pRNlJ2lPX/z2+P3rQUARc
9Fq92ORt5TrJHUnTO4tsYxBf8W5P9qckXbmMM9jkMfIDx5RQ0QaTxyaI1uO70Srg
gMZSPb8FRdqtgc1Xha/FIAhK
-----END CERTIFICATE REQUEST-----

In the next article, we will discuss how to enroll for a free SSL certificate with a trusted Certificate Authority.
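The same key and CSR steps, as an added example that is not part of the original post: run non-interactively with the passphrase read from a file, followed by the checks worth doing before a CSR leaves the server (does its self-signature verify, does it belong to this private key, is the key really stored encrypted and 0600). To also illustrate the Subject, Issuer and Validity checks described at the top of the article, the CSR is then signed by a throwaway local test CA, a stand-in for the real CA enrollment the post defers to the next article. It assumes `openssl` is on PATH; every path, name and passphrase in it is constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original post). Requires `openssl` on PATH.
# All paths, names and the passphrase below are constructed for this example.
set -eu
umask 077                                   # every file created here is 0600

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/private.key"; CSR="$WORKDIR/certificate.csr"
PASSFILE="$WORKDIR/key.pass"
CAKEY="$WORKDIR/testca.key"; CACRT="$WORKDIR/testca.crt"
CRT="$WORKDIR/www.mydomain.com.crt"

# 1. Encrypted RSA key, as in the article (-aes128). The passphrase comes from
#    a 0600 file instead of the terminal so the step runs unattended; keep it
#    off the command line, where other users on the host could read it via `ps`.
gen_key() {
    printf '%s' 'example-passphrase' > "$PASSFILE"      # constructed secret
    openssl genrsa -aes128 -passout "file:$PASSFILE" -out "$KEY" 2048 2>/dev/null
}

# 2. CSR carrying the same Distinguished Name fields the interactive prompts ask for.
gen_csr() {
    openssl req -new -key "$KEY" -passin "file:$PASSFILE" -out "$CSR" \
        -subj "/C=US/ST=New York/L=New York/O=My Linux VPS/OU=VPS/CN=www.mydomain.com/emailAddress=admin@mydomain.com"
}

# 3. Checks before the CSR is sent anywhere.
csr_verifies()   { openssl req -in "$CSR" -noout -verify >/dev/null 2>&1; }  # self-signature intact
csr_has_cn()     { openssl req -in "$CSR" -noout -subject | grep -q 'www.mydomain.com'; }
key_matches_csr() {                      # identical RSA modulus => CSR belongs to this key
    k=$(openssl rsa -in "$KEY" -passin "file:$PASSFILE" -noout -modulus | openssl sha256)
    c=$(openssl req -in "$CSR" -noout -modulus | openssl sha256)
    [ "$k" = "$c" ]
}
key_is_encrypted() { grep -q 'ENCRYPTED' "$KEY"; }   # PEM header present only for encrypted keys
key_is_private()   { [ "$(ls -l "$KEY" | cut -c1-10)" = '-rw-------' ]; }

# 4. Stand-in for the CA: a local, self-signed test CA signs the CSR for one day.
sign_with_test_ca() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$CAKEY" -out "$CACRT" \
        -days 1 -subj "/CN=Example Test CA" 2>/dev/null
    openssl x509 -req -in "$CSR" -CA "$CACRT" -CAkey "$CAKEY" -CAcreateserial \
        -out "$CRT" -days 1 2>/dev/null
}

# 5. What a client checks, as described at the top of the article: the chain
#    leads to a CA it trusts (verify also rejects a not-yet-valid notBefore),
#    and the certificate has not passed its notAfter date.
cert_chains_to_ca() { openssl verify -CAfile "$CACRT" "$CRT" 2>&1 | grep -q ': OK$'; }
cert_not_expired()  { openssl x509 -in "$CRT" -noout -checkend 0 >/dev/null; }
cert_summary()      { openssl x509 -in "$CRT" -noout -subject -issuer -dates; }

gen_key && gen_csr && sign_with_test_ca
cert_summary                                # prints Subject, Issuer, Not Before / Not After
```

Run it as `sh gen_csr.sh`; `cert_summary` prints the same three fields (Subject, Issuer, Validity) the article's certificate excerpt shows, and each check function exits non-zero on failure, so they drop straight into a deployment script.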
You can try these SSL settings on our platform in a few minutes using our PCS (Private Cloud Solution), which gives you VPSie(s) on a private network with NAT, port forwarding, inbound and outbound traffic control, and multiple gateway IPs that you can use for load balancing and failover.