Generate Ssl Certificate And Private Key

09.12.2020
43 Comments
  • Apr 12, 2020  When we create private key for Root CA certificate, we have an option to either use encryption for private key or create key without any encryption. As if we choose to create private key with encryption such as 3DES, AES then you will have to provide a passphrase every time you try to access the private key.
  • All SSL Certificates require a private key to work. The private key is a separate file that’s used in the encryption/decryption of data sent between your server and the connecting clients. A private key is created by you—the certificate owner—when you request.
  • The Certificate Authority (CA) provides you with your SSL Certificate (public key file). You use your server to generate the associated private key file where the CSR was created. You need both the public key and private keys for an SSL certificate to work properly on any system.
  • The private key for an SSL Certificate is something that is generated when you create a CSR. During the CSR creation process, the server will usually save the private key in one of its directories. During the CSR creation process, the server will usually save the private key in one of its directories.

Overview

The following is an extremely simplified view of how SSL is implemented and what part the certificate plays in the entire process.

Public key vs private key. Public key is embedded in the SSL certificate and private key is stored on the server and kept secret. When a site visitor fills out a form with personal information and submits it to the server, the information gets encrypted with the public key to protect if from eavesdropping. SSL.com’s public CSR and Key Generator is currently down for maintenance as part of our website’s redesign and update. We will be back soon with a new and updated version. In the mean time, we encourage our customers to learn about generating CSRs and keys in.

Normal web traffic is sent unencrypted over the Internet. That is, anyone with access to the right tools can snoop all of that traffic. Obviously, this can lead to problems, especially where security and privacy is necessary, such as in credit card data and bank transactions. The Secure Socket Layer is used to encrypt the data stream between the web server and the web client (the browser).

SSL makes use of what is known as asymmetric cryptography, commonly referred to as public key cryptography (PKI). With public key cryptography, two keys are created, one public, one private. Anything encrypted with either key can only be decrypted with its corresponding key. Thus if a message or data stream were encrypted with the server's private key, it can be decrypted only using its corresponding public key, ensuring that the data only could have come from the server.

If SSL utilizes public key cryptography to encrypt the data stream traveling over the Internet, why is a certificate necessary? The technical answer to that question is that a certificate is not really necessary - the data is secure and cannot easily be decrypted by a third party. However, certificates do serve a crucial role in the communication process. The certificate, signed by a trusted Certificate Authority (CA), ensures that the certificate holder is really who he claims to be. Without a trusted signed certificate, your data may be encrypted, however, the party you are communicating with may not be whom you think. Without certificates, impersonation attacks would be much more common.

Step 1: Generate a Private Key

The openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request). It can also be used to generate self-signed certificates which can be used for testing purposes or internal usage.

The first step is to create your RSA Private Key. This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text.

Step 2: Generate a CSR (Certificate Signing Request)

Once the private key is generated a Certificate Signing Request can be generated. The CSR is then used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as Thawte or Verisign who will verify the identity of the requestor and issue a signed certificate. The second option is to self-sign the CSR, which will be demonstrated in the next section.

During the generation of the CSR, you will be prompted for several pieces of information. These are the X.509 attributes of the certificate. One of the prompts will be for 'Common Name (e.g., YOUR name)'. It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL. If the website to be protected will be https://public.example.com, then enter public.example.com at this prompt. The command to generate the CSR is as follows:

Step 3: Remove Passphrase from Key

One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase each time the web server is started. Obviously this is not necessarily convenient as someone will not always be around to type in the pass-phrase, such as after a reboot or crash. mod_ssl includes the ability to use an external program in place of the built-in pass-phrase dialog, however, this is not necessarily the most secure option either. It is possible to remove the Triple-DES encryption from the key, thereby no longer needing to type in a pass-phrase. If the private key is no longer encrypted, it is critical that this file only be readable by the root user! If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked. With that being said, use the following command to remove the pass-phrase from the key:

The newly created server.key file has no more passphrase in it.

Step 4: Generating a Self-Signed Certificate

At this point you will need to generate a self-signed certificate because you either don't plan on having your certificate signed by a CA, or you wish to test your new SSL implementation while the CA is signing your certificate. This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted.

To generate a temporary certificate which is good for 365 days, issue the following command:

Step 5: Installing the Private Key and Certificate

When Apache with mod_ssl is installed, it creates several directories in the Apache config directory. The location of this directory will differ depending on how Apache was compiled.

Step 6: Configuring SSL Enabled Virtual Hosts on Apache

Step 7: Restart Apache and Test

Table of Contents

  • Overview
  • Contact Information
  • Private Key Options
  • Certificate information
  • Shared Secrets
  • Create

Table of Contents

  • Overview
  • Contact Information
  • Private Key Options
  • Certificate information
  • Shared Secrets
  • Create

Generate an SSL Certificate and Signing Request

Valid for versions 82 through the latest version

Last modified: October 7, 2019

Overview

This feature allows you to simultaneously generate both a self-signed SSL certificate and a certificate signing request (CSR) for a domain. You can also use this interface to generate private keys, which are essential for self-signed certificates and purchased certificates. To purchase a certificate, submit the CSR to your chosen certificate authority (CA). They will provide you with a certificate, typically in a .zip file via email.

For more information, read our Purchase and Install an SSL Certificate documentation.

Contact Information

To receive the SSL certificate, private key, and CSR in an email, enter an email address in the Email Address text box.

Select the When complete, email me the certificate, key, and CSR. checkbox to receive a copy of the request that this interface generates.

Do not select this checkbox if your email service provider does not support secure mail via SSL/TLS.

Private Key Options

Select the desired key size from the Key Size menu. We recommend that you choose 2,048 bits.

Certificate information

To generate an SSL certificate and CSR, perform the following steps:

  1. In the Domains text box, enter the domain name of the website that the certificate will secure.
    • You can enter a wildcard-formatted domain name to install the same certificate on any number of subdomains if they share an IP address. For example, you can use a wildcard certificate for *.example.com to securely connect to the mail.example.com and www.example.com domains.
    • You can also enter multiple domains, with one domain per line.
    • For more information about how to share SSL certificates, read our Manage SSL Hosts documentation.
  2. In the City text box, enter the complete name of the city in which your servers are located.
  3. In the State text box, enter the complete name of the state in which your servers are located.
  4. In the Country text box, select the country of origin for the certificate.
  5. In the Company Name text box, enter your business’s complete name.
    Some certificate authorities may not accept special characters in the Company Name and Company Division text boxes. If your company name includes symbols other than a period or a comma, ask your CA to confirm whether you can use these characters.
  6. In the Company Division section, enter the name of the department or group within the company. This information is optional.
  7. In the Email text box, enter a secure contact email address that your CA can use to verify domain ownership.

Shared Secrets

Enter a passphrase in the Passphrase text box if your certificate authority requires one for verification purposes.

Create

After you enter the correct information, click Create. WHM will display the CSR with its SSL certificate and private key.

  • Copy and paste these items into the correct directories.
  • If you provided an email address, the system also sends the information to that email address.
  • You can view the keys, certificates, and CSRs that you create in WHM’s SSL Storage Manager interface (WHM >> Home >> SSL/TLS >> SSL Storage Manager).
The system saves this information in the following directories on your servers:

Generate Ssl Certificate With Private Key Iis

  • CSR — /var/cpanel/ssl/system/csrs
  • SSL certificates — /var/cpanel/ssl/system/certs
  • Private keys — /var/cpanel/ssl/system/keys

If you purchased an SSL certificate, provide the CSR to the company from which you purchased the SSL certificate.

If you used a self-signed certificate, navigate to the Install an SSL Certificate on a Domain interface (WHM >> Home >> SSL/TLS >> Install an SSL Certificate on a Domain) to install the certificate.

Generate Ssl Certificate And Private Key Example

Additional Documentation