Australian Access Federation Support Desk

How to create an SSL certificate for your federated web service and get it signed

by Paul Stepowski

On UNIX-like systems (e.g. Linux), use the openssl utility to create an SSL certificate with the following commands:

1.) Generate a private key and write it to a file:

openssl genrsa -out server.key 2048

2.) Generate a Certificate Signing Request (CSR) using the private key.

openssl req -new -key server.key -out server.csr

NOTE: Fill out the fields as appropriate for your service and organisation. Make sure that the "Common Name" field exactly matches the fully qualified domain name of your web service.

3.) Send the CSR to a Certificate Authority (CA) to be signed.

There are many CAs that can sign your CSR for you. Some are free; some charge a fee. AusCERT provides an SSL certificate signing service to AusCERT subscribers.

4.) Once you have received the signed CSR back from the CA, use the signed CSR to generate a certificate.

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

5.) Copy both the key and the signed certificate to a secure location. It is imperative that you protect the privacy of the private key, or the confidentiality of your web service may be compromised. Both of these files must not be owned by the web server software's user, but must be readable by the web server software's group. Both of these files must be readable, but not writable, by the web server software. No other users on the system should be able to read the private key file.

chown root.httpd server.key server.crt
chmod 440 server.key server.crt

NOTE: If your SSL CA is an intermediate CA (such as AusCERT), you may need to copy the intermediate CA's public certificate into your system's SSL keystore. On Red Hat Linux systems, the keystore is located in /etc/pki/tls/certs. This location may vary across operating systems.
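The five steps above as one script, added here as an example that is not part of the original article or of AAF's own tooling: it generates the key and CSR non-interactively, runs the article's step 4 command as an offline stand-in for the CA, then checks that the certificate actually matches the private key and carries the expected Common Name before locking down permissions. The hostname, organisation name and working directory are assumed values.

```shell
# Added example (not from the article): the openssl steps as functions,
# plus the checks to run before handing the files to the web server.
set -e

FQDN="${FQDN:-service.example.edu.au}"   # assumed service hostname
WORK="${WORK:-$(mktemp -d)}"             # assumed scratch directory

# Steps 1-2: private key and CSR. -subj answers the prompts
# non-interactively; CN is set to the FQDN as the article's NOTE requires.
make_key_and_csr() {
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/C=AU/O=Example University/CN=$FQDN"
}

# Step 4 as printed in the article. It self-signs, so here it only stands
# in for the CA to keep the script offline; in production, save the
# certificate the CA returns as server.crt instead of running this.
sign_csr_locally() {
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -signkey "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# Check 1: the certificate's public key must belong to server.key;
# a mismatch means the web server cannot bring up its TLS listener.
cert_matches_key() {
  k=$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$WORK/server.crt" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ]
}

# Check 2: print the Common Name so it can be compared with the FQDN
# clients connect to; a mismatch produces browser certificate warnings.
cert_cn() {
  openssl x509 -in "$WORK/server.crt" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Step 5: root-owned, group-readable, never writable by the web server.
# chown is only attempted when running as root and the httpd group exists.
lock_down() {
  if [ "$(id -u)" -eq 0 ] && getent group httpd >/dev/null 2>&1; then
    chown root:httpd "$WORK/server.key" "$WORK/server.crt"
  fi
  chmod 440 "$WORK/server.key" "$WORK/server.crt"
}

# Mode string of the private key file; expected "-r--r-----" after step 5.
key_mode() { ls -l "$WORK/server.key" | cut -c1-10; }
```

Run the functions in order (make_key_and_csr, sign_csr_locally, cert_matches_key, lock_down); when a real CA certificate is installed as server.crt, skip sign_csr_locally and the two checks still apply.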
