
Differences in Revisions: ssl-cert_man

deleted Generate an SSL-Certificate manually webpage
# Generate an SSL-Certificate manually
FIXME - Could contain errors, no native translator - Remove this when all errors are deleted
## Introduction
During the [Installation](/installation), a self-signed SSL certificate (v1) is generated, based on the [host name and domain](/installation/start#hostname & domain) specified during setup, to enable HTTPS access to the WUI of IPFire via port 444.
 
If you change the host name and/or domain name afterwards, the SSL certificate has to be rebuilt; otherwise the browser will complain not only about the self-signed certificate, but also about the mismatch between the URL and the Common Name contained in the SSL certificate.
 
Generating an SSL certificate is not difficult if you follow a few rules and know where the SSL certificate is stored.
 
 
## Step-by-step Instructions
 
 
### Access IPFire via SSH
Log in to IPFire via SSH and use this command:
 
`cd /etc/httpd/`
 
to change into the configuration folder of the installed Apache.
 
### Backup the existing keys and certificates
Use this command:
 
```
cp server.key server.key.old &&
cp server.csr server.csr.old &&
cp server.crt server.crt.old
```
 
to save the existing files:
 
* server.key (private key, required to create the [CSR](wp>Certificate_signing_request) and the SSL certificate)
* server.csr ([CSR](wp>Certificate_Signing_Request) (Certificate Signing Request), the request file from which the SSL certificate is built)
* server.crt (the [SSL certificate](wp>Digital_Certificate) itself)
 
in the current folder (/etc/httpd).
 
### Create a new private key
<WRAP important center round 80%>If you don't want to create a new private key, skip this step.
All SSL certificates based on the old server.key become invalid once a new private key is created!</WRAP>
 
Use this command:
 
`openssl genrsa -out server.key 2048`
 
to create a new private key **without pass phrase**.

The number at the end (2048) sets the strength (bit length) of the newly generated private key.
Values used today are 2048 or higher, because keys shorter than 2048 bits can be broken too easily (and with them the SSL communication between client and server) and should not be used! Be warned.
The drawback of higher values is a higher system load when encrypting/decrypting the SSL communication.
 
Use this command:
 
`openssl genrsa -des3 -out server.key 2048`
 
to create a new private key **with pass phrase** (password).

Using a private key with a pass phrase is not recommended, because otherwise somebody has to type the password on the console each time an SSL connection is to be established, or you have to store the pass phrase in the HTTPS configuration of your Apache installation.
 
### Generate a new CSR (Certificate Signing Request)
Use this command:
 
`openssl req -new -key server.key -out server.csr`
 
to create the new CSR.
 
<WRAP important center round 80%>It is important that you set the Common Name to the correct host name and domain name (e.g. ipfire.my-domain) of your IPFire system.</WRAP>
 
### Create a new SSL-Certificate
Use this command:
 
`openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt`
 
to create a new self-signed SSL-Certificate.
 
The newly created certificate is valid for one year (-days 365) from the time of creation.
If you need a longer validity period, just increase the -days option to a higher value.
 
### Restart the Apache web server
Use this command:
 
`/etc/init.d/apache restart`
 
to restart the web server.
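The steps above, combined into one non-interactive script with a check that the result is what the browser will expect. This is an added example, not a script from the IPFire wiki; it assumes `openssl` is on the PATH, the certificate directory defaults to /etc/httpd but can be overridden for a dry run, and it goes beyond the page by also adding a subjectAltName (which current browsers check instead of the CN). Restart Apache afterwards as described above.

```shell
#!/bin/sh
# Added example (not from the IPFire wiki): regenerate the WUI certificate
# non-interactively and verify it. Assumes openssl is installed.
set -eu

# regen_wui_cert <fqdn> [cert_dir] [days]
# Backs up server.key/.csr/.crt, creates a 2048-bit key without pass phrase,
# a CSR whose Common Name is <fqdn> (via -subj instead of the prompts), and a
# self-signed certificate that also carries subjectAltName=DNS:<fqdn>.
regen_wui_cert() {
    fqdn="$1"
    dir="${2:-/etc/httpd}"        # /etc/httpd on a real IPFire system
    days="${3:-365}"
    for f in server.key server.csr server.crt; do
        [ -f "$dir/$f" ] && cp "$dir/$f" "$dir/$f.old"
    done
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$fqdn"
    # Extension file for x509 -req; works on OpenSSL 1.0.2 and later.
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.ext"
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" \
        -extfile "$dir/san.ext" 2>/dev/null
    rm -f "$dir/san.ext"
}

# check_wui_cert <fqdn> [cert_dir]
# Returns 0 only if the certificate's CN equals <fqdn> (what the browser
# compares against the URL) and its public key matches server.key.
check_wui_cert() {
    fqdn="$1"
    dir="${2:-/etc/httpd}"
    subj=$(openssl x509 -in "$dir/server.crt" -noout -subject -nameopt RFC2253)
    case "$subj" in
        *"CN=$fqdn"*) ;;
        *) echo "CN mismatch: $subj" >&2; return 1 ;;
    esac
    kmod=$(openssl rsa -in "$dir/server.key" -noout -modulus 2>/dev/null)
    cmod=$(openssl x509 -in "$dir/server.crt" -noout -modulus)
    [ "$kmod" = "$cmod" ]
}
```

Run it as `regen_wui_cert ipfire.my-domain` followed by `check_wui_cert ipfire.my-domain`, using the host name and domain shown by your IPFire setup.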
--------
 
 
If you want to check the new certificate, just start your browser, access the WUI of your IPFire via https://<hostname>.<domainname>:444 and check the certificate details by clicking the lock icon in the address bar of your browser.