wiki.ipfire.org

The community-maintained documentation platform of IPFire


Generate an SSL-Certificate manually

Introduction

During installation, a self-signed SSL certificate (v1) is generated from the host name and domain name specified in the setup process. It enables HTTPS access to the web user interface (WUI) of IPFire on port 444.

If you change the host name and/or domain name afterwards, the SSL certificate has to be rebuilt; otherwise the browser will complain not only about the self-signed certificate, but also about the mismatch between the URL and the name contained in the certificate.

Generating an SSL certificate is not difficult if you observe a few points and know where the certificate is stored.

Step-by-step Instructions

Backup the existing keys and certificates

On a standard IPFire installation, [certificatename].key and the corresponding SSL certificate are stored in the folder /etc/httpd. First, back up the existing certificate that you want to replace.

Use the commands:

cp [certificatename].key [certificatename].key.old &&
cp [certificatename].csr [certificatename].csr.old &&
cp [certificatename].crt [certificatename].crt.old

to save the existing files:

  • [certificatename].key (private key, needed to create the CSR and the SSL certificate)
  • [certificatename].csr (Certificate Signing Request, the request file from which the SSL certificate is built)
  • [certificatename].crt (the SSL certificate)

in the current folder (/etc/httpd).

Create a new private key

If you do not want to create a new private key, skip this step. Note that all SSL certificates based on the old [certificatename].key become invalid once the private key is replaced!

Use this command:

openssl genrsa -out [certificatename].key 2048

to create a new private key without pass phrase.

The number at the end (2048) sets the size of the newly generated private key in bits. Currently used values are 2048 or higher; keys shorter than 2048 bits can be broken too easily (and with them the SSL communication between client and server) and should not be used. The drawback of larger values is a higher system load when encrypting/decrypting the SSL communication.

Use this command:

openssl genrsa -des3 -out [certificatename].key 2048

to create a new private key with pass phrase (Password):

Using a private key with a pass phrase is not recommended, because then someone has to type the password on the console each time an SSL connection is to be established, or you have to store the pass phrase in the HTTPS configuration of your Apache installation.

Generate a new CSR (Certificate Signing Request)

Use this command:

openssl req -new -key [certificatename].key -out [certificatename].csr

to create the new CSR.

It is important to set the Common Name to the correct host name and domain name (e.g. ipfire.my-domain) of your IPFire system.

Create a new SSL-Certificate

Use this command:

openssl x509 -req -days 365 -in [certificatename].csr -signkey [certificatename].key -out [certificatename].crt

to create a new self-signed SSL-Certificate.

The newly created certificate is valid for one year (365 days) from the time of creation. If you need a longer validity period, increase the value of the -days option.

Restart the Apache web server

Use this command:

/etc/init.d/apache restart

to restart the web server.
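The whole procedure above (backup, key, CSR, self-signed certificate) and the final check of the certificate's Common Name, collected into one script. This is an added example, not a script from the IPFire wiki or the IPFire project. It works in a directory of your choice so it can be rehearsed before touching /etc/httpd; the base name "server" in the usage comment and the hostname ipfire.my-domain are assumptions. It differs from the interactive steps above in three ways, each marked in the comments: the Common Name is passed with -subj instead of being typed at the prompt, key sizes below 2048 bits are refused (the page says they should not be used), and the new key file is restricted to the owner.

```shell
#!/bin/sh
# Added example (not from the IPFire wiki): rebuild a self-signed certificate
# the way the steps above describe, parametrised by directory and base name.
set -eu

# backup_certs DIR NAME: copy existing NAME.key/.csr/.crt to *.old (only those present)
backup_certs() {
    dir=$1; name=$2
    for ext in key csr crt; do
        if [ -f "$dir/$name.$ext" ]; then
            cp "$dir/$name.$ext" "$dir/$name.$ext.old"
        fi
    done
}

# new_self_signed DIR NAME CN [BITS] [DAYS]:
# private key without pass phrase -> CSR -> self-signed certificate
new_self_signed() {
    dir=$1; name=$2; cn=$3; bits=${4:-2048}; days=${5:-365}
    # Added check: the page says keys under 2048 bits must not be used
    [ "$bits" -ge 2048 ] || { echo "key size must be >= 2048 bits" >&2; return 1; }
    openssl genrsa -out "$dir/$name.key" "$bits" 2>/dev/null
    # Added: restrict the private key to its owner (assumption, not on the page)
    chmod 600 "$dir/$name.key"
    # -subj supplies the Common Name non-interactively instead of the prompt
    openssl req -new -key "$dir/$name.key" -subj "/CN=$cn" -out "$dir/$name.csr"
    openssl x509 -req -days "$days" -in "$dir/$name.csr" \
        -signkey "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# cert_cn CRT: print the Common Name of a certificate (the value the browser
# compares with the URL); works with both old and new openssl subject formats
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# cert_matches_key CRT KEY: succeed only if the certificate belongs to the key,
# i.e. the public key embedded in the certificate equals the key's public half
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage on IPFire itself (assumed base name "server"; run as root):
#   backup_certs /etc/httpd server
#   new_self_signed /etc/httpd server ipfire.my-domain 2048 365
#   cert_cn /etc/httpd/server.crt        # should print ipfire.my-domain
#   /etc/init.d/apache restart
```

Run the four commands from the usage comment in order; `cert_cn` lets you confirm the Common Name before restarting Apache, and `cert_matches_key` catches the case where an old certificate was left next to a freshly generated key.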

If you want to check the new certificate, open your browser, access the WUI of your IPFire via https://<hostname>.<domainname>:444 and inspect the certificate details by clicking the lock icon in the address bar of your browser.

optimization/ssl_cert.txt · Last modified: 2018/09/06 23:50 by Jon