SSL server

SSL: Cryptography & authentication

Principle and law disclaimer


An Authority of Certification is required to ensure your certificates.

Theses one provides:

  • Confidentiality
  • Integrity
  • Authentication


There's three options:

  • You can create your own Authority of Certification ;
  • Use a trusted Authority of Certification (commercial). Unfortunately, it's very expansive to use such ones ;
  • Use an Open Source Authority of Certification:

Legal aspects

You are not allowed to use any cryptography. The maximum cryptographic level is set by the law.

Region Law
Sweden to be done
European Union to be done


Install packages

apt-get install openssl

Prep folders

Create working directory

mkdir -p /srv/ssl
cd /srv/ssl

Create ssl structure

mkdir certs crl newcerts private export

Initialize values

echo 01 > serial
touch index.txt
cp /usr/lib/ssl/openssl.cnf .

OpenSSL root configuration

During the process you’ll have to enter the same data many times:

>> You should edit the default values

Adjust default values

Edit openssl.cnf:

vim /srv/ssl/openssl.cnf

Set the working directory:

dir = /srv/ssl                            # Where everything is kept  [line 42]

[ req_distinguished_name ]
countryName_default             = SE                        # [line 128]   
stateOrProvinceName_default     = Västra Götaland           # [line 134]
localityName_default            = Goteborg                  # [line 137]
0.organizationName_default      =             # [line 140]
emailAddress_default            =    # [line 154]

Authority of Certification (CA)

Difference between local / commercial Authority of Certification [CA]

Either you create your own Authority of Certification or you can use a commercial one.

Main differences:

Personal Commercial
Price free from 50$ / year (Go Daddy)
Validity you choose Usually 1 or 2 year
Browser alerts Yes No
Can be used for e-commerce No Yes
  • July 2013: "Go Daddy" seems to be the cheapest authority.

Choose an authority of certification and subscribe to a wildcard domain certification.

In either case you need to:

  • Create a private key
  • Generate a request (that will slightly change)

Create CA private key

Generate a RSA private key (4096 bits length) for the CA and protect it with AES256 encryption.

openssl genrsa -aes256 -out private/cakey.key -rand ./ 4096

You have to enter a password.

!! This password will be required to perform all next operations

Create a personal CA [or Domain root certificate]

Auto-sign your Certification Authority for 10 years

openssl req -config openssl.cnf \
-new -x509 -sha256 -nodes \
-key private/cakey.key \
-out cacerts.pem \
-days 3600

Answer the questions:

  • Country Name (2 letter code) [SE]:
  • State or Province Name (full name) [Västra Götaland]:
  • Locality Name (eg, city) [Göteborg]:
  • Organization Name (eg, company) []:
  • Organizational Unit Name (eg, section) []:
  • Common Name (e.g. server FQDN or YOUR name) []: CA
  • Email Address []:

Some explanations:

Header text Header text
Parameter meaning
-config openssl.cnf to use the local OpenSSL configuration file
-new to request a new certificate
-x509 auto-sign this certificate
-sha256 hash algorithm to use
-key certificate private key
-out Target output file to create
-days Certificate validity time (in days)

You can check result by:

openssl x509 -in cacerts.pem -text -noout

[Alternative] Request for a domain root certificate

Create a new server certificate request for target CA.

  • See process below to generate server’s certificate requestServer certificate

Server certificate

Go to the working directory:

cd /srv/ssl

Create server private key

Generate encrypt private key

openssl genrsa -aes256 -out private/serverName.key -rand ./ 4096

ServerName must match the server FQDN.


openssl genrsa -aes256 -out private/ -rand ./ 4096

Decipher private key

If your key is encrypted, then you have to manually give the password each and every time a service starts.

!! If your private key is encrypt then it cannot be used at startup !!

So, for services like Apache2, you have to decipher the key:

openssl rsa -in private/serverName.key -out private/serverName.nopass.key

Create server’s certificate request

openssl req -config openssl.cnf \
-new -nodes \
-key private/serverName.key \
-out certs/serverName.req

Answer the questions:

  • Country Name (2 letter code) [SE]:
  • State or Province Name (full name) [Västra Götaland]:
  • Locality Name (eg, city) [Göteborg]:
  • Organization Name (eg, company) []:
  • Organizational Unit Name (eg, section) []:
  • Common Name (e.g. server FQDN or YOUR name) []:
  • Email Address []:

!! Do not use a challenge password !!

Sign the server request

Auto-sign - using your personal CA

openssl ca -config openssl.cnf \
-in certs/serverName.req \
-out certs/serverName.cert.pem \
-cert cacerts.pem \
-days 3600

Some explanations:

Parameter meaning
-config the local OpenSSL configuration file
-in Incoming certificate request. = previous .req file
-out Target certificate file
-cert CA certificate to use
-days Certificate validity time (in days)

You can check result by:

cat /srv/ssl/certs/serverName.cert.pem

[Alternate] Send the request to the CA

You have to send the “.req” file to the CA. They will send you back the certificate.

Export certificate

To export a certificate, it must be in PKCS12 format.

You have to perform the following for each and every certificate you’d like to export.

cd /srv/ssl

openssl pkcs12 -export \
-descert -inkey private/serverName.key \
-in certs/serverName.cert.pem \
-certfile cacerts.pem \
-name "Certicate name" \
-out export/serverName.p12
  • Do not put an export password.
  • You should use the non-protected key if you want to use that export with some Linux services.


openssl pkcs12 -export \
-descert -inkey private/ \
-in certs/ \
-certfile cacerts.pem \
-name "Certicate development server" \
-out export/

Distribute the certificate with Apache2

see Apache 2 - SSL certificates page