To install an SSL certificate on your virtual private server, the first step is to generate a key for the Certificate Signing Request (CSR).
If the certificate will be used by service daemons, such as Apache, Postfix, Dovecot, etc., a key without a passphrase is often appropriate. Not having a passphrase allows the services to start without manual intervention, which is usually the preferred way to start a daemon.
1. To generate the keys for the CSR, run the following command from a terminal prompt:
openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.....................++++++
.................++++++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for server.key:
2. You can now enter your passphrase. For best security, it should contain at least eight characters (minimum length is four characters). It should include numbers and/or punctuation. Please note: passphrases are case-sensitive.
3. Re-type the passphrase to verify. Once you have retyped it correctly, the server key is generated and stored in the server.key file.
4. Now create the insecure key, the one without a passphrase, and shuffle the key names:
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
The insecure key is now named server.key, and you can use this file to generate the CSR without a passphrase.
5. To create the CSR, run the following command at a terminal prompt:
openssl req -new -key server.key -out server.csr
6. If the key you use is protected by a passphrase, you will be prompted to enter it; the passphrase-less server.key created in step 4 does not prompt. You will then be prompted to enter your Company Name, Site Name, Email Id, etc. Once you enter all these details, your CSR will be created, and it will be stored in the server.csr file.
You will need to copy the generated server.csr from your server to your local computer in order to upload the file to the CA.
7. You can now submit this CSR file for processing to the Certificate Authority (CA) you are purchasing your SSL certificate from. The CA will use this CSR file to issue your SSL certificate.
This article assumes that you have already generated your keys and created a Certificate Signing Request (CSR). Instructions on how to complete that process can be found in Knowledge Base Article #1581.
The CSR is sent to the Certificate Authority (CA) you are purchasing the SSL certificate from. Once you have been sent the SSL certificate file by the CA, follow these steps to install it.
1. You will need to install the key file server.key and the certificate file issued by your CA. You will need to copy the cert generated by the CA from your local computer to your server (in order to use it in the path indicated below).
Run the following commands at a terminal prompt on your server:
sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private
2. Next, you can simply configure any applications that have the ability to use public-key cryptography to use your SSL certificate and key files.
For example, Apache can provide HTTPS, Dovecot can provide IMAPS and POP3S, etc.
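The steps above leave a passphrase-less server.key whose only protection is its file permissions, and a CSR and certificate that must all carry the same public key. The shell functions below are an added example, not part of the original article: they check permissions, key length and key/CSR/certificate agreement before the files are copied into /etc/ssl. The function names and the 2048-bit floor (MIN_BITS) are assumptions of the example; a 1024-bit key as generated in step 1 fails that floor.

```shell
#!/bin/sh
# Added example, not from the original article. File names follow the article;
# MIN_BITS and the function names are this example's assumptions.
MIN_BITS=2048

# Print a SHA-256 digest of the public key inside a key, CSR or certificate.
pubkey_digest() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Print the key length in bits, parsed from the "Private-Key: (N bit" line.
key_bits() {
    openssl pkey -in "$1" -passin pass: -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Return 0 only if the passphrase-less key is private to its owner, long
# enough, and matches the CSR and (if given) the certificate from the CA.
check_tls_files() {
    key=$1 csr=$2 crt=${3:-}
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "FAIL: $key is readable by group or others" >&2; return 1
    fi
    bits=$(key_bits "$key")
    if [ -z "$bits" ]; then
        echo "FAIL: cannot read $key (missing or still encrypted?)" >&2; return 1
    fi
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "FAIL: $key is only $bits bits" >&2; return 1
    fi
    want=$(pubkey_digest key "$key") || return 1
    if [ "$(pubkey_digest csr "$csr")" != "$want" ]; then
        echo "FAIL: $csr was not made from $key" >&2; return 1
    fi
    if [ -n "$crt" ] && [ "$(pubkey_digest cert "$crt")" != "$want" ]; then
        echo "FAIL: $crt does not match $key" >&2; return 1
    fi
    echo "OK: $bits-bit key matches CSR${crt:+ and certificate}"
}
```

Run `check_tls_files server.key server.csr` before submitting the CSR, and again with server.crt as the third argument once the CA has issued the certificate.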