This is a summary for getting a properly-signed certificate to use with a web server. Probably the same or similar process for other servers, e.g. LDAP.
- Generate an RSA private key for your server.
- Create a Certificate Signing Request (CSR), specifying the above RSA private key as the key.
- Verify the CSR.
- Send the CSR to a Certificate Authority (CA).
- The CA will send back:
  - Your signed SSL certificate, in several files in several formats. Our CA gives these four:
    - Certificate with chain, PEM encoded - foobar_example_com.cer
    - Certificate only, PEM encoded - foobar_example_com_cert.cer
    - Certificate as PKCS#7, PEM encoded - foobar_example_com.crt
    - Certificate as PKCS#7 - foobar_example_com.p7b
  - An intermediate CA certificate file. This can be thought of as a child of the root CA certificate, which is private and protected by the CA. Our CA gives this file:
    - Root/Intermediate(s) only, PEM encoded - foobar_example_com_interm.cer
  - Possibly a reverse intermediate CA certificate. I am actually not certain what this is.
Keys and certificates live under /etc/pki/tls/. First, generate the RSA private key:
# cd /etc/pki/tls/private
# openssl genpkey -algorithm RSA -out foobar.example.com.key -pkeyopt rsa_keygen_bits:2048
The private key is now in:
/etc/pki/tls/private/foobar.example.com.key
Keep this key private, i.e. root-only access.
Next, create a CSR using that newly-created key, also specifying the FQDN to be associated with the certificate that you are requesting:
# cd /etc/pki/tls/certs
# openssl req -sha512 -new -key /etc/pki/tls/private/foobar.example.com.key -out foobar.example.com.csr
Verify the CSR (check that the subject and key details are what you expect) before sending it to the CA:
# openssl req -noout -text -in foobar.example.com.csr
The CA returned these three files:
- foobar_example_com_cert.cer - the signed certificate
- foobar_example_com_interm.cer - the intermediate CA certificate
- foobar_example_com_interm_reverse.cer - the reverse intermediate CA certificate
Copy them into /etc/pki/tls/certs/:
- signed certificate - /etc/pki/tls/certs/foobar_example_com_cert.cer
- intermediate CA certificate - /etc/pki/tls/certs/foobar_example_com_interm.cer
- reverse intermediate CA certificate - /etc/pki/tls/certs/foobar_example_com_interm_reverse.cer
Then point the Apache SSL virtual host at the signed certificate and the intermediate chain:
<VirtualHost _default_:443>
…
SSLCertificateFile /etc/pki/tls/certs/foobar_example_com_cert.cer
SSLCertificateChainFile /etc/pki/tls/certs/foobar_example_com_interm.cer
…
</VirtualHost>
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
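As an added end-to-end example (not from the original page, and not any real CA's procedure), the script below rehearses the steps above offline: it generates the server key and CSR the same way as the genpkey/req commands, stands in for the CA with a constructed root and intermediate, and then runs the checks worth doing on the returned files before wiring them into the VirtualHost: the CSR and the signed certificate match the private key, the chain verifies through the intermediate, and the certificate's name matches the FQDN. The FQDN lab.example.com, the CA names and the temporary work directory are assumptions made for this example; it needs only a POSIX shell and OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original page: rehearses the whole procedure
# above against a throw-away root/intermediate CA built locally, so the
# checks a sysadmin should run on the returned files can be tried offline.
# The FQDN, the CA names and the work directory are constructed for this
# example; nothing here talks to a real CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"
FQDN="lab.example.com"

# Minimal openssl.cnf so `openssl req` does not depend on the system config.
printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = placeholder\n' > "$WORK/req.cnf"

# Steps 1-2: server private key (root-only on a real box) and a CSR that
# carries the FQDN in both the subject and a subjectAltName.
make_key_and_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/server.key" 2>/dev/null
    chmod 600 "$WORK/server.key"
    openssl req -config "$WORK/req.cnf" -new -sha256 -key "$WORK/server.key" \
        -subj "/CN=$FQDN" -addext "subjectAltName=DNS:$FQDN" -out "$WORK/server.csr"
}

# Step 3: the CSR's self-signature must verify and its public key must be
# the one belonging to our private key.
csr_matches_key() {
    openssl req -noout -verify -in "$WORK/server.csr" >/dev/null 2>&1 || return 1
    k=$(openssl pkey -in "$WORK/server.key" -pubout | openssl dgst -sha256)
    c=$(openssl req -in "$WORK/server.csr" -pubkey -noout | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Steps 4-5 stand-in: a root signs an intermediate, the intermediate signs
# our CSR. A real CA keeps the root private; you receive only the leaf and
# the intermediate (the "_cert.cer" and "_interm.cer" files above). Note the
# CA, not the CSR, decides the final extensions (SAN, key usage).
build_ca_and_sign() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$FQDN" > "$WORK/leaf.ext"
    for ca in root interm; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$ca.key" 2>/dev/null
        openssl req -config "$WORK/req.cnf" -new -sha256 -key "$WORK/$ca.key" \
            -subj "/CN=Lab $ca CA" -out "$WORK/$ca.csr"
    done
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.cer" 2>/dev/null
    openssl x509 -req -in "$WORK/interm.csr" -CA "$WORK/root.cer" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/interm.cer" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/interm.cer" -CAkey "$WORK/interm.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/server_cert.cer" 2>/dev/null
}

# Checks to run on what the CA sent back, before touching the httpd config.
# The signed certificate must carry the public half of our private key.
cert_matches_key() {
    k=$(openssl pkey -in "$WORK/server.key" -pubout | openssl dgst -sha256)
    c=$(openssl x509 -in "$WORK/server_cert.cer" -pubkey -noout | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Full chain: leaf, via the intermediate, up to a trusted root, and the
# name in the certificate matches the FQDN clients will connect to.
chain_verifies() {
    openssl verify -CAfile "$WORK/root.cer" -untrusted "$WORK/interm.cer" \
        -verify_hostname "$FQDN" "$WORK/server_cert.cer" >/dev/null 2>&1
}

# Same verification with the intermediate left out. This fails, which is
# what a client sees when httpd serves the leaf without the intermediate
# (no SSLCertificateChainFile): it trusts the root but cannot link the leaf to it.
verifies_without_intermediate() {
    openssl verify -CAfile "$WORK/root.cer" "$WORK/server_cert.cer" >/dev/null 2>&1
}

make_key_and_csr
build_ca_and_sign
echo "work dir: $WORK"
csr_matches_key  && echo "CSR public key matches the private key"
cert_matches_key && echo "signed certificate matches the private key"
chain_verifies   && echo "leaf verifies via the intermediate up to the root"
verifies_without_intermediate || echo "without the intermediate the leaf does NOT verify"
```

Run it as-is and remove the printed work directory afterwards; for a real deployment, run only the three check functions against the key in /etc/pki/tls/private and the files the CA returned. On Apache 2.4.8 and later, SSLCertificateChainFile is deprecated: the intermediate can instead be appended to the file named by SSLCertificateFile, which is what the CA's "certificate with chain" .cer already contains.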