Free Apache ssl certificate installation for a web portal


My server is running RH 9, using Apache SSL, with one portal running on the same server. When I type  it shows a "Security Alert" for the certificate. But my previous administrator created it for localhost. In that certificate, under the View Certificate tab, I found
Issued to  : localhost.localdomain
Issued by  : localhost.localdomain

My company is not in a position to buy a certificate from a CA. So I want to generate a free 128-bit encryption SSL certificate for my portal. Then, once anyone has installed the certificate on a system, the "Security Alert" won't be displayed again on that particular system.

Here I want step-by-step help … How do I generate a certificate for my domain name?
And where do I have to put it, so that the "Security Alert" is displayed with the domain name?

I posted the same under the Networking category but I didn't get a proper response.

Thanks  ==>  to those who are helping in EE.

You can create certificate yourself. Apparently your previous administrator did that.

I am going to describe the procedure with OpenSSL. If you have Linux you will need to get openssl and or script. On Red Hat you can get them by installing the openssl and openssl-misc packages.

First you need to create a Certificate Authority (CA), which is authorised to sign certificates. Make a new CA with: -newca

Then you have to make a Certificate Request that will be signed by your newly created CA. If you have Windows and IIS you will make the certificate request in IIS. If you use Apache or a web server that doesn't create a certificate request by itself, you can create one with: -newreq

This command will put the certificate request into the file newreq.pem, on Linux usually in /etc/ssl. If you created the certificate request from the web server you must put it in newreq.pem. Be careful with the values you put in the certificate request. CN must be your hostname (for instance Without http://. Just the domain name.

Signing the request is the last step before providing the certificate to the web server. Try this: -sign

This command will sign the certificate request, which must be in the file newreq.pem, and make a new file newcert.pem. newreq.pem and newcert.pem are both text files. On Windows just import newcert.pem and that's it. In Apache you will have to find the private key and the signed certificate, put them in separate files and then provide them to Apache. Apache will then want your password for the private key every time you start it. To avoid this use the following command:

openssl rsa -in keyfile -out keyfile

I hope this helps.
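As an added example that is not part of Marko's answer or of the openssl-misc package, here is the same CA / request / sign / verify sequence written with plain openssl subcommands instead of the wrapper script the answer refers to, plus the checks worth running before the files go to Apache. The file names (cakey.pem, cacert.pem, newkey.pem, newreq.pem, newcert.pem), the organisation name and the scratch directory WORK are assumptions; on the server the final key and certificate go wherever httpd.conf's SSLCertificateKeyFile and SSLCertificateFile point.

```sh
#!/bin/sh
# Added example (not from the thread): private CA, server request, signing
# and verification with plain openssl subcommands. File names, the
# organisation name and the scratch directory WORK are assumptions.
set -eu

# Scratch directory for the demo; on a real server these files live where
# Apache's SSLCertificateFile / SSLCertificateKeyFile point.
WORK="${WORK:-$(mktemp -d)}"

# Step 1 (the answer's -newca): a CA key and a self-signed CA certificate.
# The CA key stays encrypted; its passphrase is asked for at every signing,
# and this is the key the "unable to load CA private key" error is about.
make_ca() {                              # $1 = CA passphrase
    openssl genrsa -aes256 -passout "pass:$1" -out "$WORK/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/cakey.pem" -passin "pass:$1" -days 3650 \
        -subj "/O=Example Company/CN=Example Company Internal CA" \
        -out "$WORK/cacert.pem" 2>/dev/null
}

# Step 2 (the answer's -newreq): server key plus certificate request.
# CN is the bare hostname the browser will type, with no "https://".
make_request() {                         # $1 = server hostname (CN)
    openssl genrsa -out "$WORK/newkey.pem" 2048 2>/dev/null
    chmod 600 "$WORK/newkey.pem"         # unencrypted key: owner-only access
    openssl req -new -key "$WORK/newkey.pem" -subj "/O=Example Company/CN=$1" \
        -out "$WORK/newreq.pem" 2>/dev/null
}

# Step 3 (the answer's -sign): sign newreq.pem with the CA key -> newcert.pem.
# A wrong CA passphrase makes this fail, which is the error seen in the thread.
sign_request() {                         # $1 = CA passphrase
    openssl x509 -req -in "$WORK/newreq.pem" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -passin "pass:$1" -CAcreateserial -days 365 \
        -out "$WORK/newcert.pem" 2>/dev/null
}

# Check before installing: newcert.pem exists, is non-empty, chains to the CA
# and carries the expected CN. Clients that import cacert.pem as a trusted
# root will then accept newcert.pem without the "Security Alert".
verify_cert() {                          # $1 = expected hostname (CN)
    [ -s "$WORK/newcert.pem" ] || return 1
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/newcert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORK/newcert.pem" -noout -subject | grep -q "CN *= *$1"
}

# True if a PEM key file is passphrase-protected. Apache prompts for such a
# key at every start; "openssl rsa -in keyfile -out keyfile" removes the
# passphrase (keep the CA key encrypted, it never has to be given to Apache).
key_is_encrypted() {                     # $1 = key file
    grep -q "ENCRYPTED" "$1"
}

# Usage: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    make_ca "ca-secret"
    make_request "www.example.com"
    sign_request "ca-secret"
    verify_cert "www.example.com" && echo "newcert.pem verifies against cacert.pem in $WORK"
fi
```

The verify step is the part the thread's later posts are missing: a failed signing can still leave a newcert.pem behind, so check the file is non-empty and validates against cacert.pem before copying it into place and restarting Apache.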
All SSL certificates not issued by one of the recognized certificate authorities (Verisign, Thawte, etc.) will produce a "security warning" on a client browser. This is because the browser can't verify the authenticity of the certificate. So if you want that "Security Alert" to go away you'll have to purchase a certificate.

That is not completely true. You can sign your own certificate or get a free one from for example. In that case the user needs to install a root certificate in order to avoid the "Security Alert". For a limited number of controllable users that is OK. If you need to provide SSL for a larger user community, buying a certificate is definitely cheaper than providing them with help and support.

> So if you want that "Security Alert" to go away you'll have to purchase a certificate.
Not really true.
If all clients have the root CA which signed the other one, there is no alert.
To generate your own SSL cert you can also use OpenSSL, but it's not quite easy to use.

or you can try JavaCA:

If you don't want the "Security Alert", you have to import your CA certificate into your cert store.

How to import:

Moreover, remember to choose your CN=<your_host_name> when generating CSR.
All these descriptions solve the problem only on the server side; each reliable client (browser) still warns you about self-generated, self-signed certificates. It does this as long as the cert provided by the server is not signed by one of the trusted root CAs the browser knows. See my first comment also.
That's why you need to import the self-signed CA cert into the IE cert store.

> How to import:
I know that ahoffmann. You can see that I have warned GopichandGadde about Security Alert too. It is the second comment in this thread.

If you properly create your certificate and also install the CA certificate in the browser, you won't get the Security Alert.
Agreed, you're all aware of the problem ;-)
Shame on me that I didn't read carefully.
But does anyone really want to import a whatever-signed root cert? I'd not do that, for obvious reasons.
GopichandGadde (Author) Commented:
Hi marko,

Your explanation is excellent. But I am poor at this OpenSSL.

This is a live server; 10 to 15 clients are connected, that's why I am asking about each and every step. Please don't mind.

My server OS is RedHat linux 9.

According to you I have to follow these steps ..

1. I have to install the RPMs of openssl and openssl-misc
openssl-0.9.6b-35.7.i386.rpm: this RPM is available with me.
2. -newca    ==> For a new certificate
3. -newreq  ==> For a certificate request, because mine is an Apache web server
 After this, how can I create a certificate request from the web server?

In my server mod_ssl is installed.

Where in /etc/httpd/conf
" ssl.crt, ssl.csr, ssl.key, ssl.prm, ssl.crl "   these files are created
I applied this command to generate these files
openssl req -newkey rsa:1024 -x509 -nodes -out cert.pem -keyout key.pem

It asked for all the details, which I provided ..

In httpd.conf .. I changed the domain name; the page is not displaying ...

oh ...tense ...

GopichandGadde (Author) Commented:
One more info from my server

In /etc/httpd I find two files ... key.pem & cert.pem

and in /usr/share/ssl/      this file is there   cert.pem ...
You don't create the certificate request from the server. -newreq creates it.

You don't have to change settings in the Apache configuration. Just find out where Apache looks for the certificate files and replace those files with the newly created certificate and private key. Only if you don't want to overwrite the old keys, change the configuration to look for those files elsewhere.
GopichandGadde (Author) Commented:
I logged in as root and typed the command -newreq
bash: command not found ( I got this )

Do I have to install any RPM?

Thanks for your gr8 help Marko

Apparently you don't have the CA utility. Check for the openssl-misc package with "rpm -qa openssl-misc". See which openssl packages you have installed with "rpm -qa | grep openssl". List the contents of an installed package with "rpm -ql openssl-misc". See if or is in the list.

You can also use the utilities provided with Apache. Go to /etc/httpd/conf and type "make usage". You will get instructions on how to make certificates for Apache.
GopichandGadde (Author) Commented:

I have only these RPMs installed on my server.
I can install the RPM of openssl-misc. I downloaded openssl-misc-0.9.6-1.i386.rpm

Can I install this RPM and try out your commands ..!!!

Install the rpm with "rpm -i openssl-misc-0.9.6-1.i386.rpm" or "rpm -Uvh openssl-misc-0.9.6-1.i386.rpm".
GopichandGadde (Author) Commented:
Installed the RPM ==> rpm -i openssl-misc-0.9.6-1.i386.rpm

# -newca
Asked for the CA file name .. provided ==> -newrq

Asked for all the details; this Common Name ==> ( provided )

After this got this below message..
Please enter the following 'extra' attributes to be sent with your certificate request

Entered the password .. and company name ...

For signing .. -sign

Giving an error like

Using configuration from /usr/share/ssl/openssl.cnf
unable to load CA private key
468:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: ANY PRIVATE KEY
Signed certificate is in newcert.pem

I hope for the first file name I have to give some name with our .com ... Please advise me here .. It may help me.

GopichandGadde (Author) Commented:
Sorry .. forgot to provide one more piece of info .. While doing this process I didn't stop any service on my server.

httpd, sshd, mysql, all the services are running..

At newca give some other Common Name. This is the authority that will sign the certificate for When creating the CA you should also be asked to provide a password. When signing you must type in the CA password to access the CA's private key, which is used to sign the certificate request.

When you are able to finish the whole procedure without errors, place the certificate and key files for Apache to use and then restart Apache.

Next time you will not need to create a CA. Just create a certificate request and sign it with the CA's private key.
GopichandGadde (Author) Commented:
Now the first two steps are executed fine.

When I tried -sign I am getting this error.

Using configuration from /usr/share/ssl/openssl.cnf
unable to load CA private key
503:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: ANY PRIVATE KEY
Signed certificate is in newcert.pem

What is the problem ??
I told you. When signing a certificate you must access the CA's private key. You obviously didn't make the CA properly or didn't enter the right password to access the CA's private key.
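As an added example that is not part of Marko's reply, a pre-flight check for the file the signing step will use as the CA key. The "PEM routines:PEM_read_bio:no start line ... Expecting: ANY PRIVATE KEY" message quoted above means the file named as the CA key contains no PEM private-key block at all, which is what you get when the wrong file (a request or a certificate instead of the key), an empty file, or a left-over from a failed -newca is pointed at. The function names and the example file names are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): sanity checks to run on the CA key
# and request files before the signing step. Function and file names are
# assumptions for the demo.

# Returns 0 if FILE holds a PEM private-key block that openssl can load.
# An optional PASSPHRASE is tried for encrypted keys; a plain key ignores it.
# Failure reasons are printed to stderr so the operator knows which file
# (request, certificate, empty file) was mistaken for the key.
pem_is_private_key() {                   # $1 = file, $2 = passphrase (optional)
    f="$1"; pass="${2:-}"
    [ -s "$f" ] || { echo "$f: missing or empty" >&2; return 1; }
    grep -q -- "-----BEGIN .*PRIVATE KEY-----" "$f" || {
        echo "$f: no PRIVATE KEY block (is this the request or the cert?)" >&2
        return 1
    }
    # "-passin pass:..." keeps openssl from prompting on a terminal; a wrong
    # or missing passphrase for an encrypted key simply fails here.
    openssl pkey -in "$f" -passin "pass:$pass" -noout 2>/dev/null || {
        echo "$f: PEM header present but key cannot be loaded (passphrase?)" >&2
        return 1
    }
}

# Prints the kind of the first PEM object in FILE, e.g. "CERTIFICATE REQUEST",
# so a request/key/certificate mix-up is visible at a glance.
pem_kind() {                             # $1 = file
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Usage: sh thisfile.sh /etc/ssl/cakey.pem [passphrase]
if [ -n "${1:-}" ]; then
    echo "$1 holds: $(pem_kind "$1")"
    pem_is_private_key "$1" "${2:-}" && echo "$1: usable as a CA private key"
fi
```

Run it on the CA key file named in openssl.cnf before trying -sign again; if it reports a CERTIFICATE REQUEST or CERTIFICATE, the wrong file is being used, and if the header is present but loading fails, the passphrase is the problem.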
Dennis Maeder Commented:
If you're still frustrated, here's my script to build self-signed certs for a default Linux Apache 2.0 rpm setup.
This does not use the Perl method, but instead the Apache-supplied makefile.

cd /etc/httpd/conf

# create key
make server.key

# create certificate request
make server.csr

# create self signed certificate
# make server.crt
# or for lifetime cert (9999 days is nearly 30 years)
/usr/bin/openssl req -new -key server.key -x509 -days 9999 -out server.crt

# disable passphrase on key
openssl rsa -in server.key -out server.key

# copy or move certs to directories referenced in /etc/httpd/conf.d/ssl.conf
cp server.key ssl.key
cp server.csr ssl.csr
cp server.crt ssl.crt

# give ownership to apache
chown -R apache ssl*

# verify processes are running
apachectl graceful
ps -fuapache

# check client response - open https://server... in browser
As a note, the apache-ssl package for Debian, and possibly other OSes, has a script for doing this in a fairly straightforward manner as well.

On appropriate systems, check out:

creating selfsingned certificate
replace it with one signed by a certification authority (CA)

enter your ServerName at the Common Name prompt

If you want your certificate to expire after x days call this programm
with -days x
Using configuration from /usr/share/apache-ssl/ssleay.cnf
Generating a 1024 bit RSA private key
writing new private key to '/etc/apache-ssl/apache.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company; recommended) []:
Organizational Unit Name (eg, section) []:
server name (eg. ssl.domain.tld; required!!!) []:
Email Address []:

Easy enough for most... don't forget to restart apache-ssl afterwards :-)