Installing your SSL Server Certificate

Installing your SSL Server Certificate –  Red Hat Linux Apache/SSL Server

Follow the below instructions to generate a CSR for your website. When you have completed generating your CSR, cut/copy and paste it into the CSR field on the SSL certificate-request page.

To Generate a Triple-DES Encrypted Key Pair and a Certificate Signing Request (CSR)

In a command prompt, enter the following, pressing Enter after each line:

  1. cd /usr/bin/ (/your path to openssl/)Enter a passphrase when prompted to.
  2. openssl genrsa -des3 -out <name of your certificate>.key 2048
  3. openssl req -new -key <name of your certificate>.key -out <name of your certificate>.csr

NOTE: If you are requesting a Wildcard certificate, please add an asterisk (*) on the left side of the Common Name (e.g., “*” or “www*”). This will secure all subdomains of the Common Name.

Step two: Copy your certificate to file

You will receive an email from the Registration Authority when your certificate request has been approved that contains a link to a location where your certificate may be obtained.  Clicking on this link will bring up a browser window that contains the details of your issued certificate and includes a section that looks something like the following:


Copy everything you see between and including the lines that look like

and paste it into an appropriately named text file e.g. server.crt

Copy this certificate file into the directory that you will be using to hold your certificates.

e.g.  /etc/httpd/conf/ssl.crt/

In this example we will use:

  • /etc/httpd/conf/ssl.crt/   as the location where certificates will be stored
  • /etc/httpd/conf/ssl.key/   as the location where the server’s private key is stored.
  • /etc/httpd/conf/ca-bundle/   as the location where the CA bundle file will be stored

It is recommended that you make the directory that contains the private key file only readable by root.

Step three: Install the CA Certificates

You will need to install the CA certificates in order for your webserver to use your SSL certificate properly.  Apache users do not neded to install these certificates individually.  Instead you can install the CA certificates using a ‘bundle’ method.

In the Virtual Host settings for your site, in the httpd.conf file, you will need to complete the following:

  1. Copy the PEM format Bundled CA certificate file (full CA chain) to the directory in which ca-bundled files are stored e.g.   /etc/httpd/conf/ssl.crt/
  2. Add the following line to the SSL section of the httpd.conf (assuming /etc/httpd/conf/ssl.crt/ is the directory to where you have copied the CA Bundle file). if the line already exists amend it to read the following:

SSLCACertificateFile /etc/httpd/conf/ssl.crt/cachainpem.txt

If you are using a different location and certificate file names you will need to change the path and filename to reflect your server.

The SSL section of the updated httpd config file should now read something similar to this example (depending on your naming and directories used):

SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt

SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

SSLCACertificateFile /etc/httpd/conf/ssl.crt/cachainpem.txt

Save your httpd.conf file and restart Apache.

Refer the link below to set up csr in Various Panels


Verifying that a Private Key Matches a Certificate

How to verify that a private key goes with a certificate

Note: It should be noted that this is not a UW-Madison Help Desk or DoIT Middleware supported procedure, and, naturally, we can’t take responsibility for any damage you do while following or attempting to follow these procedures. Be sure you understand what you are doing.

(Shamelessly stolen from (and expanding upon) The Apache SSL FAQ)

The private key contains a series of numbers. Two of those numbers form the “public key”, the others are part of your “private key”. The “public key” bits are also embedded in your Certificate (we get them from your CSR). To check that the public key in your cert matches the public portion of your private key, you need to view the cert and the key and compare the numbers. To view the Certificate and the key run the commands:

$ openssl x509 -noout -text -in server.crt
$ openssl rsa -noout -text -in server.key

The `modulus’ and the `public exponent’ portions in the key and the Certificate must match. But since the public exponent is usually 65537 and it’s bothering comparing long modulus you can use the following approach:

$ openssl x509 -noout -modulus -in server.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5

And then compare these really shorter numbers. With overwhelming probability they will differ if the keys are different. As a one-liner:

$ openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
  openssl rsa -noout -modulus -in server.key | openssl md5

And with auto-magic comparison (If more than one hash is displayed, they don’t match):

$ (openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
   openssl rsa -noout -modulus -in server.key | openssl md5) | uniq

BTW, if I want to check to which key or certificate a particular CSR belongs you can compute

$ openssl req -noout -modulus -in server.csr | openssl md5

Published in: on November 11, 2010 at 2:35 pm  Comments Off on Installing your SSL Server Certificate  
%d bloggers like this: