BLOGS@DiGiTSS

DiGiTSS Team's Programming experience with PHP, MySQL, Ajax, Javascript, jQuery, C# and Microsoft technologies

Archive for category OpenSSL

Generating 2048-bit CSR with OpenSSL

Dec 6

Posted by Dharmavirsinh Jhala in OpenSSL | No Comments

As computer processing power is increasing everyday, so breaking 1024-bit private key algorithms will be possible by 2011. So we will need to generate minimum 2048-bit RSA Private Keys for new SSL Certificates or renewals.

I have recently faced similar case while I had given older CSR which I gave last year for the renewal to GoDaddy and it didn't worked due to security reasons.

We need to simply regenerate Private Key and CSR with the help of following OpenSSL command:

 openssl req -nodes -newkey rsa:2048 -keyout new-digitss.key -out new-digitss.csr

This will generate 2048-bit key file and after that it will ask few basic information about the entity being certified. Private Key file generated with above command won't have secret pass-phrase so it won't be a problem deploying them on Windows based Apache server setups or either on Linux platforms. But if you really want to have pass-phrase then please refer to a previous post and replace it with 2048 or 4096 instead of 1024 which is being used in commands or just remove the "-nodes" from the above command which will ask for a pass-phrase.

Removing the "-nodes" option from the above mentioned openssl command will ask for a pass-phrase and encrypt the private key. This can increase security, but please note that the pass-phrase will be required each time Apache is started. In that case you need to get a un-secure private key for your Windows based Apache setup. It is as simple as writing following line of command on OpenSSL.

 rsa -in digitss.key -out unsecured.digitss.key

Above OpenSSL command will give unsecured private key which will have pass-phrase removed and so can be used with Windows based Apache setups.

More References:

For more detailed information on CSR generation please refer following post: (Just use 2048 or 4096 instead of 1024 to make it work)
http://blogs.digitss.com/apache/how-to-generate-certificate-signing-request-csr-file-with-apache-openssl/

See GoDaddy Help for detailed reason on: Why does my CSR need to be 2048 bit length?

CSR Generation Instructions for Rest of the Web-Servers: Certificate Signing Request (CSR) Generation Instructions

Tags: , ,

RSA server certificate CommonName (CN) does NOT match server name!?

Jun 13

Posted by Dharmavirsinh Jhala in OpenSSL | No Comments

Problem installing SSL certificate: SSL Library Error: 185073780 error:0B080074:x509 certificate

While configuring SSL for one of my Client I got this error and it took me little while to figure it out that what went wrong with the configuration. Initially I thought that there must be something wrong with the generated certificate as I have generated CSR myself and given it to client and client gave back me Certificate files.

But I was wrong as I was using LogMeIn to connect to the client's Windows 2003 Web-Server and using remote clipboard (Copy+Paste). Something went wrong while pasting that file on the remote Web server. So I transferred files directly and then it worked well without any problem.

[Mon Jun 01 03:22:49 2009] [warn] RSA server certificate CommonName (CN) `portal.client.com' does NOT match server name!?
[Mon Jun 01 03:22:49 2009] [error] Unable to configure RSA server private key
[Mon Jun 01 03:22:49 2009] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Reference URL that helped me find the answer is below:

http://www.howtoforge.com/forums/showthread.php?t=22493

Tags: ,

How to generate Certificate Signing Request (CSR) file with Apache OpenSSL

Apr 13

Posted by Dharmavirsinh Jhala in Apache, OpenSSL | 9 Comments

When it comes to use SSL over apache, OpenSSL is there for us to do everything we want. XAMPP and WAMP both comes with OpenSSL compiled version of Apache, so it becomes quite handy to use it. But how to get SSL certificate for your website?For getting SSL certificate you need to ask your hosting company if you are running on shared server and don't have access to apache installation directory and config files. Most of the hosting companies will do this for you with some amount of fee. Fee/cost depends on the kind of certificate you are requesting and for the period of time. For example www.domain.com certificates will be quite cheaper then *.domain.com.

Now if you are running and managing your own webserver and you have to get certificate(s) for your company/client or your own website then first requirement is to generate "Certificate Signing Request" - CSR file, which you need to send to Certificate Authority to sign and give back to you as CRT file. This tutorial is not meant for Apache expert but for those who have not much experience SSL and Apache stuff.

Generation of CSR files with Apache on OpenSSL is quite simple and it is matter of typing few commands and we are done. You need to follow similar commands on OpenSSL prompt whether you are running Apache over Windows or Linux. Here is the routine which we need to follow to get our .CSR file ready.

If you have your Apache setup ready with OpenSSL then goto BIN directory under your Apache's installation directory. If you are on Windows machine then it could be under D:\Program Files\Apache\bin and if it is Linux you know better where to find it. Open Command Prompt and goto Apache's BIN directory and then type "openssl" over there. You will get OpenSSL prompt immediately. You may need not to goto Apache/Bin directory if that path is set in your system variables, you can just type openssl and you will get the prompt like below. Read the rest of this entry »

Tags: , , , ,