3.: Creating a test certificate

The following instructions are from http://www.apache-ssl.org/#FAQ.

openssl req -new -out server.csr
This creates a certificate signing request and a private key. When asked for "Common Name (eg, your websites domain name)", give the exact domain name of your web server (e.g. www.my-server.dom). The certificate belongs to this server name and browsers complain if the name doesn't match.

openssl rsa -in privkey.pem -out server.key
This removes the passphrase from the private key. You MUST understand what this means; server.key should be only readable by the apache server and the administrator.
You should delete the .rnd file because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key.

openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
This creates a self-signed certificate that you can use until you get a "real" one from a certificate authority. (Which is optional; if you know your users, you can tell them to install the certificate into their browsers.) Note that this certificate expires after one year, you can increase -days 365 if you don't want this.

If you have users with MS Internet Explorer 4.0+ and want them to be able to install the certificate into their certificate storage (by downloading and opening it), you need to create a DER-encoded version of the certificate:
openssl x509 -in server.crt -out server.der.crt -outform DER

Create an Apache/conf/ssl directory and move server.key and server.crt into it. For Linux create two directories: ssl.key and ssl.crt. Move server.crt into ssl.crt and move server.key into ssl.key.


copy server.crt and server.key to the /etc/apache-ssl/ directory then make sure they are only readable by root... then... edit httpd.conf to point the server to the CertificateFile server.crt and below that to the Key server.key

then /etc/init.d/apache-ssl restart