# Creating an SSL certificate



## dennylin93 (Jan 1, 2009)

Right now I'm having trouble creating an SSL certificate and enabling it on Apache. I've seen a lot of tutorials, but none of them seem to work.

Wondering if anyone could provide me with instructions on how to create an SSL certificate and modify the Apache configuration file. Thanks in advance.


----------



## felix (Jan 1, 2009)

Edit /usr/local/etc/apache22/httpd.conf file:

```
#    Uncomment:
#    Include etc/apache22/extra/httpd-ssl.conf
```

Edit /usr/local/etc/apache22/extra/httpd-ssl.conf:

```
#    Uncomment and change to your domain name:
#    ServerName www.my_domain.org:443

#    Uncomment and change to your mail address:
#    ServerAdmin webmaster@my_domain.org
```

And run:

```
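cd /usr/local/etc/apache22
# Generate a passphrase-protected RSA private key
openssl genrsa -des3 -out server.key 1024
# Create a certificate signing request from the key
openssl req -new -key server.key -out server.csr
# Self-sign the request; the certificate is valid for 3650 days
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
chmod 0400 /usr/local/etc/apache22/server.key
chmod 0400 /usr/local/etc/apache22/server.crt

cd /usr/local/etc/apache22
# Remove the passphrase from the key, keeping the protected original
cp server.key server.key.orig
openssl rsa -in server.key.orig -out server.key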
```

Restart Apache...


----------



## morganw (Jan 1, 2009)

If you have trouble with the "openssl" program, look into /usr/ports/security/xca. I use it to manage all of the certificates for my WPA2 setup, and it's infinitely more useable than the basic "openssl" program.


----------



## dennylin93 (Jan 2, 2009)

Thanks for the replies. Do I need to modify openssl.cnf in order to generate the certificate?


----------



## gilinko (Jan 2, 2009)

openssl.cnf can be used to quickly add information that is requested by the above commands, BUT it's not necessary. The commands will ask you for the required information, and they are pretty easy to understand. 

When asked for "YOUR name" in these dialogs you enter the full domain name (i.e. http://www.example.com or subdomain.example.com), and not your name. Can be confusing, but that's pretty much the only thing that isn't pretty clear in the dialogues.


----------
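felix's three `openssl` steps and gilinko's point about the name prompt, as an added example that is not part of any post in this thread: it runs the same steps without prompts by passing the host name as the CN through `-subj`, then checks that the certificate belongs to the key and is valid for that host name. The host name `www.example.org`, the function names, the 2048-bit key size and the 365-day lifetime are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Host name and function names are constructed.

# make_cert DIR HOSTNAME: key, CSR and self-signed certificate, without prompts.
make_cert() (
    umask 077                 # the key is never readable by others, even briefly
    cd "$1" || exit 1
    # No -des3 here: the thread's last step removes the passphrase again anyway.
    openssl genrsa -out server.key 2048 2>/dev/null || exit 1
    # -subj answers the dialog; CN carries the host name, not a person's name.
    openssl req -new -key server.key -subj "/CN=$2" -out server.csr || exit 1
    openssl x509 -req -days 365 -in server.csr -signkey server.key \
        -out server.crt 2>/dev/null || exit 1
    chmod 0400 server.key
)

# key_matches_cert DIR: true when server.crt carries the public key of server.key.
key_matches_cert() {
    k=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1/server.crt" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_names_host DIR HOSTNAME: true when the certificate is valid for HOSTNAME.
cert_names_host() {
    openssl x509 -in "$1/server.crt" -noout -checkhost "$2" | grep -q 'does match'
}
```

Running `key_matches_cert` and `cert_names_host` in the directory that holds `server.key` and `server.crt` before restarting Apache catches a key and certificate that do not belong together, or a certificate issued for the wrong name.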



## ruaoh (May 13, 2010)

I followed these steps to create my own cert.

http://www.akadia.com/services/ssh_test_certificate.html


----------



## ziomario (Oct 5, 2021)

felix said:


> Edit /usr/local/etc/apache22/httpd.conf file:
> 
> ```
> #    Uncomment:
> ...
> ```



I know that a LOT of time has passed since you wrote that, but it works even today. Just some directives should be enabled:

In the httpd.conf, need to turn on mod_ssl.so:

```
LoadModule ssl_module modules/mod_ssl.so
```

Then the next problem is to turn on mod_socache_shmcb.so:

```
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
```

otherwise the error "Can't start Apache: Invalid command 'SSLCipherSuite'" will come up. Since some time passed, apache22 today became apache24.


----------



## Geezer (Oct 5, 2021)

After eleven years, it may still work but there are better alternatives:

Let's Encrypt

Let's Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG).

letsencrypt.org


----------

