Creating a Self Signed Certificate
|Applies to:||Hornbill Core Services Version 3.1.4|
The self-signed certificate provided by hornbill should be used as a temporary solution until a valid certified certificate is provided (usually for external sites). For internal use only it is possible to generate a self-signed certificate for use on the apache server provided within core services. A new Certificate may be required to contain details more relevant to a site, or due to a Certificate expiring.
Core Services ships with the "openssl" tool used by Apache to implement secure communications using the SSL or TLS protocols, and provides a mechanism for generating Private keys and managing Certificates.
The tool can generate self-signed certificates for use within the Apache configuration, as detailed in the steps below:
Generating a Private Key
An RSA private key is generated and can be 1024-bit or 2048-bit, we would recommend 2048-bit be used. The tool is located <core-services-install>\Swhttpserver\bin\openssl.exe
- Open the command prompt and enter the following:
- cd \<core-services-install>\Swhttpserver\bin\
- openssl genrsa -des3 -out serverwp.key 2048
- When prompted, enter a passphrase and make a note of it.
- The file server.key will of been generated in the current path
Generate a Certificate Signing Request (CSR)
A CSR can be used to send off to a Certificate Authority such as Verisign to verify the identity of the requestor and issue a signed certificate; alternatively, generate a self-signed certificate. Some details will be requested to populate the X.509 attributes of the certificate. The following uses SHA-2 when generating the certificate (recommended)
- Enter the following at the command prompt:
- openssl req -new -key serverwp.key -sha256 -out server.csr
- When prompted, enter the appropriate details to the X.509 attributes.
- The following is an example:
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:Middlesex
Locality Name (eg, city) :Ruislip
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hornbill Technologies Ltd
Organizational Unit Name (eg, section) :Development
Common Name (e.g. server FQDN or YOUR name) :supportworks.hornbill.qa
Email Address:[email protected]
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password :
An optional company name :'
- The file server.csr created in the current file path, and the CSR can now be used to send to a CA. Alternatively, the CRS can be used to generate a Self-Signed certificate as detailed below:
Generating a Self-Signed Certificate
- Enter the following command generates a certificate that is valid for 365 days; modify the number of days as required:
- openssl x509 -req -days 365 -in server.csr -signkey serverwp.key -sha256 -out hslcsdef.crt
- When prompted enter the passphrase as noted earlier
- The file server.crt is generated in the current path and should be stored securely.
Removing the Private Key password
When the key is applied, the Apache server will require the password (passphrase) to be entered manually each time the server starts. This will be an issue when running Apache as a service as it is not possible to provide the password at startup. To resolve this the password can be removed using the following command. If the generated key is to be used by software such as the Apache Server, it is required to enter the password (passphrase) each time the server starts. There is no mechanism in place to enter the password when Apache is running as a service therefore it is not possible to provide the password at startup.
- The following command removes the password from the key:
- openssl rsa -in serverwp.key -out hslcsdef.key
- The file hslcsdef.key will of been generated in the current path
IMPORTANT: An unencrypted private key file (hslcsdef.key) must be kept safe and stored securely if the data were to be accessed by a malicious user they can easily access the private key.
Copy both the key and certificate files to the following paths:
hslcsdef.key => <install path>\Core Services\swehttpserver\conf\ssl.key and hslcsdef.crt => <install path>\Core Services\swehttpserver\conf\ssl.crt