≡ Menu

How To Generate SSL Key, CSR and Self Signed Certificate For Apache

Apache mod_ssl certificateIf you want to convert your website from HTTP to HTTPS, you need to get a SSL certificate from a valid organization like Verisign or Thawte. You can also generate self signed SSL certificate for testing purpose.

In this article, let us review how to generate private key file (server.key), certificate signing request file (server.csr) and webserver certificate file (server.crt) that can be used on Apache server with mod_ssl.

Key, CSR and CRT File Naming Convention

I typically like to name the files with the domain name of the HTTPS URL that will be using this certificate. This makes it easier to identify and maintain.

  • Instead of server.key, I use www.thegeekstuff.com.key
  • Instead of server.csr, I use www.thegeekstuff.com.csr
  • Instead of server.crt, I use www.thegeekstuff.com.crt

1. Generate Private Key on the Server Running Apache + mod_ssl

First, generate a private key on the Linux server that runs Apache webserver using openssl command as shown below.

# openssl genrsa -des3 -out www.thegeekstuff.com.key 1024
Generating RSA private key, 1024 bit long modulus
e is 73547 (0x01001)
Enter pass phrase for www.thegeekstuff.com.key:
Verifying - Enter pass phrase for www.thegeekstuff.com.key:

# ls -ltr www.thegeekstuff.*
-rw-r--r-- 1 root root   963 Jun 13 20:26 www.thegeekstuff.com.key

The generated private key looks like the following.

# cat www.thegeekstuff.com.key
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,485B3C6371C9916E


2. Generate a Certificate Signing Request (CSR)

Using the key generate above, you should generate a certificate request file (csr) using openssl as shown below.

# openssl req -new -key www.thegeekstuff.com.key -out www.thegeekstuff.com.csr
Enter pass phrase for www.thegeekstuff.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:California
Locality Name (eg, city) [Newbury]:Los Angeles
Organization Name (eg, company) [My Company Ltd]:The Geek Stuff
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []: thegeekstuff
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# ls -ltr www.thegeekstuff.*
-rw-r--r-- 1 root root   963 Jun 13 20:26 www.thegeekstuff.com.key
-rw-r--r-- 1 root root   664 Jun 13 20:35 www.thegeekstuff.com.csr

3. Generate a Self-Signed SSL Certificate

For testing purpose, you can generate a self-signed SSL certificate that is valid for 1 year using openssl command as shown below.

# openssl x509 -req -days 365 -in www.thegeekstuff.com.csr -signkey www.thegeekstuff.com.key -out www.thegeekstuff.com.crt
Signature ok
subject=/C=US/ST=California/L=Los Angeles/O=thegeekstuff/OU=IT/CN=www.thegeekstuff.com
Getting Private key
Enter pass phrase for www.thegeekstuff.com.key:

# ls -l www.thegeekstuff*
-rw-r--r-- 1 root root   963 Jun 13 20:26 www.thegeekstuff.com.key
-rw-r--r-- 1 root root   664 Jun 13 20:35 www.thegeekstuff.com.csr
-rw-r--r-- 1 root root   879 Jun 13 20:43 www.thegeekstuff.com.crt

# cat www.thegeekstuff.com.crt

You can use this method to generate Apache SSL Key, CSR and CRT file in most of the Linux, Unix systems including Ubuntu, Debian, CentOS, Fedora and Red Hat.

4. Get a Valid Trial SSL Certificate (Optional)

Instead of signing it youself, you can also generate a valid trial SSL certificate from thawte. i.e Before spending the money on purchasing a certificate, you can also get a valid fully functional 21 day trial SSL certificates from Thawte. Once this valid certificate works, you can either decide to purchase it from Thawte or any other SSL signing organization.

This step is optional and not really required. For testing purpose, you can always use the self-signed certificate that was generated from the above step.

Go to Thwate trial certificate request page and do the following:

  • Select “SSL Web Server Certificate (All servers)” under the “select your trial certificate”.
  • Do not check the PKCS #7 check-box under the “configure certificate”
  • Copy/Paste the *.csr file that you generate above in the textbox under “certificate signing request (CSR)”
  • Click on next at the bottom, which will give you a 21-day free trial certificate.

Copy/Paste the trial certificate to the www.thegeekstuff.com.crt file as shown below.

# cat www.thegeekstuff.com.crt

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

{ 18 comments… add one }

  • aldo July 8, 2009, 9:18 am

    Get a Valid free SSL Certificate with CAcert

  • thanhdat July 8, 2009, 9:31 am

    Great post, Just a litte comment: I think we should enable mod_ssl for apache using “a2enmod ssl” and if you have time, please show us how to apply the cert to a website. Thanxxxxxx

  • Vimal July 8, 2009, 10:20 am

    Well written and easy to understand. I had been though this before and always found it confusing at some point or other.

  • Zeke Krahlin July 8, 2009, 11:04 am

    Thanks for the SSL tips…however, in this article you emailed to subscribers, is also included a Google advertisement at the end, called “Do Not Buy SSL”. So I went to the linked page and sho nuff: I can get top notch SSL service absolutely free, from Comodo. If it weren’t for that little ad (and if it weren’t for my subscription to your list) I would have assumed by your article, that you must always pay for SSL.

  • Ramesh Natarajan July 8, 2009, 6:49 pm

    @Aldo, Thanks for bringing CACert.org to our attention.

    @thanhdat, Thanks for the mention of the a2enmod ssl. I believe all the a2* commands (a2ensite, a2dissite, a2enmod, a2dismod) are for distros based on Debian? Is that correct?

    @Vimal, Thanks for your feedback. I appreciate it.

    @Zeke, I’m glad it worked out for you. Like Aldo mentioned you can get free certificate from CACert.org also.

  • Orlin July 13, 2009, 2:20 am

    Hi good one,

    any info how I can make Self Signed certificate for multi domain.
    Because I have couple of web sites hosted on my server and I want to use this certificate for all of them I have found some how-toes but all of the are not working or incomplete or theya re talking about totaly different aproaches like to add in /etc/ssl/openssl.cfg:

    0.commonName ….
    and then

    or the other thing is to add alter names
    any ideas?


  • Ramesh Natarajan July 14, 2009, 9:56 pm

    @Orlin, Regarding your question: How to create a self-signed SSL certificates for multiple domains?

    When you say multi-domain, are you talking about a wildcard certificates for subdomains? i.e Same SSL certificate for dev.mydomain.com, test.mydomain.com, prod.mydomain.com? If yes, while creating the certificate using openssl, use *.mydomain.com for the common name to create a certificate for multiple sub-domains.

  • Joe Doe March 9, 2010, 12:59 am

    “use *.mydomain.com for the common name to create a certificate for multiple sub-domains”

    Does this then also applies for https://mydomain.xyz – without any subdomain?

  • Vimuth March 11, 2010, 12:11 pm

    Thank you loads for the great post. Can you please advice me as to how I should use go about using the same certificate on 2 apache servers(fail over) For an instance say my primary httpd server is box1.mynet.jazz and the second one is box2.mynet.jazz. I want to use the same certificate on the box2. Am I suppose to copy the .key and the .crt files from primary(box1) on to the same location or should I generate the certificate with a different approach. I look forward to bring this concept on to my production environment so please try to advice. Much appreciated if the steps are mentioned clearly.

  • Vimuth March 15, 2010, 3:22 am

    Im still counting on your reply Mr Ramesh! Thanks

  • Kunnu Singh July 3, 2010, 1:20 am

    any site that can generate CSR Certificate online?

    sorry for bad eng..

  • Chris June 13, 2011, 11:39 am

    Is it possible to create a single CSR for multiple domains i.e., mydomain.com, mydomain.net, mydomain.org, etc… ??

  • Ramon Long July 30, 2012, 8:23 am


    CACert is great. The only “problem” is the oligarchy of commercial CAs, and the lack of inclusion of CACert’s root certificate in commercial OSes and most/all web browsers. This means I have no problem using CACert for internal services, but, it is easier to use self-signed certificate from my organizations internal CA. I would still use CACert for other purposes.

    It is too much of a hassle to have non-technical users outside of my organization (i.e., anonymous site visitors) install a root certificate on their Windows and Mac desktops.

    We should push for greater traction for services like CACert and get their root certificate bundled in with at least one major browser. Wikipedia states they were working on an inclusion in Mozilla-based browsers, but that the request was withdrawn.

  • SteveM November 16, 2012, 8:13 pm

    CACert is not a trusted CA for most web-browsers. However, StartSSL provides free certificates and is a trusted CA for most browsers.

  • limi July 1, 2013, 3:34 am

    after get crt file what next step should we do? how to import it?

  • nicorellius February 4, 2014, 2:21 pm

    thanks for the great instructions… I tweaked them for 2048 and it worked like a charm 😉

  • Anantha April 1, 2014, 5:55 pm

    Is there any difference between these two modules?
    Do I need mod_ssl, as I can generates certificates using OpenSSL tool, I hope OpenSSL also does encryptions

  • Charlie August 10, 2014, 2:37 pm

    PLEASE do NOT follow the steps on this page blindly. The key size specified might have been ok in 2009, but are no longer valid after October 2013 and will result in a keyexchange that will be easily broken by determined hackers.

Leave a Comment