I spend some time to find the good way to create own SSL certificate for my apache server running on Raspberry PI. There is a lot of information on the internet for one or tow points bellow, but no one it telling own to make all these requierement working all gether.

This was my needs :

• ssl encription between server (PI) and client
• No warning from browser saying that server certificate is not approved
• Authentification with :
  • client certificate
  • or :
  • Basis authentification with user/password
• Totaly free $$$

The last requierement “totaly free” requiere concession, this means that you will not pay a Certificate autority to have your certificate signed, but the contrepart is you will have to manualy add in your browser(s) the certificate authority you have created. But this is not a big deal… Main references used are :

• How to generate ssl SHA 2 key
• Strong auth between apache and Tomcat
• httpd.apache.org
• magdiblog.fr

(the step bellow assume you already have your rasberry PI running with apache see here to see how to install apache first).

Ready ? So let’s go !!

Step 1 : Create your own certificate authority 

Log on raspberry as root and create the directory :

mkdir /etc/apache2/cert
cd /etc/apache2/cert

openssl genrsa -des3 -out ca.key 2048 -sha512 
openssl req -new -key ./ca.key -out ./ca.csr
openssl x509 -req -days 3650 -in ./ca.csr -out ./ca.crt -signkey ./ca.key -sha512
openssl x509 -in ca.crt -text
openssl rsa -in ca.key -pubout -out ca.public.key

3650 is representing the validity of your certificate, here it is 10 years, but you can change this value as you want.

You will be promted for several information like passphrase. For test porpose I advise to put always the same. Keep it somewhere, it will be necessary in nexts  steps.

For the “Common Name”  you can put someting like “My Private SSL Auth.” or whatever you want. For informaiton this will be display at login.

Step 2 : Create server certificate 

openssl genrsa -des3 -out server.key 2048
openssl req  -new -key ./server.key -out server.csr -sha512
openssl x509 -req  -in ./server.csr -CA ./ca.crt -CAkey ./ca.key -CAcreateserial -out ./server.crt -days 3650 -sha512
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name "Server certificate"
openssl pkcs12 -info -in server.p12
openssl rsa -in server.key -pubout -out server.public.key
openssl rsa -in server.key -out server.nopassphrase.key

For the “Common Name”  you have to put the url used to acess your server

• ex with local adresses : localhost, pi, raspberry
• ex if you access the server from the internet : myprivatepi.mydomain.net or something else

This is the critical point as the certificate trust will be based on this information.

Step 3 : Create client certificate 

If you want to ensure the connection with a trrusted client certificate you can create client certificate and the send this certificate to user (for ex you) to access the server.

openssl genrsa -des3 -out client.key 2048
openssl req -new -key ./client.key -out client.csr  -sha512
openssl x509 -req -in ./client.csr -CA ./ca.crt -CAkey ./ca.key -CAcreateserial -out ./client.crt -days 3650  -sha512
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -name "Client certificate"
openssl pkcs12 -info -in client.p12
openssl rsa -in client.key -pubout -out client.public.key

Here for the “Common Name”  you can put user name like admin, Toto or your own name…

If you need to create several client certificates just change the name and replace “client” by “client1” or better by the name of the user for which this cert if for like “admin”

Next step : Configure apache server for SSL