I spent some time finding a good way to create my own SSL certificate for my Apache server running on a Raspberry Pi. There is a lot of information on the internet about one or two of the points below, but nothing that explains how to make all these requirements work together.
These were my needs:
- SSL encryption between the server (Pi) and the client
- No warning from the browser saying that the server certificate is not trusted
- Authentication with:
  - a client certificate
  - or basic authentication with user/password
- Totally free $$$
The last requirement, “totally free”, requires a concession: you will not pay a certificate authority to sign your certificate, but in return you will have to manually add the certificate authority you created to your browser(s). This is not a big deal… Main references used are :
(The steps below assume you already have your Raspberry Pi running with Apache; see here for how to install Apache first.)
Ready ? So let’s go !!
Step 1 : Create your own certificate authority
Log on to the Raspberry Pi as root and create the directory:
mkdir /etc/apache2/cert
cd /etc/apache2/cert
# CA private key, protected by a passphrase (genrsa has no digest option)
openssl genrsa -des3 -out ca.key 2048
# signing request for the CA certificate
openssl req -new -key ./ca.key -out ./ca.csr
# self-sign the CA certificate
openssl x509 -req -days 3650 -in ./ca.csr -out ./ca.crt -signkey ./ca.key -sha512
# check the result
openssl x509 -in ca.crt -text
# extract the CA public key
openssl rsa -in ca.key -pubout -out ca.public.key
3650 is the validity of your certificate in days, here 10 years, but you can change this value as you want.
You will be prompted for several pieces of information, including a passphrase. For test purposes I advise always using the same one. Keep it somewhere; it will be needed in the next steps.
For the “Common Name” you can put something like “My Private SSL Auth.” or whatever you want. For information, this is what will be displayed at login.
Step 2 : Create server certificate
# server private key, protected by a passphrase
openssl genrsa -des3 -out server.key 2048
# signing request: the Common Name must be the hostname used to reach the server
openssl req -new -key ./server.key -out server.csr -sha512
# sign the request with your CA (-CAcreateserial creates ca.srl on first use)
openssl x509 -req -in ./server.csr -CA ./ca.crt -CAkey ./ca.key -CAcreateserial -out ./server.crt -days 3650 -sha512
# bundle certificate and key in PKCS#12 format and check it
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name "Server certificate"
openssl pkcs12 -info -in server.p12
# public key, and a copy of the private key without passphrase so Apache can start unattended
openssl rsa -in server.key -pubout -out server.public.key
openssl rsa -in server.key -out server.nopassphrase.key
For the “Common Name” you have to put the hostname used to access your server:
- e.g. with local addresses: localhost, pi, raspberry
- e.g. if you access the server from the internet: myprivatepi.mydomain.net or something else
This is the critical point, as the certificate trust will be based on this information.
Step 3 : Create client certificate
If you want to secure the connection with a trusted client certificate, you can create a client certificate and then send it to the user (for example, yourself) to access the server.
# client private key, protected by a passphrase
openssl genrsa -des3 -out client.key 2048
# signing request: the Common Name identifies the user
openssl req -new -key ./client.key -out client.csr -sha512
# sign the request with your CA
openssl x509 -req -in ./client.csr -CA ./ca.crt -CAkey ./ca.key -CAcreateserial -out ./client.crt -days 3650 -sha512
# PKCS#12 bundle to import into the user's browser, then check it
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -name "Client certificate"
openssl pkcs12 -info -in client.p12
# extract the client public key
openssl rsa -in client.key -pubout -out client.public.key
Here, for the “Common Name”, you can put a user name like admin, Toto or your own name…
If you need to create several client certificates, just change the file name: replace “client” with “client1”, or better, with the name of the user the certificate is for, like “admin”.
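Steps 1 to 3 above as a single non-interactive script, added here as an example; these are not the post's own commands. The prompts are answered with -subj and -passin/-passout, and two extensions are added that the interactive commands do not set: basicConstraints on the CA (without it OpenSSL's own verify refuses to treat the certificate as an issuer) and a subjectAltName on the server certificate, which current browsers require for hostname matching (a bare Common Name is no longer accepted). The passphrase (changeit), hostname (pi), user name (admin) and output directory are assumed demo values. The verify_server function at the end reproduces the "critical point" check: it succeeds only for the hostname that is in the certificate.

```shell
#!/bin/sh
# Added example, not code from the original post: steps 1-3 as one
# non-interactive script. Passphrase, directory and CN values are assumptions.
set -eu

PASS="changeit"   # assumed passphrase; the post advises one passphrase everywhere for tests
DAYS=3650         # validity in days, as in the post

# Step 1: self-signed certificate authority. basicConstraints marks it as a CA;
# OpenSSL's verify (and browsers) reject a v3 issuer that lacks it.
make_ca() {
    dir="$1"
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl genrsa -des3 -passout "pass:$PASS" -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -sha512 -key "$dir/ca.key" -passin "pass:$PASS" \
        -subj "/CN=My Private SSL Auth." -out "$dir/ca.csr"
    openssl x509 -req -days "$DAYS" -sha512 -in "$dir/ca.csr" \
        -signkey "$dir/ca.key" -passin "pass:$PASS" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
}

# Steps 2 and 3: a leaf certificate signed by the CA. KIND is "server" or
# "client"; NAME is the hostname (server) or the user name (client).
issue_cert() {
    dir="$1"; kind="$2"; name="$3"
    if [ "$kind" = server ]; then
        # browsers match the hostname against subjectAltName, not the CN alone
        printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$name" > "$dir/$kind.ext"
    else
        printf 'extendedKeyUsage=clientAuth\n' > "$dir/$kind.ext"
    fi
    openssl genrsa -des3 -passout "pass:$PASS" -out "$dir/$kind.key" 2048 2>/dev/null
    openssl req -new -sha512 -key "$dir/$kind.key" -passin "pass:$PASS" \
        -subj "/CN=$name" -out "$dir/$kind.csr"
    openssl x509 -req -days "$DAYS" -sha512 -in "$dir/$kind.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin "pass:$PASS" -CAcreateserial \
        -extfile "$dir/$kind.ext" -out "$dir/$kind.crt" 2>/dev/null
    # PKCS#12 bundle: what a user imports into the browser for a client certificate
    openssl pkcs12 -export -in "$dir/$kind.crt" -inkey "$dir/$kind.key" \
        -passin "pass:$PASS" -passout "pass:$PASS" -name "$kind certificate" \
        -out "$dir/$kind.p12"
    # Apache cannot type a passphrase at boot, so the server key also gets an unencrypted copy
    if [ "$kind" = server ]; then
        openssl rsa -in "$dir/server.key" -passin "pass:$PASS" \
            -out "$dir/server.nopassphrase.key" 2>/dev/null
        chmod 600 "$dir/server.nopassphrase.key"
    fi
}

# The "critical point" check: does server.crt chain to our CA AND carry the
# hostname the browser will use? Exit status 0 = trusted, non-zero = rejected.
verify_server() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver -verify_hostname "$2" \
        "$1/server.crt" >/dev/null 2>&1
}

# Same chain check for the client certificate, with the client-auth purpose.
verify_client() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/client.crt" >/dev/null 2>&1
}

# Usage: sh make-pki.sh [DIR] [HOSTNAME] [USERNAME]; the defaults are assumed demo values.
main() {
    make_ca "$1"
    issue_cert "$1" server "$2"
    issue_cert "$1" client "$3"
    verify_server "$1" "$2" && echo "server.crt is trusted for $2"
    verify_client "$1" && echo "client.crt is trusted for client authentication"
    echo "files written to $1"
}
main "${1:-$(mktemp -d)}" "${2:-pi}" "${3:-admin}"
```

On the Pi you would run it as sh make-pki.sh /etc/apache2/cert raspberry admin, then import ca.crt into the browser and client.p12 into the user's browser. Calling verify_server with any other hostname than the one passed at issue time fails, which is the same mismatch that produces the browser warning the post wants to avoid.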
Next step: Configure the Apache server for SSL