Create Root CA (self-signed):
Let's have a look at the options in detail:
- x509 identifies that a certificate is required, rather than just a certificate request (see below).
- days 30000 sets the certificate to expire in 30000 days. You may want to extend this period. Make a note of the expiry date so that you can renew it when necessary!
- sha1 specifies that SHA1 encryption should be used.
- rsa:2048 sets the key as 2048-bit RSA.
- nodes specifies no passphrase.
- keyout and -out specify where to store the certificate and key. The key should be root-readable only; the certificate can be world-readable, and must be readable by the user that Apache runs as.
- subj flag sets the company name, department name, and the web site address. If you leave these out, you'll be prompted for them. The CN must be the same as the address of your web site, otherwise the certificate won't match and users will receive a warning when connecting. Make sure you don't use a challenge password.
Create it:
sudo openssl req -x509 -nodes -newkey rsa:2048 -sha1 -keyout rootkey.key -out rootca.crt -passin pass:root -days 30000 -subj "/C=DU/ST=Dubai/L=TownCenter/O=AmesCom/CN=AmesCom Int" -config openssl.cnf.my
Encrypt the key manually:
The key is not encrypted because of the -nodes option, so we encrypt it manually (the -aes256 option is what makes openssl rsa wrap the key with a passphrase; without a cipher option it only re-writes the key in the clear):
sudo cp rootkey.key rootkey.key.org
sudo openssl rsa -aes256 -in rootkey.key.org -out rootkey.key
Test it:
To test it immediately, you may follow one of two ways:
openssl x509 -text -noout -in rootca.crt
or examine its contents in a browser:
cp rootca.crt /var/www/html/
From the browser, ask for the address:
http://yourserverdomain/rootca.crt
Now you can create certificate requests and sign them with this self-signed certificate.
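The whole procedure from the post above, carried through to the step it only mentions (signing a request with the root CA and checking the result), as an added example that is not code from the post. It is a plain POSIX shell script; the scratch directory, the server hostname, the demo passphrase and the minimal ca.cnf it writes are assumptions made for the demo. It replaces the post's sha1 with sha256 (browsers reject SHA-1 signatures), puts the hostname in a subjectAltName, and verifies that the issued certificate chains to the root and matches that hostname.

```shell
#!/bin/sh
# Added example, not code from the thread: build a self-signed root CA the way
# the post does, encrypt its key, then issue and verify a server certificate
# signed by it. WORKDIR, SERVER_CN, DEMO_PASS and ca.cnf are demo assumptions.
set -eu

# Nothing to demonstrate without the openssl binary.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping" >&2; exit 0; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_SUBJ="/C=DU/ST=Dubai/L=TownCenter/O=AmesCom/CN=AmesCom Int"
SERVER_CN="www.example.test"     # constructed hostname; must equal the site address
DEMO_PASS="demo-passphrase"      # demo only: in practice let openssl prompt for it

# Minimal request config (the post uses its own openssl.cnf.my). The v3_ca
# section marks the certificate as a CA so verifiers accept it as a trust root.
cat > "$WORKDIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder-overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Step 1: self-signed root CA. -nodes leaves the key unencrypted (as in the
# post); sha256 replaces the post's sha1, which browsers no longer accept.
make_root_ca() {
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -config "$WORKDIR/ca.cnf" -subj "$CA_SUBJ" \
        -keyout "$WORKDIR/rootkey.key" -out "$WORKDIR/rootca.crt" 2>/dev/null
    chmod 600 "$WORKDIR/rootkey.key"   # private key: owner-readable only
    chmod 644 "$WORKDIR/rootca.crt"    # certificate: may be world-readable
}

# Step 2: the post's "encrypt it manually" step. -aes256 is what actually
# wraps the key with a passphrase; -passin is harmless on a plaintext input.
encrypt_ca_key() {
    cp "$WORKDIR/rootkey.key" "$WORKDIR/rootkey.key.org"
    openssl rsa -aes256 -in "$WORKDIR/rootkey.key.org" -passin "pass:$DEMO_PASS" \
        -out "$WORKDIR/rootkey.key" -passout "pass:$DEMO_PASS" 2>/dev/null
    rm -f "$WORKDIR/rootkey.key.org"   # do not leave the plaintext copy behind
}

# Step 3: server key + CSR, signed by the root CA. The SAN carries the
# hostname because browsers no longer match on the CN alone.
issue_server_cert() {
    openssl req -nodes -newkey rsa:2048 -sha256 -config "$WORKDIR/ca.cnf" \
        -subj "/O=AmesCom/CN=$SERVER_CN" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$SERVER_CN" > "$WORKDIR/server.ext"
    openssl x509 -req -sha256 -days 825 -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/rootca.crt" -CAkey "$WORKDIR/rootkey.key" -passin "pass:$DEMO_PASS" \
        -CAcreateserial -extfile "$WORKDIR/server.ext" -out "$WORKDIR/server.crt" 2>/dev/null
}

# Checks. Each prints a single word so a caller can compare the result.
is_self_signed() {   # root CA: issuer must equal subject
    s=$(openssl x509 -noout -subject -in "$WORKDIR/rootca.crt")
    i=$(openssl x509 -noout -issuer  -in "$WORKDIR/rootca.crt")
    [ "${s#subject=}" = "${i#issuer=}" ] && echo yes || echo no
}
key_encrypted() {    # the PEM header of an encrypted key contains ENCRYPTED
    grep -q ENCRYPTED "$WORKDIR/rootkey.key" && echo yes || echo no
}
chain_ok() {         # server cert must chain to the root and match the hostname
    openssl verify -CAfile "$WORKDIR/rootca.crt" -verify_hostname "$SERVER_CN" \
        "$WORKDIR/server.crt" >/dev/null 2>&1 && echo ok || echo FAIL
}

make_root_ca
encrypt_ca_key
issue_server_cert
echo "root CA self-signed : $(is_self_signed)"
echo "CA key encrypted    : $(key_encrypted)"
echo "server cert verifies: $(chain_ok)"
# The post's own quick look at the certificate contents:
openssl x509 -noout -subject -issuer -dates -in "$WORKDIR/server.crt"
```

Run it as `sh make-ca.sh`; it prints yes/yes/ok and the issued certificate's subject, issuer and validity window. The `openssl verify -verify_hostname` line is the check worth keeping in any real setup: it catches a CN or SAN that does not match the site address before users see the browser warning the post mentions.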
Sometimes you need to add an SSLCertificateChainFile option in your apache2.conf.
For example, we use SureServer for our SSL certificates. Sometimes browsers do not contain the full tree for the SSL certificate and you need to supply the missing piece:
SSLEngine On
SSLCertificateFile ...
SSLCertificateKeyFile ...
SSLCertificateChainFile /etc/apache2/sureserverEDU.pem
So you probably need to add your 3rd party CA there.
If I recall correctly rapidSSL has a chain file (RapidSSL_CA_bundle.pem)
Best Answer
SNI-Hole
You've fallen into a SNI hole.
SNI is server name indication. This allows you have multiple different hostnames living on the same shared IP. And if you don't actually indicate a servername to a SNI enabled server, then you get back the default certificate. (This is the "SNI hole" part.)
And OpenSSL will not supply a servername to the TLS server unless you tell it to. Use the -servername parameter for that. If you leave that out, then you get the default certificate for that host. And here that is a self-signed certificate. (And I don't think it should be there either. Makes no sense to deliver a self-signed cert.)
Check that installation
Side note: I urge you to disable SSL3. (SSL Labs report here.)
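The "SNI hole" the answer describes, reproduced locally as an added example (not code from the answer): `openssl s_server` is given a default certificate plus a second one (`-cert2`/`-key2`) that it hands out only when the client's SNI matches `-servername`, and `openssl s_client` is then run without SNI, with the right name and with a wrong name. The hostnames, port and scratch directory are assumptions made for the demo. One caveat to the answer: since OpenSSL 1.1.1, s_client sends the host given to `-connect` as SNI by default, so the script uses `-noservername` to reproduce the no-SNI case explicitly.

```shell
#!/bin/sh
# Added example, not code from the answer: a local SNI-aware TLS server and
# three probes that show which certificate comes back for which SNI value.
# DEFAULT_CN, VHOST_CN, PORT and WORKDIR are demo assumptions.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping" >&2; exit 0; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PORT="${PORT:-14433}"
DEFAULT_CN="default.test"   # what the server hands out when SNI does not match
VHOST_CN="vhost.test"       # the virtual host the client actually wants

# Minimal request config so openssl req works without a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$WORKDIR/req.cnf"

# Two throwaway self-signed certificates, one per virtual host.
for cn in "$DEFAULT_CN" "$VHOST_CN"; do
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 1 -subj "/CN=$cn" \
        -config "$WORKDIR/req.cnf" \
        -keyout "$WORKDIR/$cn.key" -out "$WORKDIR/$cn.crt" 2>/dev/null
done

# Background server: -cert/-key is the default certificate, -cert2/-key2 is
# served only when the client's SNI equals -servername. -www keeps the server
# answering connections instead of reading stdin.
openssl s_server -accept "$PORT" -www \
    -cert "$WORKDIR/$DEFAULT_CN.crt" -key "$WORKDIR/$DEFAULT_CN.key" \
    -cert2 "$WORKDIR/$VHOST_CN.crt" -key2 "$WORKDIR/$VHOST_CN.key" \
    -servername "$VHOST_CN" </dev/null >/dev/null 2>&1 &
SERVER_PID=$!
trap 'kill "$SERVER_PID" 2>/dev/null || true' EXIT

# Wait until the server completes a handshake (it prints its certificate).
server_ready() {
    openssl s_client -connect "127.0.0.1:$PORT" </dev/null 2>/dev/null | grep -q 'BEGIN CERTIFICATE'
}
n=0
until server_ready; do
    n=$((n + 1))
    if [ "$n" -ge 10 ]; then echo "server did not start; skipping" >&2; exit 0; fi
    sleep 1
done

# Fetch the served certificate with the given SNI ("" = send no SNI at all)
# and print only its CN.
served_cn() {
    if [ -n "$1" ]; then set -- -servername "$1"; else set -- -noservername; fi
    openssl s_client -connect "127.0.0.1:$PORT" "$@" </dev/null 2>/dev/null |
        openssl x509 -noout -subject | sed 's/.*CN *= *//'
}

echo "no SNI            -> $(served_cn '')"            # the SNI hole: default cert
echo "SNI=$VHOST_CN     -> $(served_cn "$VHOST_CN")"   # the vhost's own cert
echo "SNI=other.test    -> $(served_cn other.test)"    # unknown name: default again
```

The three lines it prints are the whole point of the answer: only the probe whose SNI matches the virtual host gets `vhost.test`; both the no-SNI and the wrong-name probes get `default.test`. When checking a real installation, the same `-servername` argument on `openssl s_client` is what turns the misleading "self-signed certificate" result into the certificate the browser actually sees.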