How To Generate SSL Key, CSR and Self Signed Certificate For Apache

If you want to convert your website from HTTP to HTTPS, you need to get a SSL certificate from a valid organization like Verisign or Thawte. You can also generate self signed SSL certificate for testing purpose.

In this article, let us review how to generate private key file (server.key), certificate signing request file (server.csr) and webserver certificate file (server.crt) that can be used on Apache server with mod_ssl.

Key, CSR and CRT File Naming Convention

I typically like to name the files with the domain name of the HTTPS URL that will be using this certificate. This makes it easier to identify and maintain.

  • Instead of server.key, I use
  • Instead of server.csr, I use
  • Instead of server.crt, I use

1. Generate Private Key on the Server Running Apache + mod_ssl

First, generate a private key on the Linux server that runs Apache webserver using openssl command as shown below.

# openssl genrsa -des3 -out 1024

Generating RSA private key, 1024 bit long modulus
e is 73547 (0x01001)
Enter pass phrase for
Verifying - Enter pass phrase for

# ls -ltr www.mylinuxvps.*
-rw-r--r-- 1 root root 963 Jun 13 20:26

The generated private key looks like the following:

# cat

Proc-Type: 4,ENCRYPTED


2. Generate a Certificate Signing Request (CSR)

Using the key generate above, you should generate a certificate request file (csr) using openssl as shown below:

# openssl req -new -key -out

Enter pass phrase for
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:EU
State or Province Name (full name) [Berkshire]:Amsterdam
Locality Name (eg, city) [Newbury]:Amsterdam
Organization Name (eg, company) [My Company Ltd]:MyLinuxVPS
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []: MyLinuxVPS
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# ls -ltr www.mylinuxvps.*
-rw-r--r-- 1 root root 963 Jun 13 20:26
-rw-r--r-- 1 root root 664 Jun 13 20:35

3. Generate a Self-Signed SSL Certificate

For testing purpose, you can generate a self-signed SSL certificate that is valid for 1 year using openssl command as shown below:

# openssl x509 -req -days 365 -in -signkey -out

Signature ok
Getting Private key
Enter pass phrase for

# ls -l www.mylinuxvps*
-rw-r--r-- 1 root root 963 Jun 13 20:26
-rw-r--r-- 1 root root 664 Jun 13 20:35
-rw-r--r-- 1 root root 879 Jun 13 20:43

# cat

You can use this method to generate Apache SSL Key, CSR and CRT file in most of the Linux, Unix systems including Ubuntu, Debian, CentOS, Fedora and Red Hat.

4. Get a Valid Trial SSL Certificate (Optional)

Instead of signing it youself, you can also generate a valid trial SSL certificate from thawte. i.e Before spending the money on purchasing a certificate, you can also get a valid fully functional 21 day trial SSL certificates from Thawte. Once this valid certificate works, you can either decide to purchase it from Thawte or any other SSL signing organization.

This step is optional and not really required. For testing purpose, you can always use the self-signed certificate that was generated from the above step.

Go to Thwate trial certificate request page and do the following:

  • Select “SSL Web Server Certificate (All servers)” under the “select your trial certificate”.
  • Do not check the PKCS #7 check-box under the “configure certificate”
  • Copy/Paste the *.csr file that you generate above in the textbox under “certificate signing request (CSR)”
  • Click on next at the bottom, which will give you a 21-day free trial certificate.

Copy/Paste the trial certificate to the file as shown below.

# cat

Be the first to comment

Leave a Reply