First, you need to generate a random RSA key in ~/ssl/key. The contents of this newly created file must remain private.

  $ mkdir -m 0700 ~/ssl
  $ cd ~/ssl
  $ openssl genrsa -out key 2048

The following command will generate a standard X.509 Certificate Signing Request ("CSR") which can be submitted to a certification authority (unless you want a self-signed certificate). The protocol requires that the Common Name ("CN") match exactly your account's "main domain name" (configurable from the Parameters section of the web interface).

  $ openssl req -new -key key -out csr
  Using configuration from /etc/ssl/openssl.cnf
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) AU: US
  State or Province Name (full name) Some-State: Georgia
  Organization Name (eg, company) Internet Widgits Pty Ltd: Pinhead Enterprizes
  Organizational Unit Name (eg, section) : electro-shock ward
  Common Name (eg, YOUR name) : pinhead.com
  Email Address : zapped@pinhead.com
  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password : (enter)
  An optional company name :(enter)

At this point, you might wish to submit your certficate for a Certificate Signing Request via a certification authority, such as Thawte. Alternatively you may sign the certificate yourself with the following command -

  $ openssl x509 -req -days 365 -in csr -signkey key -out cert

The -days argument refers to the validity period. In this example, the certificate would expire one year from now.

It will take up to 30 minutes for the new certificate to be included in the web server configuration. If there is a problem with the SSL certificate, an error message will show up in /var/log/users/yourname and the file cert will be renamed to cert.rej.

Prior to the inclusion of your vhost in the SSL httpd configuration file, csoftadm performs a few verifications on the certificate and key. You may run these checks manually using the following commands:

  # For RSA keys:
  $ openssl rsa -in key
  
  # For DSA keys:
  $ openssl dsa -in key
  
  # Use -passin for keys with passphrases:
  $ openssl dsa -in key -passin file:pp
  
  # To read a X.509 certificate fingerprint:
  $ openssl x509 -in cert -fingerprint

The following command may be used to read the CN (Common Name) of the certificate. This value must match your main domain name exactly. Mismatch of the CN and the main domain is the most common cause of failure.

  # To read a X.509 certificate subject:
  $ openssl x509 -in cert -subject

For the more adventurous, here is a little script that will read off lots of data, like above, on both a cert and a key.

• ssl(8) - Details for libssl and libcrypto
• openssl(1) - Command line tool
• mod_ssl - The Apache Interface to OpenSSL
• OpenSSL - SSL v2/v3 and TLS v1 toolkit
• Ten Risks of PKI - What You're Not Being Told About Public Key Infrastructure