Obtaining a SSL certificate from a Certificate Authority (CA) for the  Apache Server

Perform the following procedure to obtain an SSL certificate from a Certificate Authority (CA) for the Apache server.

Before you begin

Before you begin this procedure, you must set the environment variable appropriate for your operating system: 

• (Microsoft Windows) OPENSSL_CONF=C:\Program Files\BMC Software\TrueSight\pw\apache\conf\openssl.cnf 
• (UNIX or Linux) LD_LIBRARY_PATH=$LD_LIBRARY_PATH: /usr/pw/apache/lib/

To obtain an SSL certificate from a Certificate Authority (CA) for the Apache server

1. Create an RSA private key for your Apache server.
   1. Access the appropriate directory for your operating system:
      • (Microsoft Windows) installationDirectory\pw\apache\bin
      • (UNIX or Linux) /usr/pw/apache/openssl/bin

   2. Enter the the command to create an RSA private key that is Triple-DES encrypted and PEM formatted that is appropriate for your operating system:
      (Microsoft Windows)

      openssl genrsa -des3 -out my-server.key 1024

      (UNIX or Linux)

      openssl genrsa -des3 -out server.key 1024

   3. Back up the key file that you just created. You can see the details of this RSA private key by entering the command appropriate for your operating system: 

      openssl rsa -noout -text -in my-server.key 

      (UNIX or Linux)

      openssl rsa -noout -text -in server.key 

   4. Run the following command to remove the passphrase from the key: 

      #(Microsoft Windows)

      openssl rsa -in my-server.key -out my-server.key

      #(UNIX or Linux)

      openssl rsa -in server.key -out server.key
      

2. Create a Certificate Signing Request (CSR) with the server RSA private key.
   1. Access the appropriate directory for your operating system:
      
      • (Microsoft Windows) installationDirectory\pw\Apache\conf
      • (UNIX or Linux): /usr/pw/apache/openssl/ssl/conf
   2. Copy the files as appropriate for your operating system:
      • (Microsoft Windows) Copy the installationDirectory\pw\Apache\conf\openssl.cnf file into the installationDirectory\pw\Apache\bin directory. 
      • (UNIX or Linux) Copy the /usr/pw/apache/openssl/ssl/conf/openssl.cnf file into the /usr/pw/apache/openssl/bin directory.
   3. Access the appropriate directory for your operating system:
      • (Microsoft Windows) installationDirectory\pw\Apache\bin
      • (UNIX or Linux) /usr/pw/apache/openssl/bin

   4. Enter the command to create a CSR that is PEM formatted that is appropriate for your operating system:
      (Microsoft Windows)

      openssl req -new -key my-server.key -out my-server.csr -config ./openssl.cnf

      (UNIX or Linux)

      openssl req -new -key server.key -out server.csr -config ./openssl.cnf
3. Send the Certificate Signing Request (CSR) to a Certifying Authority (CA) for signing using one of the following methods:
   • Have the CSR be signed by a commercial CA like Verisign or Thawte. This process usually requires you to post the CSR into a web form, pay for the signing, and await the signed certificate that you can then store in a my-server.crt (Microsoft Windows) file or a server.crt (UNIX or Linux) file. For more information about commercial CAs see:
     • Verisign: http://digitalid.verisign.com/server
     • Thawte Consulting: http://www.thawte.com/certs/server/request.html
     • CertiSign Certificadora Digital Ltd: http://www.certisign.com.br
     • IKS GmbH: http://www.iks-jena.de/produkte/ca/
     • Uptime Commerce Ltd: http://www.uptimecommerce.com
     • BelSign NV/SA: http://www.belsign.be
   • Use your own CA and get the CSR signed by this CA.
     The result is then a real certificate that can be used for Apache.
4. Replace the dummy key and certificate files with the real key and certificate files that you have created by following these steps:
   • Access the appropriate directory for your operating system:
     • (Microsoft Windows) installationDirectory\pw\Apache\conf
     • (UNIX) or (Linux) /usr/pw/apache/conf
   • Replace the key file appropriate for your operating system with the RSA private key file that you created in Step Obtaining a SSL certificate from a Certificate Authority (CA) for the Apache Server#1:
     
     • (Microsoft Windows) Replace my-server.key in the installationDirectory\pw\Apache\conf directory.
     • (UNIX or Linux) Replace the server.key file in the /usr/pw/apache/conf directory.
   • Replace the certificate file appropriate for your operating system with the RSA private certificate my-server.crt file that you created in Step 2:
     • (Microsoft Windows) Replace the my-server.cert file in the installationDirectory\pw\Apache\conf directory.
     • (UNIX or Linux) Replace the server.crt file in the /usr/pw/apache/conf directory.