SUSE 12 – enable SSL and Create a Self-Signed Certificate

The SSL module is enabled by default in the global server configuration. In case it has been disabled on your host, activate it with the following command: a2enmod ssl. To finally enable SSL, the server needs to be started with the flag “SSL”. To do so, call a2enflag SSL (case-sensitive!). If you have chosen to encrypt your server certificate with a password, you should also increase the value for APACHE_TIMEOUT in /etc/sysconfig/apache2, so you have enough time to enter the passphrase when Apache starts. Restart the server to make these changes active. A reload is not sufficient.

Creating a Self-Signed Certificate on SUSE 12:

root# openssl req -new > vhostname.csr
root# openssl rsa -in privkey.pem -out vhostname.key
root# openssl x509 -in vhostname.csr -out vhostname.crt -req -signkey vhostname.key -days 3650

Copy the certificate files to the relevant directories, so that the Apache server can read them. Make sure that the private key /etc/apache2/ssl.key/vhostname.key is not world-readable, while the public PEM certificate /etc/apache2/ssl.crt/vhostname.crt is.

SSL – Check whether a private key matches a certificate or whether a certificate matches a certificate signing request (CSR).

If you get an error that the private key doesn’t match the certificate, or that a certificate you installed on a site is not trusted, try one of these commands. Compare an MD5 hash of the public-key modulus taken from the certificate with the one taken from the CSR or the private key; the hashes must be identical.

root# openssl x509 -noout -modulus -in certificate.crt | openssl md5
root# openssl rsa -noout -modulus -in privatekey.key | openssl md5
root# openssl req -noout -modulus -in csr.csr | openssl md5

For example:
root# openssl req -noout -modulus -in just4testcert_req.csr | openssl md5
(stdin)= 61c59f9a9ddddc032e56fe2e46a91409
root# openssl rsa -noout -modulus -in just4test_server.key | openssl md5
(stdin)= 61c59f9a9ddddc032e56fe2e46a91409
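The same check as an added shell script, not part of the original notes: instead of the RSA-only -modulus trick it compares the public key that each file exposes, so it also works for EC keys. The key-generation lines only build constructed test material, every function name is this example's own, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that a private key, a
# certificate and a CSR all carry the same public key. The -modulus trick on
# the page only works for RSA; comparing the SubjectPublicKeyInfo that each
# file exposes works for RSA and EC keys alike. Requires the openssl CLI.

# Print the PEM-encoded public key held in a key, certificate or CSR file.
# $1 = key|crt|csr, $2 = path. Prints nothing and fails if the file is unreadable.
spki_pem() {
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        crt) openssl x509 -in "$2" -pubkey -noout ;;
        csr) openssl req  -in "$2" -pubkey -noout ;;
        *)   echo "spki_pem: kind must be key|crt|csr" >&2; return 2 ;;
    esac
}

# SHA-256 fingerprint of the public key in the given file (stdout), or failure.
# An empty public key counts as failure, so two unreadable files never compare
# as "equal" (hashing two empty inputs would give the same digest).
pubkey_fp() {
    pem=$(spki_pem "$1" "$2" 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{ print $NF }'
}

# Exit 0 if private key $1 and the crt/csr $3 (kind given in $2) match.
key_matches() {
    k=$(pubkey_fp key "$1") || return 1
    o=$(pubkey_fp "$2" "$3") || return 1
    [ "$k" = "$o" ]
}

# Constructed test material: an RSA and an EC key, each with a CSR and a
# self-signed certificate, written into directory $1.
make_test_material() {
    openssl genrsa -out "$1/rsa.key" 2048 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/ec.key"
    for n in rsa ec; do
        openssl req -new -key "$1/$n.key" -subj "/CN=$n.example.test" \
            -out "$1/$n.csr" 2>/dev/null
        openssl x509 -req -days 1 -in "$1/$n.csr" -signkey "$1/$n.key" \
            -out "$1/$n.crt" 2>/dev/null
    done
}

# Walk a directory and report, for every *.key, whether its .crt and .csr match.
report() {
    for key in "$1"/*.key; do
        base=${key%.key}
        for kind in crt csr; do
            if key_matches "$key" "$kind" "$base.$kind"; then
                echo "OK       $key  <->  $base.$kind"
            else
                echo "MISMATCH $key  <->  $base.$kind"
            fi
        done
    done
}

# Stand-alone demo:  sh check_pubkey.sh demo
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d); make_test_material "$dir"; report "$dir"; rm -rf "$dir"
fi
```

To check a production pair, call `key_matches /etc/apache2/ssl.key/vhostname.key crt /etc/apache2/ssl.crt/vhostname.crt` and look at the exit status; MD5 would do for this comparison too, but SHA-256 costs nothing and avoids questions from auditors.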

SSH – PermitRootLogin

PermitRootLogin
Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only”, or “no”.
The default is “yes”.
If this option is set to “without-password”, password authentication is disabled for root.
If this option is set to “forced-commands-only”, root login with public key authentication will be allowed, but only if the command option has been specified. Useful for backups 😉 All other authentication methods are disabled for root.
If this option is set to “no”, root is not allowed to log in.
Thus without-password allows root login only with public key authentication.
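As an added example that is not part of the original notes, a small script around the forced-commands case: the sshd_config line, an authorized_keys entry that pins a key to one backup command, and an audit function that lists every root key lacking a command= option. The key blobs are placeholders, the backup script path and the drop-in file path are assumptions, and the `restrict` option needs OpenSSH 7.2 or later.

```shell
#!/bin/sh
# Added example, not from the original post: "forced-commands-only" is only as
# strong as root's authorized_keys file, so this builds a properly restricted
# entry and audits an existing file for keys that would still get a shell.
# Assumes the OpenSSH authorized_keys layout: [options] keytype key [comment].

# The sshd_config side (drop-in path is an assumption; adjust to your layout).
print_sshd_snippet() {
    cat <<'EOF'
# /etc/ssh/sshd_config.d/10-root.conf (assumed path)
PermitRootLogin forced-commands-only
EOF
}

# Build one authorized_keys line that only lets the key run a fixed command.
# $1 = command to force, $2 = public key ("ssh-ed25519 AAAA... comment").
# "restrict" (OpenSSH 7.2+) disables forwarding, pty, agent and X11 in one word.
restricted_key_line() {
    printf 'command="%s",restrict %s\n' "$1" "$2"
}

# Print every key line in authorized_keys file $1 that has no forced command.
# Comments and blank lines are skipped. Exit 0 if the file is clean, 1 otherwise.
audit_authorized_keys() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        case "$line" in
            *'command="'*) ;;                       # forced command present
            *) echo "unrestricted: $line"; n=$((n + 1)) ;;
        esac
    done < "$1"
    [ "$n" -eq 0 ]
}

# Constructed sample authorized_keys for root (key blobs are placeholders,
# not real keys): one good backup key, two keys that would give a shell.
write_sample_keys() {
    {
        echo '# backup key: may only run the backup script'
        restricted_key_line '/usr/local/sbin/backup.sh' \
            'ssh-ed25519 AAAAC3PLACEHOLDER1 backup@host'
        echo 'ssh-ed25519 AAAAC3PLACEHOLDER2 admin@laptop'
        echo 'no-pty,no-port-forwarding ssh-rsa AAAAB3PLACEHOLDER3 old@box'
        echo ''
    } > "$1"
}

# Stand-alone demo:  sh audit_root_keys.sh demo
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp); write_sample_keys "$f"
    print_sshd_snippet
    audit_authorized_keys "$f" || echo "root's authorized_keys needs attention"
    rm -f "$f"
fi
```

Run `audit_authorized_keys /root/.ssh/authorized_keys` on a host that is meant to be in forced-commands-only mode; anything it prints is a key that sshd would happily turn into an interactive root shell the moment PermitRootLogin is relaxed.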

Generate self-signed SSL certificate in one line

If you need a quick self-signed certificate, you can generate the key/certificate pair, then sign it, all with one openssl line:

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt

Output:

root~#:/tmp/ssl$ openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
........................................................................+++
.....+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IE
State or Province Name (full name) [Some-State]:Dublin
Locality Name (eg, city) []:Dublin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Internet 4network Ltd
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:dump.4network.eu
Email Address []:
root~#:/tmp/ssl$ l
total 16
drwxr-xr-x 2 root root 4096 Jul 1 17:18 .
drwxrwxrwt 10 root root 4096 Jul 1 17:17 ..
-rw-r--r-- 1 root root 1326 Jul 1 17:18 server.crt
-rw-r--r-- 1 root root 1704 Jul 1 17:18 server.key
root~#:/tmp/ssl$

Data Synchronizer Mobility Connector and a self-signed cert.

To use the Mobility Pack with a self-signed certificate (normally for testing purposes), follow these instructions. NOTE: you can give the .key and .cert files any name you like initially, because you are going to rename the result to “mobility.pem” later. Open a terminal and run the following commands:

openssl genrsa 1024 > anything.key
chmod 400 anything.key
openssl req -new -x509 -nodes -sha1 -days 365 -key anything.key > anything.cert

Now that you’ve created the key and cert file you need to concatenate the two files into a .pem file with this command, private key first, then cert. You can also remove the .key file for security purposes in the same command.

cat anything.key anything.cert > anything.pem && rm anything.key
chmod 400 anything.pem

Once you’ve created the .pem file, rename it to “mobility.pem” and replace the existing mobility.pem in /var/lib/datasync/device with it.
WinMobile devices require a .cer certificate file (as opposed to .pem). Make a copy of the .pem file and convert it to DER:

openssl x509 -in mobility.pem -inform PEM -out mobility.der -outform DER

Rename mobility.der to mobility.cer and move it into the /var/lib/datasync/device directory.
Restart the connectors and resync with your device; you should no longer get certificate errors when the device connects with your self-signed cert.

Creating a new SSL certificate

1. If the key is missing, create a new one:
root# openssl genrsa -out filename.key 1024

2. Create a CSR
root# openssl req -new -key filename.key -out filename.csr

3. Remove the pass-phrase from the key (skip this step if the key has no pass-phrase).
One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase each time the web server is started. It is possible to remove the Triple-DES encryption from the key, thereby no longer needing to type in a pass-phrase. If the private key is no longer encrypted, it is critical that this file only be readable by the root user! If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked. With that being said, use the following command to remove the pass-phrase from the key:

cp filename.key filename.key.org
openssl rsa -in filename.key.org -out filename.key

4. Generate the (self-signed) certificate
root# openssl x509 -req -days 730 -in filename.csr -signkey filename.key -out filename.crt

5. Combine the key and certificate into a single .pem file
root# cat filename.key filename.crt > filename.pem
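The whole key, CSR, self-signed certificate, .pem and DER sequence as one added script that is not part of the original notes; it also covers the SUSE procedure, the one-line variant and the Mobility .pem/.cer steps earlier on the page. It departs from the page's parameters where they are below current minimums: 2048-bit RSA instead of 1024, SHA-256 instead of -sha1, and a subjectAltName, which current browsers require. The umask is there because the one-liner's directory listing above shows server.key created world-readable (-rw-r--r--), the opposite of what the SUSE section asks for. The function names, the 730-day default and the .ext scratch file are this example's own; the host name is the one from the page, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post: key -> CSR -> self-signed cert ->
# combined .pem / DER copy, with a 2048-bit key, SHA-256 and a SAN, and with the
# private key never readable by anyone but its owner. Requires the openssl CLI.
set -u

# Create $2/$1.key (0600), $2/$1.csr and a self-signed $2/$1.crt (0644).
# $1 = host name, $2 = output directory, $3 = days of validity (default 730).
make_self_signed() {
    host=$1; dir=$2; days=${3:-730}
    ext="$dir/$host.ext"
    # Extension file for the self-signed cert; the CN alone is ignored by
    # modern clients, the SAN is what they check.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$ext"
    # umask 077 guarantees the key is never world-readable, not even briefly.
    (umask 077 && openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null) || return 1
    openssl req -new -sha256 -key "$dir/$host.key" -subj "/CN=$host" \
        -out "$dir/$host.csr" 2>/dev/null || return 1
    openssl x509 -req -sha256 -days "$days" -in "$dir/$host.csr" \
        -signkey "$dir/$host.key" -extfile "$ext" \
        -out "$dir/$host.crt" 2>/dev/null || return 1
    chmod 0644 "$dir/$host.crt"     # the certificate is public
    rm -f "$ext"
}

# Combined key+cert .pem (key first, as the Mobility connector expects) and a
# DER copy of the certificate only (the .cer that Windows Mobile wants).
# The DER file is handed to clients, so it must never contain the private key.
bundle_pem_and_der() {
    host=$1; dir=$2
    (umask 077 && cat "$dir/$host.key" "$dir/$host.crt" > "$dir/$host.pem") || return 1
    openssl x509 -in "$dir/$host.crt" -inform PEM \
        -out "$dir/$host.cer" -outform DER || return 1
}

# Permission string of a file as ls prints it, e.g. "-rw-------" (portable).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Post-check: does certificate $1 carry DNS name $2 in its subjectAltName?
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Stand-alone demo:  sh make_cert.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_self_signed dump.4network.eu "$d" 730 \
        && bundle_pem_and_der dump.4network.eu "$d" \
        && ls -l "$d"
fi
```

After running it, copy the .key into /etc/apache2/ssl.key/ and the .crt into /etc/apache2/ssl.crt/ as the SUSE section describes; `mode_of` on each file is a quick way to confirm the key stayed at 0600 after the copy.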