Create keys required by EPP over SSL. (This is somewhat based on http://sandbox.rulemaker.net/ngps/m2/howto.ca.html.)

Create a directory (here named ssl), enter it and copy CA.pl into it:

    cd ssl
    cp /usr/lib/ssl/misc/CA.pl ./

If you'd like to change the default validity periods of the certificates, edit CA.pl and change the $DAYS and $CADAYS variables (note that $CADAYS > $DAYS). (Also change default_days in /etc/ssl/openssl.cnf to match $DAYS.)

Create a new CA:

    ./CA.pl -newca

and answer a series of questions. If it completes without errors, you should see a demoCA directory.

Then run the following script in that directory with one argument, the common name used for the key and certificate files (say, in ssl run ./createandsigncerts.sh name):

    #!/bin/bash
    # Usage: ./createandsigncerts.sh name
    # Creates a request, signs it with the CA in demoCA, writes an unencrypted
    # copy of the private key and stores the certificate's MD5 fingerprint.
    [ -n "$1" ] || { echo "usage: $0 name" >&2 ; exit 1 ; }
    ./CA.pl -newreq && \
    ./CA.pl -sign && \
    openssl rsa -in newkey.pem -out newkey.unenc.pem && \
    export TEMP=`openssl x509 -noout -fingerprint -md5 -in newcert.pem` && \
    echo "${TEMP#"MD5 Fingerprint="}" >"cert.${1}.md5" && \
    for i in new* ; do mv "${i}" "${i%.pem}.${1}.pem" ; done && \
    for i in new* ; do mv "${i}" "${i#new}" ; done

It will create 5 files:

    cert.name.md5 - MD5 of the certificate, this needs to be stored in registraracl
    cert.name.pem - the certificate
    key.name.pem - the private key in encrypted version
    key.unenc.name.pem - the private key in unencrypted version
    req.name.pem - the certificate request

Now you can copy cert.name.pem and key.unenc.name.pem to the location where they'll be used by Apache for SSL (the location is written in /usr/share/fred-mod-eppd/02-fred-mod-eppd-apache.conf). Don't forget to copy demoCA/cacert.pem. You can change the location in the Apache httpd configuration as well, it's up to you. In the end, the files must match the configuration and be readable by Apache httpd.

An example:

    sudo cp demoCA/cacert.pem /usr/share/fred-mod-eppd/ssl/
    sudo cp cert.name.pem /usr/share/fred-mod-eppd/ssl/cert.fred.pem
    sudo cp key.unenc.name.pem /usr/share/fred-mod-eppd/ssl/key.unenc.fred.pem

For each registrar that has to connect to FRED via EPP, you need to add a password and the MD5 fingerprint of the registrar's SSL certificate. (To create SSL keys for a registrar you can use the script mentioned above, e.g. ./createandsigncerts.sh registrar. Then you can simply use the contents of cert.registrar.md5.)

    fred-admin --registrar_acl_add --handle='HANDLE' --certificate='BA:D1:C0:FF:EE' --password='p@ssw0rd'

Most probably you will also need to adjust the fred-client configuration, which can be found in /etc/fred/fred-client.conf by default. Pay attention to the SSL and password settings. Generate and use the key and certificate as described above. Don't forget that both sides need to use the same CA. If you ran ./createandsigncerts.sh registrar, you should use key.unenc.registrar.pem and cert.registrar.pem.
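
The checks below are an added example, not part of the original howto or of FRED: they confirm that a certificate, its unencrypted key, the CA certificate and the stored .md5 file belong together before the files are copied or the fingerprint is registered. The function names cert_md5 and check_pair, and the rule that the unencrypted key must not be world-readable, are assumptions of this example.

```bash
#!/bin/bash
# Added example, not part of the original howto. Checks the files written by
# createandsigncerts.sh before they are deployed or registered.

# Print a certificate's MD5 fingerprint in the form stored in cert.NAME.md5.
cert_md5() {
    local fp
    fp=$(openssl x509 -noout -fingerprint -md5 -in "$1" 2>/dev/null) || return 1
    echo "${fp#*=}"
}

# check_pair CA_CERT CERT UNENC_KEY MD5_FILE
# Prints one line per failed check and returns 0 only if all of them pass.
check_pair() {
    local ca="$1" cert="$2" key="$3" md5file="$4" rc=0 pub

    # 1. The certificate must be signed by the CA both sides are configured with.
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' ||
        { echo "FAIL: $cert does not verify against $ca"; rc=1; }

    # 2. The unencrypted key must carry the same public key as the certificate.
    #    "-passin pass:" makes an encrypted key fail instead of prompting.
    pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || pub=
    if [ -z "$pub" ] ||
       [ "$pub" != "$(openssl pkey -pubout -in "$key" -passin pass: 2>/dev/null)" ]; then
        echo "FAIL: $key does not match $cert"; rc=1
    fi

    # 3. The stored fingerprint (the value given to --certificate) must be the
    #    fingerprint of this certificate.
    if [ ! -s "$md5file" ] ||
       [ "$(cert_md5 "$cert")" != "$(cat "$md5file")" ]; then
        echo "FAIL: $md5file is not the MD5 fingerprint of $cert"; rc=1
    fi

    # 4. Assumption of this example: the unencrypted key should not be
    #    world-readable; the web server's user is the only reader it needs.
    [ -z "$(find "$key" -perm -004 2>/dev/null)" ] ||
        { echo "FAIL: $key is world-readable"; rc=1; }

    return "$rc"
}

# Run the checks when called with the four file names.
if [ "$#" -eq 4 ]; then check_pair "$@"; fi
```

Saved under a name of your choice and run in the ssl directory with the arguments demoCA/cacert.pem cert.name.pem key.unenc.name.pem cert.name.md5, it prints nothing and exits with status 0 when the set is consistent.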