In this tutorial, I am assuming that you have a working Apache installation on Debian lenny and that you wish to install a self-signed security certificate for the website example.com. This tutorial should also apply to Ubuntu, but you may need to prefix commands with sudo.
Before we begin, you may want to execute
apt-get update
apt-get upgrade
1- Installing the web server (If not already installed)
You may want to install PHP, MySQL or other things, but that is irrelevant to our tutorial; here we only need the web server.
apt-get install ....
apt-get install openssl ssl-cert
mkdir /etc/apache2/sslkeys
openssl genrsa -des3 -out /etc/apache2/sslkeys/server.key 1024
You will be asked to choose a password and enter it twice. Keep this password on a piece of paper close to you, since we will need it to decrypt this key in the following steps.
The file that will result from this process is either given to the signing authority or used to create a self-signed certificate; here I will demonstrate how to create a self-signed certificate.
Before you execute, keep in mind that your common name is yourwebsite.com; entering anything else when asked for a common name will create a certificate with the wrong domain name!
openssl req -new -key /etc/apache2/sslkeys/server.key -out /etc/apache2/sslkeys/server.csr
As soon as you execute the above, you will be asked for the password you chose in the previous step.
You will also be asked for information about the website's geographic location and other details. It is very important that when asked for a common name, you enter your website's domain name, such as mywebsite.com.
You will also be asked to choose a challenge password. Choose a password, enter it twice, and take note of it; the challenge password need not be the same as the password chosen for the private key.
Removing the password from the private key will allow Apache to start or restart without needing a human to enter the password. On the downside, this means that if the private key file is stolen, someone can fake the secure connection.
Make a backup of the encrypted key
cp /etc/apache2/sslkeys/server.key /etc/apache2/sslkeys/server.key.enc
Decrypt the key into a file
openssl rsa -in /etc/apache2/sslkeys/server.key.enc -out /etc/apache2/sslkeys/server.key
openssl x509 -req -days 365 -in /etc/apache2/sslkeys/server.csr -signkey /etc/apache2/sslkeys/server.key -out /etc/apache2/sslkeys/server.crt
a2enmod ssl
Now that we have a private key and a certificate in the folder /etc/apache2/sslkeys/, the following is an Apache 2.2 configuration that uses that certificate.
Open your website config file, usually found in /etc/apache2/sites-available, copy the website file example.com to example-ssl.com, and make the following changes in the copy.
At the beginning of the file, replace
<VirtualHost *:80>
with
<VirtualHost *:443>
Then add the following 3 lines to the bottom of the config file:
SSLEngine on
SSLCertificateFile /etc/apache2/sslkeys/server.crt
SSLCertificateKeyFile /etc/apache2/sslkeys/server.key
Now, to enable the site, create a symbolic link to the new example-ssl.com file from the folder /etc/apache2/sites-enabled.
For example,
cd /etc/apache2/sites-enabled
ln -s /etc/apache2/sites-available/example.com
ln -s /etc/apache2/sites-available/example-ssl.com
Now, make sure that in the file /etc/apache2/ports.conf you have something like
<IfModule mod_ssl.c>
Listen 443
</IfModule>
In some other distros, you only need to add the following line (or make sure it already exists):
Listen 443
We will now want to restart the web server for the changes to take effect
/etc/init.d/apache2 restart
Again, note that the web directories of the SSL and non-SSL sites can be the same directory (and therefore the user has the choice of SSL or no SSL for the same website), or they can be separate. Just remember that every SSL certificate needs an IP address that is not shared with any other security certificate (other HTTP websites can live on the same IP).
Right now, you should be able to visit http://www.example.com and https://www.example.com and see your website in both cases.
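Because the decrypted server.key is the file SSLCertificateKeyFile points at, its file permissions are the only thing standing between a local user and the key. The script below is an added example, not part of the original tutorial (its function names are hypothetical): it reads the key path from a vhost file and reports whether that key is stored in clear text and readable by anyone other than its owner.

```shell
#!/bin/sh
# Added example (not from the tutorial): report whether the key an Apache
# vhost uses is stored in clear text and readable by anyone but its owner.
# Function names are hypothetical. Run as: sh check_key.sh /path/to/vhost-file

# Print the path given to SSLCertificateKeyFile in a vhost file.
# Apache directive names are case-insensitive, so compare in lower case.
vhost_key_path() {
    awk 'tolower($1) == "sslcertificatekeyfile" { print $2; exit }' "$1"
}

# 0 if the PEM file is passphrase-protected (traditional or PKCS#8 header).
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# 0 if group and other have no permission bits (columns 5-10 of ls -l).
key_is_owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print one verdict line; return 0 = acceptable, 1 = exposed, 2 = cannot check.
audit_vhost_key() {
    key=$(vhost_key_path "$1")
    if [ -z "$key" ] || [ ! -f "$key" ]; then
        echo "UNKNOWN: no readable SSLCertificateKeyFile for $1"
        return 2
    fi
    if key_is_encrypted "$key"; then
        echo "OK: $key is passphrase-protected"
    elif key_is_owner_only "$key"; then
        echo "OK: $key is clear text but owner-only"
    else
        echo "EXPOSED: $key is clear text and readable beyond its owner"
        return 1
    fi
}

# Audit the vhost file named on the command line, if one was given.
if [ "$#" -gt 0 ]; then
    audit_vhost_key "$1"
fi
```

If it reports EXPOSED for /etc/apache2/sslkeys/server.key, running chmod 600 on the key removes group and other access; Apache reads the key as root at startup, so the restart still works.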
Copyright SSL Certificates Cheap 2010 - All trademarks mentioned on the website are the property of their respective owners.