ronanchilvers.com
There are a number of ways to set up SSL on a web host. The purpose of this howto is to provide a guide on setting up a local certificate authority (CA) and then using that authority to set up a certificate that can be used with the apache2 webserver, as provided by Debian (backports as of this writing, but should be part of sarge release).
The first step is to set up the CA. The CA allows you to sign an SSL certificate so that anyone who has the necessary CA data can verify its integrity.
Create the CA key
openssl genrsa -des3 -out my-ca.key 2048
Create the CA certificate
openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt
To generate a server certificate we first need to generate a certificate signing request to pass to the CA. The signing request is then signed by the CA to create the certificate. Note that server keys should be either 512 or 1024 bits in length - other values have been reported to cause problems.
Create certificate signing request (server.csr) and private key (privkey.pem)
openssl req -new -out server.csr
NOTE: Make sure that the 'Common Name' you specify is the FQDN of the SSL site you are setting up.
Create the server key using the private key without a password
openssl rsa -in privkey.pem -out server.key
Sign the server certificate request with the local CA key to create the server certificate
openssl x509 -req -in server.csr -out server.crt \
    -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650
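The CA and server-certificate steps above, run end to end non-interactively, as an added example that is not part of the original howto. Every name in it (the scratch directory, the passphrases, the subject fields) is constructed for the example; the only departures from the howto's commands are AES-256 instead of -des3 for the CA key and SHA-256 instead of -sha1 for the signature. The closing checks are the ones worth running before copying anything into /etc/apache2: the certificate chains to my-ca.crt, the private key really belongs to the certificate, and verification without the CA certificate fails, which is exactly the warning a browser shows until my-ca.crt is added to its trust list.

```shell
#!/bin/sh
# Added example: builds a throwaway local CA, a server key and CSR, signs the
# CSR with the CA and checks the result. Names below are constructed for the
# example; the passphrases are placeholders, not real secrets.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"              # scratch directory (assumption)
CA_PASS="${CA_PASS:-example-ca-passphrase}"     # constructed CA key passphrase
KEY_PASS="${KEY_PASS:-example-key-passphrase}"  # constructed privkey.pem passphrase
FQDN="${FQDN:-secure.mysite.com}"               # Common Name of the SSL site

# Step 1: encrypted CA key and self-signed CA certificate
# (AES-256 here where the howto uses -des3; everything else as in the howto).
make_ca() {
    openssl genrsa -aes256 -passout "pass:$CA_PASS" \
        -out "$WORKDIR/my-ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$WORKDIR/my-ca.key" \
        -passin "pass:$CA_PASS" -subj "/O=Example Local CA/CN=Example Local CA" \
        -out "$WORKDIR/my-ca.crt"
}

# Step 2: CSR plus passphrase-protected private key (privkey.pem), then the
# passphrase is stripped to produce server.key, as the howto does with
# "openssl rsa -in privkey.pem -out server.key". The CN must be the FQDN.
make_server_request() {
    openssl req -new -newkey rsa:2048 -keyout "$WORKDIR/privkey.pem" \
        -passout "pass:$KEY_PASS" -subj "/CN=$FQDN" \
        -out "$WORKDIR/server.csr" 2>/dev/null
    openssl rsa -in "$WORKDIR/privkey.pem" -passin "pass:$KEY_PASS" \
        -out "$WORKDIR/server.key" 2>/dev/null
    chmod 0400 "$WORKDIR"/*.key   # the howto's "chmod 0400 *.key" step
}

# Step 3: sign the request with the local CA (SHA-256 instead of -sha1).
# -CAcreateserial writes my-ca.srl next to my-ca.crt on first use.
sign_server_request() {
    openssl x509 -req -in "$WORKDIR/server.csr" -sha256 -days 3650 \
        -CA "$WORKDIR/my-ca.crt" -CAkey "$WORKDIR/my-ca.key" \
        -passin "pass:$CA_PASS" -CAcreateserial \
        -out "$WORKDIR/server.crt" 2>/dev/null
}

# Subject of the issued certificate in RFC 2253 form, e.g. "CN=secure.mysite.com"
cert_cn() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}

# "ok" when server.crt verifies against the CA file given as $1, "fail"
# otherwise. An empty $1 means no extra CA: the default trust store only,
# which is what a browser has before my-ca.crt is installed.
verify_status() {
    if [ -n "$1" ]; then
        openssl verify -CAfile "$1" "$WORKDIR/server.crt" >/dev/null 2>&1 \
            && echo ok || echo fail
    else
        openssl verify "$WORKDIR/server.crt" >/dev/null 2>&1 \
            && echo ok || echo fail
    fi
}

# "yes" when the public key inside server.crt is the one derived from
# server.key, i.e. the key and certificate that will be installed belong together.
key_matches_cert() {
    [ "$(openssl x509 -in "$WORKDIR/server.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORKDIR/server.key" -pubout 2>/dev/null)" ] \
        && echo yes || echo no
}

make_ca
make_server_request
sign_server_request
echo "Issued certificate for $(cert_cn) in $WORKDIR"
echo "Verifies with my-ca.crt: $(verify_status "$WORKDIR/my-ca.crt")"
echo "Verifies without my-ca.crt: $(verify_status "")"
echo "server.key matches server.crt: $(key_matches_cert)"
```

Set WORKDIR to a directory of your choice to keep the files; the script otherwise writes into a fresh mktemp directory, and my-ca.key, server.key, server.crt and my-ca.crt in it map one-to-one onto the files the rest of the howto copies into /etc/apache2/ssl.key and /etc/apache2/ssl.cert.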
The certificates now need to be installed into their correct places on the server.
Set key permissions
chmod 0400 *.key
Create server key and certificate directories
mkdir /etc/apache2/ssl.cert
mkdir /etc/apache2/ssl.key
Copy the keys and certificates across to the server configuration
cp server.key /etc/apache2/ssl.key/
cp server.crt /etc/apache2/ssl.cert/
cp my-ca.crt /etc/apache2/ssl.cert/
We now need to configure apache2 to use the certificates. The following assumes the use of mod_ssl and that the a2enmod and a2ensite utilities are available.
Configure apache2 to listen on port 443 (the default https port). The following stanza should be placed in ports.conf (if it exists) or directly beneath the existing 'Listen 80' line in httpd.conf
Listen 443
Enable mod_ssl in the apache configuration. If a2enmod is available you can do
a2enmod ssl
or create the symlink yourself
ln -s /etc/apache2/mods-available/ssl.* /etc/apache2/mods-enabled/
or add the following to the list of LoadModule directives in httpd.conf
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
Now we can create the SSL virtual host. Set up a NameVirtualHost directive and VirtualHost container for port 443 in sites-available/secure.mysite.com
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName secure.mysite.com
    DocumentRoot /my/ssl/document/root
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl.cert/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    SSLCertificateChainFile /etc/apache2/ssl.cert/my-ca.crt
    SSLCACertificateFile /etc/apache2/ssl.cert/my-ca.crt
</VirtualHost>
Enable the site in the apache2 configuration with either
a2ensite secure.mysite.com
or
ln -s /etc/apache2/sites-available/secure.mysite.com /etc/apache2/sites-enabled/
Restart apache2 with either
/etc/init.d/apache2 force-reload
or
apache2ctl restart
You could use
apache2ctl graceful
but I'm not sure that will pick up the new virtual host and SSL settings
You can now test the SSL certificate by opening a browser and surfing to
https://secure.mysite.com
You should receive a warning that the SSL certificate offered cannot be validated against a known certificate authority. In order to prevent this you can install your CA certificate (my-ca.crt, NOT my-ca.key) into the browser's trusted CA list. Once this is done you can browse the SSL site without warnings appearing.