SSL cert configuration for Apache on Debian
From Nick Jenkins
Walkthrough steps for creating and installing an SSL cert for Apache on Debian:
nano /etc/ssl/openssl.cnf
Set the default answers I want for the DN prompts (country, state, organisation, and so on) so they are pre-filled when generating the request.
cd /etc/apache2/ssl
mkdir expired-cert
mv * expired-cert/
ls -Ral
t="/etc/apache2/ssl"
openssl req -nodes -new -keyout $t/server.key -out $t/server.csr
Generating a 1024 bit RSA private key
............................++++++
..........++++++
writing new private key to '/etc/apache2/ssl/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [AU]:
State or Province Name (full name) [NSW]:
Locality Name (eg, city) [City]:
Organization Name (eg, company) [Name Pty Ltd]:
Organizational Unit Name (eg, section) [Name Pty Ltd]:
Common Name (eg, YOUR name) [www.whatever.com.au]:
Email Address [webmaster@whatever.com.au]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
ls -al
total 20
drwxr-xr-x 3 root root 4096 2008-10-28 14:40 .
drwxr-xr-x 8 root root 4096 2008-10-27 18:06 ..
drwxr-xr-x 2 root root 4096 2008-10-28 14:39 expired-cert
-rw-r--r-- 1 root root  887 2008-10-28 14:40 server.key
-rw-r--r-- 1 root root  920 2008-10-28 14:40 server.csr
cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICbzCCAdgCAQAwggEtMQswCQYDVQQGEwJBVTEMMAoGA1UECBMDTlNXMQ8wDQYD
VQQHEwZTeWRuZXkxGTAXBgNVBAoTEENhbGN1bGl4IFB0eSBMdGQxGTAXBgNVBAsT
EENhbGN1bGl4IFB0eSBMdGQxHDAaBgNVBAMTE3d3dy5leGFtcGxhbm5lci5jb20x
... etc ...
UPz8JE6QItc2NVysExZFKp4t41OikIZtZWDZeRMnFls8sJKAS6K9lm1D1kjnw+fB
TnnI
-----END CERTIFICATE REQUEST-----
- Go to: https://www.thawte.com/cgi/server/try.exe
- Choose "SSL123 Certificate (All servers)"
- Paste in the contents of server.csr
- Thawte returns the certificate; its contents go into server.crt, created below:
nano server.crt
cat server.crt
-----BEGIN CERTIFICATE-----
MIID/zCCA2igAwIBAgIPHI02ompZ1WT7DdJnx16mMA0GCSqGSIb3DQEBBQUAMIGH
MQswCQYDVQQGEwJaQTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05M
WTEdMBsGA1UEChMUVGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1Qg
VEVTVCBURVNUMRwwGgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTA4MTAy
... etc ...
yOXralljt7K1H5ysPfWYWsB7CgYxubH23r8KjlxGLmCRe048LQGn9dwcECFpsF4Z
E/FhK3YXzd+23wNnsXWhsFEdq3ctM/A3IYWWIIzxtC7BspsBhJZ8/4IGVPGbmQXa
5hlAy/4PgvARc+ZyA9N5cELf2g==
-----END CERTIFICATE-----
chmod 600 $t/{server.key,server.csr}
/etc/init.d/apache2 force-reload
Forcing reload of web server (apache2)...httpd (no pid file) not running
Once this is working, buy a real certificate (e.g. from GoDaddy) and repeat the server.crt step with the certificate the CA issues.
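The key/CSR step above done non-interactively, together with the checks worth running before the force-reload. This is an added example, not part of Nick Jenkins' notes: it assumes a hypothetical SSL_DIR variable (defaulting to a temp directory so it runs anywhere, where the page uses /etc/apache2/ssl), uses placeholder subject values, and stands in a 30-day self-signed certificate for the CA-issued server.crt so the checks can run offline. The key size is 2048 bits rather than the 1024 shown in the output above, since 1024-bit RSA is no longer accepted by CAs or browsers.

```shell
#!/bin/sh
# Added example, not from the original page: non-interactive key/CSR generation plus
# the checks to run before force-reloading Apache.
# Assumption: SSL_DIR (hypothetical) is the Apache SSL directory; unset -> temp dir.
set -eu
t="${SSL_DIR:-$(mktemp -d)}"

# Generate key and CSR in one go. -subj replaces the interactive DN prompts (placeholder
# values); rsa:2048 because 1024-bit keys are rejected by modern CAs and browsers;
# -nodes leaves the key unencrypted so Apache can start unattended.
gen_key_and_csr() {
  openssl req -nodes -new -newkey rsa:2048 \
    -keyout "$t/server.key" -out "$t/server.csr" \
    -subj "/C=AU/ST=NSW/L=Sydney/O=Example Pty Ltd/CN=www.example.com.au" 2>/dev/null
  chmod 600 "$t/server.key" "$t/server.csr"
}

# Stand-in for the CA-issued server.crt so the checks below run offline: a 30-day
# self-signed cert made from the same CSR. A real deployment pastes the CA's cert here.
sign_test_cert() {
  openssl x509 -req -days 30 -in "$t/server.csr" \
    -signkey "$t/server.key" -out "$t/server.crt" 2>/dev/null
}

# Returns 0 when the CSR ($2) was produced from private key ($1): same RSA modulus.
csr_matches_key() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
  r=$(openssl req -noout -modulus -in "$2" 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$r" ]
}

# Returns 0 when the certificate ($2) was issued for private key ($1). Apache refuses to
# start with a "key values mismatch" error when a cert for a different CSR is pasted in.
cert_matches_key() {
  k=$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null)
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Returns 0 when the key is readable by its owner only (mode 600), as the page's chmod sets.
key_perms_ok() {
  [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Reload only after the config parses, so a bad SSL stanza does not take the site down.
# Needs a Debian host with apache2 installed; not exercised by the checks above.
reload_apache() {
  apache2ctl configtest && /etc/init.d/apache2 force-reload
}

# Stand-alone run: ./ssl-check.sh run
if [ "${1:-}" = "run" ]; then
  gen_key_and_csr
  sign_test_cert
  csr_matches_key  "$t/server.key" "$t/server.csr" && echo "CSR matches key"
  cert_matches_key "$t/server.key" "$t/server.crt" && echo "cert matches key"
  key_perms_ok     "$t/server.key"                 && echo "key permissions ok"
  echo "files written to $t"
fi
```

When the real certificate comes back from the CA, run cert_matches_key against server.key before reload_apache; a mismatch there is almost always a certificate issued for an older CSR (for example one of the files moved into expired-cert above).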
To do
- Multiple vhosts for one SSL cert. As at Oct-2008, this is still not working, even using the methods described at: http://wiki.cacert.org/wiki/VhostTaskForce (tried methods 1 and 2, and they did not work in Firefox 3).