SSL cert configuration for Apache on Debian

From Nick Jenkins

Walkthrough steps for creating and installing an SSL cert for Apache on Debian:

nano /etc/ssl/openssl.cnf

Edit the default answers in this file to the values I want, so they appear as the pre-filled defaults at the prompts below.

cd /etc/apache2/ssl
mkdir expired-cert
mv * expired-cert/
ls -Ral
t="/etc/apache2/ssl"
openssl req -nodes -new -keyout $t/server.key -out $t/server.csr
Generating a 1024 bit RSA private key
............................++++++
..........++++++
writing new private key to '/etc/apache2/ssl/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
string is too long, it needs to be less than  2 bytes long
Country Name (2 letter code) [AU]:
State or Province Name (full name) [NSW]:
Locality Name (eg, city) [City]:
Organization Name (eg, company) [Name Pty Ltd]:
Organizational Unit Name (eg, section) [Name Pty Ltd]:
Common Name (eg, YOUR name) [www.whatever.com.au]:
Email Address [webmaster@whatever.com.au]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
ls -al
total 20
drwxr-xr-x 3 root root 4096 2008-10-28 14:40 .
drwxr-xr-x 8 root root 4096 2008-10-27 18:06 ..
drwxr-xr-x 2 root root 4096 2008-10-28 14:39 expired-cert
-rw-r--r-- 1 root root  887 2008-10-28 14:40 server.key
-rw-r--r-- 1 root root  920 2008-10-28 14:40 server.csr
cat server.csr 
-----BEGIN CERTIFICATE REQUEST-----
MIICbzCCAdgCAQAwggEtMQswCQYDVQQGEwJBVTEMMAoGA1UECBMDTlNXMQ8wDQYD
VQQHEwZTeWRuZXkxGTAXBgNVBAoTEENhbGN1bGl4IFB0eSBMdGQxGTAXBgNVBAsT
EENhbGN1bGl4IFB0eSBMdGQxHDAaBgNVBAMTE3d3dy5leGFtcGxhbm5lci5jb20x
... etc ...
UPz8JE6QItc2NVysExZFKp4t41OikIZtZWDZeRMnFls8sJKAS6K9lm1D1kjnw+fB
TnnI
-----END CERTIFICATE REQUEST-----
nano server.crt    (paste in the certificate the CA issued for this CSR; the one below is a test certificate from a test CA)
cat server.crt
-----BEGIN CERTIFICATE-----
MIID/zCCA2igAwIBAgIPHI02ompZ1WT7DdJnx16mMA0GCSqGSIb3DQEBBQUAMIGH
MQswCQYDVQQGEwJaQTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMgT05M
WTEdMBsGA1UEChMUVGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRFU1Qg
VEVTVCBURVNUMRwwGgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTA4MTAy
... etc ...
yOXralljt7K1H5ysPfWYWsB7CgYxubH23r8KjlxGLmCRe048LQGn9dwcECFpsF4Z
E/FhK3YXzd+23wNnsXWhsFEdq3ctM/A3IYWWIIzxtC7BspsBhJZ8/4IGVPGbmQXa
5hlAy/4PgvARc+ZyA9N5cELf2g==
-----END CERTIFICATE-----
chmod 600 $t/{server.key,server.csr}
/etc/init.d/apache2 force-reload
Forcing reload of web server (apache2)...httpd (no pid file) not running

Once this is working, I can buy a certificate (e.g. from GoDaddy) and redo the server.crt step above with the real SSL cert.
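The same procedure as a script, added here as an example and not part of the original walkthrough: it generates the key and CSR non-interactively with -subj instead of editing openssl.cnf, self-signs the CSR as a stand-in for the CA step, and checks that the certificate actually matches the private key before Apache is reloaded. The directory, subject DN and hostnames are assumptions; the key size is 2048 bits rather than the 1024-bit default in the 2008 output above.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumed paths and DN values.
set -eu

# Generate an unencrypted RSA private key and a CSR in directory $1 with DN $2.
# -nodes leaves the key unencrypted so Apache can start unattended, which is
# exactly why the key file must be mode 0600 (as the page's chmod step does).
make_csr() {
    dir="$1"; subj="$2"
    mkdir -p "$dir"
    openssl req -nodes -new -newkey rsa:2048 -sha256 \
        -subj "$subj" \
        -keyout "$dir/server.key" -out "$dir/server.csr"
    chmod 600 "$dir/server.key" "$dir/server.csr"
}

# Stand-in for the CA step: self-sign the CSR so the checks below have a
# certificate to test. In real use server.crt is the file returned by the CA.
self_sign() {
    dir="$1"
    openssl x509 -req -days 30 -sha256 \
        -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt"
}

# Return 0 only if the public key in the cert matches the private key.
# Comparing modulus digests is the classic check for "wrong key file".
cert_matches_key() {
    crt="$1"; key="$2"
    c=$(openssl x509 -noout -modulus -in "$crt" | openssl dgst -sha256)
    k=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Print subject and expiry of a cert; fail if it has already expired.
cert_summary() {
    crt="$1"
    openssl x509 -noout -subject -enddate -in "$crt"
    openssl x509 -noout -checkend 0 -in "$crt" >/dev/null
}

# Demo run in a temporary directory (constructed sample values).
d=$(mktemp -d)
make_csr "$d" "/C=AU/ST=NSW/L=Sydney/O=Example Pty Ltd/CN=www.example.com"
openssl req -noout -text -in "$d/server.csr" | grep -E 'Subject:|Public-Key'
self_sign "$d"
if cert_matches_key "$d/server.crt" "$d/server.key"; then
    echo "server.crt matches server.key"
else
    echo "MISMATCH: do not reload Apache with this pair" >&2; exit 1
fi
cert_summary "$d/server.crt"
rm -rf "$d"
```

Run the cert_matches_key check against the real server.crt and server.key before the force-reload step: a certificate issued for a different CSR (for example one regenerated after the key was overwritten) loads without error in the files but fails this check, and Apache will refuse to start with it.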

To do

  • Multiple vhosts for one SSL cert. As at Oct-2008, this is still not working, even using the methods described at: http://wiki.cacert.org/wiki/VhostTaskForce (tried methods 1 and 2, and they did not work in Firefox 3).