Sunday, April 4, 2010

Ubuntu, Trusted SSL Certificate install in Apache

Generating the Private Key file:
su root
apt-get update
apt-get install ssl-cert
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/www.mydomainname.com.crt
When asked for the username, enter www.mydomainname.com
cat /etc/ssl/private/www.mydomainname.com.crt
As you can see, the file consists of two parts: the RSA private key and the certificate. We are interested in the private key part. Copy the part beginning with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY-----.
nano /etc/ssl/private/www.mydomainname.com.key
Paste the copied data and save your key file.
rm -f /etc/ssl/private/www.mydomainname.com.crt
mkdir /etc/ssl/csr
openssl req -new -key /etc/ssl/private/www.mydomainname.com.key -out /etc/ssl/csr/www.mydomainname.com.csr
You will get some questions to answer. Type your answers, but IMPORTANT: the "Common Name" must be the domain or hostname of your Virtual Host, e.g. www.mydomainname.com
Your new CSR file will be located here:
cat /etc/ssl/csr/www.mydomainname.com.csr
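The key and CSR steps above, scripted, as an added example that is not part of the original post: it splits the make-ssl-cert output into key and certificate files with awk instead of copying the BEGIN/END block by hand, sets owner-only permissions on the key file (the post does not do this; /etc/ssl/private is meant to be readable by root only), passes the Common Name with -subj instead of answering the prompts, and reads the Common Name back out of the finished CSR to check it against the virtual host name. The paths and hostname are the post's own example values; the function names and the -subj shortcut are this example's.

```shell
#!/bin/sh
# Added example for the key/CSR steps; not from the original post.
# Paths and hostname follow the post, function names are this example's own.
set -eu

# Split the combined file that make-ssl-cert writes (private key followed by a
# self-signed certificate) into a key file and a certificate file. Returns
# non-zero if either block was missing from the input.
split_pem() {
    sp_in=$1; sp_key=$2; sp_cert=$3
    : > "$sp_key"; : > "$sp_cert"
    awk -v keyout="$sp_key" -v certout="$sp_cert" '
        /^-----BEGIN .*PRIVATE KEY-----$/ { out = keyout }
        /^-----BEGIN CERTIFICATE-----$/   { out = certout }
        out != ""                          { print > out }
        /^-----END /                       { if (out != "") close(out); out = "" }
    ' "$sp_in"
    [ -s "$sp_key" ] && [ -s "$sp_cert" ]
}

# A private key under /etc/ssl/private must not be readable by other users.
# Sets owner-only permissions and fails if the file is still world-readable.
lock_down_key() {
    chmod 600 "$1"
    ! find "$1" -perm -004 | grep -q .
}

# Generate the CSR non-interactively. The Common Name is the field the post
# insists on, so it is passed with -subj; further fields (O, C, ...) can be
# appended to the -subj string if the CA wants them.
make_csr() {
    mc_host=$1; mc_key=$2; mc_csr=$3
    openssl req -new -key "$mc_key" -out "$mc_csr" -subj "/CN=$mc_host"
}

# Read the Common Name back out of a CSR. RFC 2253 formatting keeps the
# "subject=CN=..." output stable across OpenSSL versions.
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# Fail unless the CSR's Common Name is exactly the virtual host's name.
check_csr_host() {
    [ "$(csr_common_name "$2")" = "$1" ]
}

# Usage: sh thisscript.sh www.mydomainname.com
# Runs the whole sequence against the paths used in the post; the self-signed
# certificate part is discarded, as the post's rm step does.
if [ $# -ge 1 ]; then
    host=$1
    selfsigned=$(mktemp)
    split_pem "/etc/ssl/private/$host.crt" "/etc/ssl/private/$host.key" "$selfsigned"
    rm -f "$selfsigned" "/etc/ssl/private/$host.crt"
    lock_down_key "/etc/ssl/private/$host.key"
    mkdir -p /etc/ssl/csr
    make_csr "$host" "/etc/ssl/private/$host.key" "/etc/ssl/csr/$host.csr"
    check_csr_host "$host" "/etc/ssl/csr/$host.csr" && echo "CSR Common Name OK: $host"
fi
```

The check in check_csr_host is what the post's IMPORTANT warning is about: a CSR whose Common Name is not the virtual host's name produces a certificate that browsers will reject for that host, and it is cheaper to catch that before the CSR is sent to the CA than after the certificate has been issued.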
Now this new CSR file needs to be submitted to a Certificate Authority (CA) like Thawte/Verisign. After you receive your new certificate from the CA, install it as follows:

Open your new certificate you just received and copy the part beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----
nano /etc/ssl/certs/www.mydomainname.com.pem
Paste the copied data and save your pem file.
/etc/init.d/apache2 restart
Your new Trusted Certificate is now installed and should be working. Should your CA request that a certificate chain file or intermediate certificate be installed, you can do the following:

Copy the chain file, given by your CA, to, for example, the /etc/ssl/certs/ directory on your server. Let's assume the chain filename is CAchainFile.pem
nano /etc/apache2/sites-available/www.mydomainname.com-ssl
In the SSLCertificate section, change or add the following:

SSLCertificateChainFile /etc/ssl/certs/CAchainFile.pem

Apache needs to be restarted after this change:
/etc/init.d/apache2 restart
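Checks worth running between saving the certificate and restarting Apache, as an added example that is not part of the original post. The post writes the certificate to /etc/ssl/certs but never shows the SSLCertificateFile and SSLCertificateKeyFile directives that point Apache at it; the script below reads those directives (and SSLCertificateChainFile, if present) out of the vhost file and confirms each names an existing file and that the key is not world-readable, confirms that the certificate the CA returned really belongs to the private key, verifies the certificate against the CA's chain file and the system's trusted roots, and runs apache2ctl configtest before the restart so a typo in the vhost cannot take the site down. The vhost path, certificate paths and chain file name are the post's example values; the function names are this example's.

```shell
#!/bin/sh
# Added example: pre-restart checks for a new certificate. Not from the
# original post; paths follow the post, function names are this example's own.
set -eu

# Read one directive's value from an Apache vhost file
# (first occurrence, leading whitespace ignored).
vhost_directive() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Every file the vhost references must exist, and the key must not be
# readable by other users (mod_ssl only needs root to read it at startup).
check_vhost_paths() {
    cv_vhost=$1
    cv_cert=$(vhost_directive "$cv_vhost" SSLCertificateFile)
    cv_key=$(vhost_directive "$cv_vhost" SSLCertificateKeyFile)
    cv_chain=$(vhost_directive "$cv_vhost" SSLCertificateChainFile)
    [ -n "$cv_cert" ] && [ -f "$cv_cert" ] \
        || { echo "SSLCertificateFile missing or not found: '$cv_cert'" >&2; return 1; }
    [ -n "$cv_key" ] && [ -f "$cv_key" ] \
        || { echo "SSLCertificateKeyFile missing or not found: '$cv_key'" >&2; return 1; }
    if [ -n "$cv_chain" ] && [ ! -f "$cv_chain" ]; then
        echo "SSLCertificateChainFile not found: $cv_chain" >&2; return 1
    fi
    if find "$cv_key" -perm -004 | grep -q .; then
        echo "private key $cv_key is world-readable" >&2; return 1
    fi
}

# The certificate returned by the CA must have been issued for our key:
# compare the public key embedded in the certificate with the public key
# derived from the private key.
key_matches_cert() {
    km_from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    km_from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$km_from_key" ] && [ "$km_from_key" = "$km_from_cert" ]
}

# Build the chain from the CA's intermediates (-untrusted) up to a root in the
# system trust store, and make sure the certificate is not already expired.
verify_chain() {
    openssl verify -untrusted "$2" "$1" >/dev/null \
        && openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Only restart when the configuration parses.
safe_restart() {
    apache2ctl configtest && /etc/init.d/apache2 restart
}

# Usage: sh thisscript.sh /etc/apache2/sites-available/www.mydomainname.com-ssl
if [ $# -ge 1 ]; then
    vhost=$1
    check_vhost_paths "$vhost"
    cert=$(vhost_directive "$vhost" SSLCertificateFile)
    key=$(vhost_directive "$vhost" SSLCertificateKeyFile)
    chain=$(vhost_directive "$vhost" SSLCertificateChainFile)
    key_matches_cert "$key" "$cert" \
        || { echo "certificate $cert does not match private key $key" >&2; exit 1; }
    [ -z "$chain" ] || verify_chain "$cert" "$chain"
    safe_restart
fi
```

If the CA's root is not in the system trust store (which is the case for some of the free CAs listed below on many clients), verify_chain fails with an "unable to get issuer certificate" message; that is the same failure a visitor's browser would report, so it is worth knowing before the restart rather than after.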
Free Trusted Certificate Authorities:
http://cert.startcom.org
http://www.cacert.org