
How To Set Up An SSL Vhost Under Apache2 On Ubuntu 9.10/Debian Lenny


This article explains how you can set up an SSL vhost under Apache2 on Ubuntu 9.10 and Debian Lenny so that you can access the vhost over HTTPS (port 443). SSL is short for Secure Sockets Layer; it is a cryptographic protocol that secures communications over networks by encrypting network connections end-to-end at the transport layer. We use the mod_ssl Apache module here to provide strong cryptography for Apache2 via SSL with the help of the Open Source SSL toolkit OpenSSL.

This document comes without warranty of any kind! I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

I’m assuming that you have a working LAMP setup on your Ubuntu 9.10 or Debian Lenny box, as shown in these tutorials:

  • Installing Apache2 With PHP5 And MySQL Support On Debian Lenny (LAMP)
  • Installing Apache2 With PHP5 And MySQL Support On Ubuntu 9.10 (LAMP)

I will set up SSL for my vhost www.hostmauritius.com in this tutorial – hostmauritius.com is a domain that I own – replace it with your own domain. I will show how to use a self-signed certificate (this will result in a browser warning when you access https://www.hostmauritius.com) and how to get a certificate from a trusted certificate authority (CA) such as Verisign, Thawte, Comodo, etc. – with a certificate from a trusted CA, your visitors won’t see the browser warnings that a self-signed certificate causes. I will use a certificate from CAcert.org – these certificates are free but are not recognized by all browsers; still, it should give you the idea of how to install a certificate from a trusted CA.

It is important to know that you can have just one SSL vhost per IP address – if you want to host multiple SSL vhosts, you need multiple IP addresses!

I’m running all the steps in this tutorial with root privileges, so make sure you’re logged in as root. On Ubuntu, run

sudo su

to become the root user.

 

2 Enabling mod_ssl

To enable Apache’s SSL module, run…

a2enmod ssl

… and restart Apache:

/etc/init.d/apache2 restart

Apache should now be listening on port 443 (HTTPS):

netstat -tap | grep https

root@server1:~# netstat -tap | grep https
tcp6       0      0 [::]:https              [::]:*                  LISTEN      1238/apache2
root@server1:~#

 

3 Setting Up The Vhost

I will now create the vhost www.hostmauritius.com with the document root /var/www/www.hostmauritius.com. First I create that directory:

mkdir /var/www/www.hostmauritius.com

Apache comes with a default SSL vhost configuration in the file /etc/apache2/sites-available/default-ssl. We use that file as a template for the www.hostmauritius.com vhost…

cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/www.hostmauritius.com-ssl

… and open /etc/apache2/sites-available/www.hostmauritius.com-ssl:

vi /etc/apache2/sites-available/www.hostmauritius.com-ssl

Make sure you use the correct IP address in the <VirtualHost xxx.xxx.xxx.xxx:443> line (192.168.0.100 in this example); also fill in the correct ServerAdmin email address and add the ServerName line. Adjust the paths in the DocumentRoot line and in the <Directory > directives, if necessary:

<IfModule mod_ssl.c>
<VirtualHost 192.168.0.100:443>
        ServerAdmin webmaster@hostmauritius.com
        ServerName www.hostmauritius.com:443
        DocumentRoot /var/www/www.hostmauritius.com
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/www.hostmauritius.com/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>
        ErrorLog /var/log/apache2/error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        CustomLog /var/log/apache2/ssl_access.log combined
        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on
        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        #   Server Certificate Chain:
        #   Point SSLCertificateChainFile at a file containing the
        #   concatenation of PEM encoded CA certificates which form the
        #   certificate chain for the server certificate. Alternatively
        #   the referenced file can be the same as SSLCertificateFile
        #   when the CA certificates are directly appended to the server
        #   certificate for convinience.
        #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
        #   Certificate Authority (CA):
        #   Set the CA certificate verification path where to find CA
        #   certificates for client authentication or alternatively one
        #   huge file containing all of them (file must be PEM encoded)
        #   Note: Inside SSLCACertificatePath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        #SSLCACertificatePath /etc/ssl/certs/
        #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
        #   Certificate Revocation Lists (CRL):
        #   Set the CA revocation path where to find CA CRLs for client
        #   authentication or alternatively one huge file containing all
        #   of them (file must be PEM encoded)
        #   Note: Inside SSLCARevocationPath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        #SSLCARevocationPath /etc/apache2/ssl.crl/
        #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
        #   Client Authentication (Type):
        #   Client certificate verification type and depth.  Types are
        #   none, optional, require and optional_no_ca.  Depth is a
        #   number which specifies how deeply to verify the certificate
        #   issuer chain before deciding the certificate is not valid.
        #SSLVerifyClient require
        #SSLVerifyDepth  10
        #   Access Control:
        #   With SSLRequire you can do per-directory access control based
        #   on arbitrary complex boolean expressions containing server
        #   variable checks and other lookup directives.  The syntax is a
        #   mixture between C and Perl.  See the mod_ssl documentation
        #   for more details.
        #<Location />
        #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
        #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
        #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
        #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
        #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
        #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
        #</Location>
        #   SSL Engine Options:
        #   Set various options for the SSL engine.
        #   o FakeBasicAuth:
        #     Translate the client X.509 into a Basic Authorisation.  This means that
        #     the standard Auth/DBMAuth methods can be used for access control.  The
        #     user name is the `one line' version of the client's X.509 certificate.
        #     Note that no password is obtained from the user. Every entry in the user
        #     file needs this password: `xxj31ZMTZzkVA'.
        #   o ExportCertData:
        #     This exports two additional environment variables: SSL_CLIENT_CERT and
        #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
        #     server (always existing) and the client (only existing when client
        #     authentication is used). This can be used to import the certificates
        #     into CGI scripts.
        #   o StdEnvVars:
        #     This exports the standard SSL/TLS related `SSL_*' environment variables.
        #     Per default this exportation is switched off for performance reasons,
        #     because the extraction step is an expensive operation and is usually
        #     useless for serving static content. So one usually enables the
        #     exportation for CGI and SSI requests only.
        #   o StrictRequire:
        #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
        #     under a "Satisfy any" situation, i.e. when it applies access is denied
        #     and no other module can change it.
        #   o OptRenegotiate:
        #     This enables optimized SSL connection renegotiation handling when SSL
        #     directives are used in per-directory context.
        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
        #   SSL Protocol Adjustments:
        #   The safe and default but still SSL/TLS standard compliant shutdown
        #   approach is that mod_ssl sends the close notify alert but doesn't wait for
        #   the close notify alert from client. When you need a different shutdown
        #   approach you can use one of the following variables:
        #   o ssl-unclean-shutdown:
        #     This forces an unclean shutdown when the connection is closed, i.e. no
        #     SSL close notify alert is send or allowed to received.  This violates
        #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
        #     this when you receive I/O errors because of the standard approach where
        #     mod_ssl sends the close notify alert.
        #   o ssl-accurate-shutdown:
        #     This forces an accurate shutdown when the connection is closed, i.e. a
        #     SSL close notify alert is send and mod_ssl waits for the close notify
        #     alert of the client. This is 100% SSL/TLS standard compliant, but in
        #     practice often causes hanging connections with brain-dead browsers. Use
        #     this only for browsers where you know that their SSL implementation
        #     works correctly.
        #   Notice: Most problems of broken clients are also related to the HTTP
        #   keep-alive facility, so you usually additionally want to disable
        #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
        #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
        #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
        #   "force-response-1.0" for this.
        BrowserMatch ".*MSIE.*" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>

As you see, this vhost uses the default self-signed snakeoil certificate that comes with Ubuntu/Debian:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

Now disable the default SSL vhost (if it is enabled), enable the www.hostmauritius.com vhost and reload Apache:

a2dissite default-ssl
a2ensite www.hostmauritius.com-ssl
/etc/init.d/apache2 reload

Now open a browser and go to your new SSL vhost (https://www.hostmauritius.com in this case). Because we are using Debian’s/Ubuntu’s default self-signed certificates, we should get a warning that the connection is untrusted (to use that web site anyway, click on I Understand the Risks and follow the instructions in your browser):

[Screenshot 1]

4 Creating A Self-Signed Certificate

Until now, we’ve used Debian’s/Ubuntu’s default self-signed certificate. I will now show you how to create your own self-signed certificate. With this certificate, you will still get browser warnings, but this certificate is required to get a trusted certificate from a trusted CA later on.

Make sure that the package ssl-cert is installed:

aptitude install ssl-cert

You can now create a self-signed certificate for www.hostmauritius.com as follows:

make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/www.hostmauritius.com.crt

You will be asked for the hostname:

Host name: <– www.hostmauritius.com

This will create the self-signed certificate and the private key in one file, /etc/ssl/private/www.hostmauritius.com.crt:

cat /etc/ssl/private/www.hostmauritius.com.crt


I will now split that file into two, the private key /etc/ssl/private/www.hostmauritius.com.key and the self-signed certificate /etc/ssl/certs/www.hostmauritius.com.pem:

vi /etc/ssl/private/www.hostmauritius.com.key

This file must contain the part beginning with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY-----.

The key must be readable and writable by root only:

chmod 600 /etc/ssl/private/www.hostmauritius.com.key

vi /etc/ssl/certs/www.hostmauritius.com.pem

This file must contain the part beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.

Now we can delete the /etc/ssl/private/www.hostmauritius.com.crt file:

rm -f /etc/ssl/private/www.hostmauritius.com.crt

Next we adjust our SSL vhost to use the new private key and the self-signed certificate:

vi /etc/apache2/sites-available/www.hostmauritius.com-ssl

[...]
        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        SSLCertificateFile    /etc/ssl/certs/www.hostmauritius.com.pem
        SSLCertificateKeyFile /etc/ssl/private/www.hostmauritius.com.key
[...]

Reload Apache:

/etc/init.d/apache2 reload

The SSL vhost will now use your new private key and self-signed certificate for encryption (but because it is a self-signed certificate, you will still get the browser warning when you access https://www.hostmauritius.com).
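
The splitting done above by hand in vi can be scripted. The following is an added example (not part of the original article): it copies the key block and the certificate block out of the combined file that make-ssl-cert writes, creates the key file with a restrictive umask so it is 0600 from the start, and refuses to overwrite an existing key. Paths are parameters; nothing is embedded.

```shell
#!/bin/sh
# Added example (not part of the original article): split the combined
# key+certificate file written by make-ssl-cert into a private key file and
# a certificate file, as the manual vi steps above do, without the key ever
# being readable by other users. Paths are parameters; nothing is embedded.
set -eu

# split_pem COMBINED KEY_OUT CERT_OUT
# Copies the "RSA PRIVATE KEY" block to KEY_OUT (mode 0600) and the
# "CERTIFICATE" block to CERT_OUT (mode 0644). Returns 1 if the input is
# unreadable, does not hold exactly one of each, or KEY_OUT already exists.
split_pem() {
    combined=$1 key_out=$2 cert_out=$3
    if [ ! -r "$combined" ]; then
        echo "cannot read $combined" >&2
        return 1
    fi
    # Refuse to clobber an existing key: an overwritten key is unrecoverable.
    if [ -e "$key_out" ]; then
        echo "refusing to overwrite $key_out" >&2
        return 1
    fi
    nkeys=$(grep -c -- '-----BEGIN RSA PRIVATE KEY-----' "$combined" || true)
    ncerts=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$combined" || true)
    if [ "$nkeys" -ne 1 ] || [ "$ncerts" -ne 1 ]; then
        echo "expected one key and one certificate, found $nkeys/$ncerts" >&2
        return 1
    fi
    # umask 077 makes the key file 0600 from the moment it is created, so
    # there is no window between creation and chmod in which others can read it.
    ( umask 077
      awk '/-----BEGIN RSA PRIVATE KEY-----/{p=1} p{print} /-----END RSA PRIVATE KEY-----/{p=0}' \
          "$combined" > "$key_out" )
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}' \
        "$combined" > "$cert_out"
    chmod 0644 "$cert_out"
}

# Usage for the files named in this article (commented out so that running
# the script as-is touches nothing under /etc):
# split_pem /etc/ssl/private/www.hostmauritius.com.crt \
#           /etc/ssl/private/www.hostmauritius.com.key \
#           /etc/ssl/certs/www.hostmauritius.com.pem
```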

5 Creating A Certificate Signing Request (CSR)

To request a trusted certificate from a CA such as Verisign, Thawte or Comodo, we must generate a certificate signing request (CSR) from our private key and send it to the CA. The CA then issues a trusted certificate from it, with which we replace our self-signed certificate.

I will create the CSR in the directory /etc/ssl/csr, so we have to create it first:

mkdir /etc/ssl/csr

Now we can create the CSR /etc/ssl/csr/www.hostmauritius.com.csr from our private key /etc/ssl/private/www.hostmauritius.com.key as follows:

openssl req -new -key /etc/ssl/private/www.hostmauritius.com.key -out /etc/ssl/csr/www.hostmauritius.com.csr

You will be asked a few questions. Please fill in your details; they will be used for creating the trusted certificate and can be seen by your visitors when they choose to view the details of your certificate in their browsers. The most important thing is the Common Name – this must be the domain or hostname of your SSL vhost (www.hostmauritius.com in this case)!

root@server1:~# openssl req -new -key /etc/ssl/private/www.hostmauritius.com.key -out /etc/ssl/csr/www.hostmauritius.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <– DE
State or Province Name (full name) [Some-State]: <– Lower Saxony
Locality Name (eg, city) []: <– Lueneburg
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <– Example Ltd
Organizational Unit Name (eg, section) []: <– IT
Common Name (eg, YOUR name) []: <– www.hostmauritius.com
Email Address []: <– falko.timme@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <– ENTER
An optional company name []: <– ENTER
root@server1:~#

Afterwards, you should have a CSR in /etc/ssl/csr/www.hostmauritius.com.csr, e.g. as follows:

cat /etc/ssl/csr/www.hostmauritius.com.csr

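
The key, self-signed certificate and CSR of chapters 4 and 5 can also be produced with openssl alone, and the CSR checked before it leaves the server. The following is an added example (not the article's own commands): openssl genrsa and openssl req -x509 stand in for make-ssl-cert, the DN is passed with -subj using the sample answers shown in the prompts above, and two checks confirm that the CSR's Common Name is the vhost name and that key, certificate and CSR share one public key (a CA-issued certificate for a CSR made from a different key will not load with your SSLCertificateKeyFile).

```shell
#!/bin/sh
# Added example (not the article's own commands): create a vhost's private
# key, self-signed certificate and CSR with openssl directly instead of
# make-ssl-cert, then check, before the CSR is sent to the CA, that its
# Common Name is really the vhost name and that key, certificate and CSR
# share one public key. The subject fields are the sample values answered
# in the prompts above; paths are parameters.
set -eu

# make_vhost_material FQDN OUTDIR
# Writes OUTDIR/FQDN.key (0600), OUTDIR/FQDN.pem (self-signed, one year)
# and OUTDIR/FQDN.csr. -subj supplies the DN without interactive prompts.
make_vhost_material() {
    fqdn=$1 dir=$2
    subj="/C=DE/ST=Lower Saxony/L=Lueneburg/O=Example Ltd/OU=IT/CN=$fqdn"
    # umask 077: the key is created 0600, never world-readable even briefly.
    ( umask 077; openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null )
    # Self-signed certificate, used until the CA-issued one replaces it.
    openssl req -new -x509 -days 365 -key "$dir/$fqdn.key" \
        -subj "$subj" -out "$dir/$fqdn.pem"
    # CSR from the same key: this is what goes to the CA.
    openssl req -new -key "$dir/$fqdn.key" -subj "$subj" -out "$dir/$fqdn.csr"
}

# csr_common_name CSR -> prints the CN from the CSR's subject
# (handles both the "CN = x" and the "/CN=x" subject formats of openssl req).
csr_common_name() {
    openssl req -noout -subject -in "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# csr_matches_vhost CSR FQDN -> 0 only if the CSR's CN equals FQDN
csr_matches_vhost() {
    [ "$(csr_common_name "$1")" = "$2" ]
}

# key_cert_csr_consistent KEY CERT CSR -> 0 only if all three carry the
# same RSA modulus, i.e. the certificate the CA returns for this CSR will
# be usable with this key in SSLCertificateKeyFile.
key_cert_csr_consistent() {
    k=$(openssl rsa -noout -modulus -in "$1")
    c=$(openssl x509 -noout -modulus -in "$2")
    r=$(openssl req -noout -modulus -in "$3")
    [ "$k" = "$c" ] && [ "$c" = "$r" ]
}

# Usage for this article's vhost (commented out so that running the script
# as-is creates nothing under /etc):
# make_vhost_material www.hostmauritius.com /etc/ssl/private
# csr_matches_vhost /etc/ssl/private/www.hostmauritius.com.csr www.hostmauritius.com
```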

 

6 Getting A Trusted Certificate

To get a trusted certificate, you have to take your certificate signing request (CSR) to a certificate authority (CA) such as Verisign, Thawte, or Comodo (please note that you have to pay for a trusted certificate). Certificates issued by such a CA are trusted by all browsers which means you won’t see any browser warnings anymore.

CAcert.org allows you to get free certificates, but the downside is that such certificates are trusted by only a few browsers (which means you will get browser warnings). Anyway, I will use CAcert.org here to show you how to get a certificate from a CA – it should give you the idea; the procedure is the same with the trusted CAs.

Go to CAcert.org and open an account. Afterwards, go to Domains to add your own domain(s) (without a hostname, so if you want to get a certificate for www.hostmauritius.com, you just enter hostmauritius.com without www here). The service will send an email with a link to an email address that it finds in the WHOIS data of the domain – you have to click on that link to verify that you are the owner of the domain. I’ve verified three domains here:

[Screenshot 2]

To get a certificate, go to Server Certificates > New

[Screenshot 3]

… and scroll down to the big text area – this is where you paste your CSR that you’ve created in chapter 5. Click on Submit afterwards:

[Screenshot 4]

Click on Submit again on the next page:

[Screenshot 5]

After a few moments, you will see your new certificate:

[Screenshot 6]

Now create a backup of your self-signed certificate…

cp /etc/ssl/certs/www.hostmauritius.com.pem /etc/ssl/certs/www.hostmauritius.com.pem_bak

…, then empty your self-signed certificate file…

> /etc/ssl/certs/www.hostmauritius.com.pem

… and open the empty certificate file:

vi /etc/ssl/certs/www.hostmauritius.com.pem

Now copy and paste the certificate from the CAcert.org page into the empty file (everything from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----, inclusive).

Restart Apache:

/etc/init.d/apache2 restart

That’s it, if your CA doesn’t ask you to install a certificate chain file or intermediate certificate in Apache, you’re done, and you can now access your SSL vhost (https://www.hostmauritius.com in this case) without a browser warning. (If you use a CAcert.org certificate, you will still see a browser warning as most browsers don’t know this CA – read chapter 7 to learn how to make your browser trust CAcert.org certificates).

To manage your existing certificates on the CAcert.org web site, go to Server Certificates > View:

[Screenshot 7]

6.1 Certificate Chain Files Or Intermediate Certificates

Some CAs require that you install a certificate chain file or intermediate certificate in Apache (in addition to the certificate that you installed in chapter 6). Please note that CAcert.org does not require this!

These CAs usually have instructions on their web sites on how to do this. Basically it works like this: you download the certificate chain file or intermediate certificate to your server (e.g. to the /etc/ssl/certs/ directory; I name my certificate chain file CAcert_chain.pem here, so the full path is /etc/ssl/certs/CAcert_chain.pem), then you open your SSL vhost configuration…

vi /etc/apache2/sites-available/www.hostmauritius.com-ssl

… and add/enable the SSLCertificateChainFile directive in it:

[...]
        SSLCertificateFile    /etc/ssl/certs/www.hostmauritius.com.pem
        SSLCertificateKeyFile /etc/ssl/private/www.hostmauritius.com.key

        #   Server Certificate Chain:
        #   Point SSLCertificateChainFile at a file containing the
        #   concatenation of PEM encoded CA certificates which form the
        #   certificate chain for the server certificate. Alternatively
        #   the referenced file can be the same as SSLCertificateFile
        #   when the CA certificates are directly appended to the server
        #   certificate for convinience.
        SSLCertificateChainFile /etc/ssl/certs/CAcert_chain.pem
[...]

Restart Apache afterwards:

/etc/init.d/apache2 restart

7 Configure Firefox To Trust CAcert.org (Optional)

If you use a CAcert.org certificate, your browser most likely doesn’t trust this certificate and will show a warning. This chapter explains how you can import the CAcert.org root certificate into Firefox so that it won’t show this warning anymore (please read http://wiki.cacert.org/BrowserClients for other browsers like MSIE, Safari or Opera).

Please note that if you run an e-commerce web site, you should buy a certificate from a trusted CA instead, because you can’t ask all your visitors to reconfigure their browsers.

Please visit http://www.cacert.org/index.php?id=3 and click on the Root Certificate (PEM Format) link (http://www.cacert.org/certs/root.crt):

[Screenshot 8]

The Downloading Certificate dialogue opens. Click on View to examine the certificate:

[Screenshot 9]

Please make sure that the fingerprints are as follows:

SHA1 Fingerprint: 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33
MD5 Fingerprint: A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B

Click on Close afterwards:

[Screenshot 10]

Next check Trust this CA to identify web sites and click on OK:

[Screenshot 11]

Now go to Tools > Options…

[Screenshot 12]

… and then to Advanced > Encryption. Click on Revocation Lists:

[Screenshot 13]

The Manage CRLs window opens. Click on Import…:

[Screenshot 14]

Fill in the following URL and click on OK: http://crl.cacert.org/revoke.crl

[Screenshot 15]

After a few moments you should see the following message. Click on Yes to enable automatic updates:

[Screenshot 16]

Check Enable Automatic Update for this CRL and click on OK:

[Screenshot 17]

That’s it. You should now be able to go to your SSL vhost without getting a browser warning:

[Screenshot 18]
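
Two of the steps above deserve a check from the command line: that the chain file of chapter 6.1 really links your server certificate to the CA's root, and that a downloaded root certificate (chapter 7) has the fingerprint the CA publishes before you tell a browser to trust it. The following is an added example (not from the article) that does both with openssl; it accepts either fingerprint notation shown above, and the file name cacert_root.pem in the usage lines is an assumption, not a file the article creates.

```shell
#!/bin/sh
# Added example (not from the article): two checks to run before trusting
# certificate material. verify_chain confirms that the server certificate
# really chains through the intermediate(s) in SSLCertificateChainFile to
# the CA's root (chapter 6.1); fingerprint_matches compares a downloaded
# root certificate with the fingerprint the CA publishes (chapter 7),
# accepting either notation shown above ("135C EC36 ..." or "A6:1B:...").
# All paths are parameters; no real CAcert.org material is embedded, and
# the file name cacert_root.pem in the usage lines is an assumption.
set -eu

# verify_chain ROOT_PEM CHAIN_PEM SERVER_PEM
# ROOT_PEM: the trust anchor you checked out of band; CHAIN_PEM: the
# intermediate(s) the CA told you to install; SERVER_PEM: your certificate.
# Returns 0 only if ROOT -> CHAIN -> SERVER is a valid, unexpired path.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# normalize_fp FINGERPRINT -> upper-case hex without spaces or colons, so
# "13 5C ..." and "13:5c:..." compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}

# cert_fingerprint CERT_PEM ALGO -> hex fingerprint of the certificate
# (ALGO is sha1 or md5, the two the CA page above lists).
cert_fingerprint() {
    openssl x509 -noout -fingerprint "-$2" -in "$1" | sed 's/^[^=]*=//' | tr -d ':'
}

# fingerprint_matches CERT_PEM ALGO EXPECTED -> 0 only if they agree
fingerprint_matches() {
    [ "$(normalize_fp "$(cert_fingerprint "$1" "$2")")" = "$(normalize_fp "$3")" ]
}

# Usage with this article's file names (commented out so that running the
# script as-is does nothing; cacert_root.pem is an assumed name):
# verify_chain /etc/ssl/certs/cacert_root.pem /etc/ssl/certs/CAcert_chain.pem \
#     /etc/ssl/certs/www.hostmauritius.com.pem && echo "chain OK"
# fingerprint_matches /etc/ssl/certs/cacert_root.pem sha1 \
#     "135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33" && echo "root OK"
```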

  • Apache: http://httpd.apache.org/
  • mod_ssl: http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
  • OpenSSL: http://www.openssl.org/
  • CACert.org: http://www.cacert.org/
  • Ubuntu: http://www.ubuntu.com/
  • Debian: http://www.debian.org/
