SSL: Difference between revisions
From code/src wiki
Created page with "== Creating a self-signed certificate for Apache == * Create the cert, and copy it to the standard location <pre> # Change "site" to match your domain. eg. site=codesrc; export s…" |
No edit summary |
||
Line 1: | Line 1: | ||
== Obtaining a free SSL certificate == | |||
The following Certificate Authorities offer free domain-validated certificates that are accepted by the majority of web browsers. | |||
* [https://www.godaddy.com/ssl/ssl-open-source.aspx godaddy] offers certs for open source projects. | |||
* [http://www.startssl.com/ startssl] offers free certs to everyone. | |||
== Creating a self-signed certificate for Apache == | == Creating a self-signed certificate for Apache == | ||
* Create the cert, and copy it to the standard location | * Create the cert, and copy it to the standard location. | ||
** You will be prompted for Country, State/Province, Locality, Organization, Organization Unit, Common Name (CN), and Email Address. | |||
** Enter the web hosts authority for the CN, as it will be used by users to access your site. (eg. "www.codesrc.com") A FQDN not required - a DNS CNAME should be entered, if this is the normal method of accessing the site. (eg. www.codesrc.com is a CNAME for webhost.codesrc.com). | |||
** DO NOT enter "YOUR name" into the CN field, as prompted by openssl. | |||
<pre> | <pre> | ||
# Change "site" to match your domain. eg. site=codesrc; export site | # Change "site" to match your domain. eg. site=codesrc; export site |
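Review bot: The added CN bullet ("A FQDN not required - a DNS CNAME should be entered") contradicts its own example, since www.codesrc.com is itself a fully qualified name. The point the bullet needs is that the CN must equal the hostname users type, so state that directly, for example "Use the name users put in the URL, even when it is a CNAME alias rather than the server's own hostname." In the same revision the startssl link is plain http:// while the godaddy link is https://; use https for both if the site serves it.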
Revision as of 23:48, 23 May 2011
Obtaining a free SSL certificate
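The following Certificate Authorities offer free domain-validated certificates that are accepted by the majority of web browsers.
- godaddy (https://www.godaddy.com/ssl/ssl-open-source.aspx) offers certs for open source projects.
- startssl (http://www.startssl.com/) offers free certs to everyone.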
Creating a self-signed certificate for Apache
- Create the cert, and copy it to the standard location.
  - You will be prompted for Country, State/Province, Locality, Organization, Organizational Unit, Common Name (CN), and Email Address.
  - Enter the web host's authority for the CN, as it will be used by users to access your site (e.g. "www.codesrc.com"). An FQDN is not required; a DNS CNAME should be entered if this is the normal method of accessing the site (e.g. www.codesrc.com is a CNAME for webhost.codesrc.com).
  - DO NOT enter "YOUR name" into the CN field, as prompted by openssl.
<pre>
# Change "site" to match your domain.
site=codesrc; export site
cd /tmp
# -nodes leaves the private key unencrypted, so Apache can start without a passphrase prompt
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${site}-selfsigned.key -outform pem -out ${site}-selfsigned.pem
sudo cp ${site}-selfsigned.pem /etc/ssl/certs/
sudo cp ${site}-selfsigned.key /etc/ssl/private
# Only root and members of the ssl-cert group may read the key
sudo chgrp ssl-cert /etc/ssl/private/${site}-selfsigned.key
sudo chmod 640 /etc/ssl/private/${site}-selfsigned.key
</pre>
- Modify your apache site config:
<pre>
<IfModule mod_ssl.c>
<VirtualHost *:443>
	# Copy standard, non-SSL config here

	SSLEngine on
	SSLCertificateFile    /etc/ssl/certs/codesrc-selfsigned.pem
	SSLCertificateKeyFile /etc/ssl/private/codesrc-selfsigned.key
	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

	<FilesMatch "\.(cgi|shtml|phtml|php)$">
		SSLOptions +StdEnvVars
	</FilesMatch>
	<Directory /usr/lib/cgi-bin>
		SSLOptions +StdEnvVars
	</Directory>

	BrowserMatch "MSIE [2-6]" \
		nokeepalive ssl-unclean-shutdown \
		downgrade-1.0 force-response-1.0
	# MSIE 7 and newer should be able to use keepalive
	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
</pre>
- Make sure mod_ssl is enabled.
<pre>
# Debian/Ubuntu load modules from mods-enabled; "sudo a2enmod ssl" creates the same links
cd /etc/apache2/mods-enabled
sudo ln -s ../mods-available/ssl.load .
sudo ln -s ../mods-available/ssl.conf .
</pre>
- Restart apache
<pre>
sudo /etc/init.d/apache2 restart
</pre>
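The certificate step and the CN guidance above, as an added example that is not part of the original wiki page: a non-interactive form of the same `openssl req` command, followed by checks that the CN is the name users type, that key and certificate belong together, and that the key is not world-readable. The function names and the temporary directory are assumptions made for this example; `www.codesrc.com` is the page's sample hostname.

```shell
#!/bin/sh
# Added example, not from the wiki; function names are hypothetical.

# make_selfsigned SITE HOST DIR: the page's openssl req command, with -subj
# supplying the CN instead of the interactive prompts.
make_selfsigned() {
    ( umask 077   # key is created readable by its owner only
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=$2" \
          -keyout "$3/$1-selfsigned.key" \
          -outform pem -out "$3/$1-selfsigned.pem" 2>/dev/null )
}

# cert_cn PEM: print the CN from the certificate subject.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_matches_cert KEY PEM: true when both files hold the same public key.
key_matches_cert() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$pub" ] && [ "$pub" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# check_pair KEY PEM HOST: print the first problem and return 1, else return 0.
check_pair() {
    [ "$(cert_cn "$2")" = "$3" ] || { echo "CN is not $3"; return 1; }
    key_matches_cert "$1" "$2" || { echo "key does not match cert"; return 1; }
    openssl x509 -noout -checkend 0 -in "$2" >/dev/null ||
        { echo "certificate has expired"; return 1; }
    [ -z "$(find "$1" -perm -004)" ] || { echo "key is world-readable"; return 1; }
}

# Demo in a throwaway directory (constructed sample values)
demo_dir=$(mktemp -d)
make_selfsigned codesrc www.codesrc.com "$demo_dir"
check_pair "$demo_dir/codesrc-selfsigned.key" "$demo_dir/codesrc-selfsigned.pem" \
    www.codesrc.com && echo "pair OK for www.codesrc.com"
rm -rf "$demo_dir"
```

Current browsers match the hostname against the certificate's subjectAltName rather than the CN, so a certificate made this way also needs a SAN entry carrying the same name.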