SSL

From code/src wiki

Obtaining a free SSL certificate

The following Certificate Authorities offer free domain-validated certificates that are accepted by the majority of web browsers.

  • godaddy offers certs for open source projects.
    • Only free for the first year.
  • startssl offers free certs to everyone.

Creating a self-signed certificate for Apache

  • Create the cert, and copy it to the standard location.
    • You will be prompted for Country, State/Province, Locality, Organization, Organization Unit, Common Name (CN), and Email Address.
    • Enter the web host's authority (the host name users type to reach your site) for the CN, eg. "www.codesrc.com". It need not be the machine's FQDN: if the site is normally reached through a DNS CNAME, enter the CNAME (eg. www.codesrc.com is a CNAME for webhost.codesrc.com).
    • DO NOT enter "YOUR name" into the CN field, as prompted by openssl.
# Change "site" to match your domain. eg. site=codesrc; export site
cd /tmp
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${site}-selfsigned.key -outform pem -out ${site}-selfsigned.pem
sudo cp ${site}-selfsigned.pem /etc/ssl/certs/
sudo cp ${site}-selfsigned.key /etc/ssl/private
sudo chgrp ssl-cert /etc/ssl/private/${site}-selfsigned.key
sudo chmod 640 /etc/ssl/private/${site}-selfsigned.key
  • Modify your apache site config:
<IfModule mod_ssl.c>
<VirtualHost *:443>
        # Copy standard, non-SSL config here

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/codesrc-selfsigned.pem
        SSLCertificateKeyFile /etc/ssl/private/codesrc-selfsigned.key
        #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>

  • Make sure mod_ssl is enabled (module symlinks belong in mods-enabled, not sites-enabled):
cd /etc/apache2/mods-enabled
sudo ln -s ../mods-available/ssl.load .
sudo ln -s ../mods-available/ssl.conf .
# Equivalent on Debian/Ubuntu: sudo a2enmod ssl
  • Restart apache
sudo /etc/init.d/apache2 restart
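As an added example (not from the wiki), the self-signed procedure above wrapped in shell functions that run openssl non-interactively and then check the result: that the certificate carries the key's public half, that the host name is also present as a DNS subjectAltName (browsers no longer match on the CN alone), and that the private key is not world-readable. The subject fields and the www.codesrc.com host are constructed sample values, and `-addext` assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the codesrc wiki: the self-signed procedure above,
# done non-interactively and checked afterwards. Subject fields are
# constructed sample values. Requires OpenSSL 1.1.1+ (for -addext).
set -eu

# make_selfsigned SITE HOST [DAYS]: writes SITE-selfsigned.key / .pem in the
# current directory. Modern browsers ignore the CN when matching the host
# name, so the same name is also placed in a DNS subjectAltName.
make_selfsigned() {
    site=$1 host=$2 days=${3:-365}
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -subj "/C=AU/ST=Victoria/L=Melbourne/O=codesrc/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$site-selfsigned.key" -out "$site-selfsigned.pem" 2>/dev/null
    chmod 600 "$site-selfsigned.key"  # tighten before copying to /etc/ssl/private
}

# cert_matches_key PEM KEY: succeeds when the certificate carries the public
# half of KEY (catches a stale .pem deployed next to a regenerated key).
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    k=$(openssl pkey -pubout -in "$2" | openssl sha256)
    [ "$c" = "$k" ]
}

# cert_has_san PEM HOST: succeeds when DNS:HOST appears in subjectAltName.
cert_has_san() {
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# cert_cn PEM: prints the CN, the field the wiki says must hold the site name.
cert_cn() {
    openssl x509 -noout -subject -nameopt sep_multiline -in "$1" \
        | sed -n 's/^ *CN=//p'
}

# key_not_world_readable KEY: succeeds unless "other" may read the file.
key_not_world_readable() {
    case $(ls -l "$1" | cut -c8-10) in
        *r*) return 1 ;;
    esac
    return 0
}
```

Run the checks again after every copy into /etc/ssl, since a certificate that no longer matches the key in /etc/ssl/private is the usual reason an SSL vhost refuses to start.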

Creating a certificate request

  • You will be prompted for Country, State/Province, Locality, Organization, Organization Unit, Common Name (CN), and Email Address.
  • Enter your business name in the Organization field. If the certificate is not business related, enter your own name.
  • Enter the web host's authority (the host name users type to reach your site) for the CN, eg. "www.codesrc.com". It need not be the machine's FQDN: if the site is normally reached through a DNS CNAME, enter the CNAME (eg. www.codesrc.com is a CNAME for webhost.codesrc.com).
  • DO NOT enter "YOUR name" into the CN field, as prompted by openssl.
# Without -nodes the private key is passphrase-protected; Apache will ask for the passphrase at startup.
openssl req -newkey rsa:4096 -out myRequest.csr -text -keyout myPrivateKey.private
  • Provide myRequest.csr to your certificate authority for signing.