SSL

From code/src wiki
Revision as of 23:48, 23 May 2011

Obtaining a free SSL certificate

The following Certificate Authorities offer free domain-validated certificates that are accepted by the majority of web browsers.

  • godaddy (https://www.godaddy.com/ssl/ssl-open-source.aspx) offers certs for open source projects.
  • startssl (http://www.startssl.com/) offers free certs to everyone.

Creating a self-signed certificate for Apache

  • Create the cert, and copy it to the standard location.
    • You will be prompted for Country, State/Province, Locality, Organization, Organization Unit, Common Name (CN), and Email Address.
    • For the CN, enter the host name users will type to reach the site (e.g. "www.codesrc.com"). This need not be the host's canonical FQDN: if users normally reach the site through a DNS CNAME, enter the CNAME (e.g. www.codesrc.com, which is a CNAME for webhost.codesrc.com).
    • Do NOT enter your own name in the CN field, even though the openssl prompt suggests it.
# Change "site" to match your domain, e.g. site=codesrc; export site
site=codesrc; export site
cd /tmp
# 2048-bit RSA key, left unencrypted (-nodes) so Apache can start without a passphrase; cert valid for 365 days
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${site}-selfsigned.key -outform pem -out ${site}-selfsigned.pem
sudo cp ${site}-selfsigned.pem /etc/ssl/certs/
sudo cp ${site}-selfsigned.key /etc/ssl/private
# Restrict the private key to root and the ssl-cert group
sudo chgrp ssl-cert /etc/ssl/private/${site}-selfsigned.key
sudo chmod 640 /etc/ssl/private/${site}-selfsigned.key
  • Modify your apache site config:
<IfModule mod_ssl.c>
<VirtualHost *:443>
        # Copy standard, non-SSL config here

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/codesrc-selfsigned.pem
        SSLCertificateKeyFile /etc/ssl/private/codesrc-selfsigned.key
        #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
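Before restarting Apache it is worth checking that the certificate and key the VirtualHost points at are really the ones intended. The script below is an added example, not part of the wiki page: it generates the self-signed certificate non-interactively with -subj (so the CN is the site name rather than a person's name) and, going beyond the page's command, adds -sha256 and a subjectAltName, which current browsers require alongside the CN. It then reads the SSLCertificateFile/SSLCertificateKeyFile pair out of a VirtualHost file and checks CN and SAN against the host name users will type, that the key matches the certificate, that the key is not world-readable, and that the certificate is not about to expire. The function names, the www.example.test host name and the assumption of openssl 1.1.1 or newer (for -addext) are mine, not the page's.

```shell
#!/bin/sh
# Added example (not from the wiki page): create the self-signed certificate
# non-interactively, then run the checks worth doing before Apache is restarted.
# Assumptions: POSIX sh, openssl 1.1.1 or newer (for -addext), GNU or BSD stat.
set -eu

# make_selfsigned HOST DIR: writes DIR/HOST-selfsigned.key and DIR/HOST-selfsigned.pem
make_selfsigned() {
    host=$1; dir=$2
    mkdir -p "$dir"
    # -subj replaces the interactive prompts, so the CN is exactly the name users type.
    # -addext adds a subjectAltName; browsers check it in addition to the CN.
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -sha256 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/$host-selfsigned.key" -out "$dir/$host-selfsigned.pem" 2>/dev/null
    chmod 600 "$dir/$host-selfsigned.key"
}

# cert_cn CERT: prints the CN from the certificate subject
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# cert_dns_names CERT: prints each DNS name in the subjectAltName extension, one per line
cert_dns_names() {
    openssl x509 -in "$1" -noout -text | tr ',' '\n' |
        sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# key_matches_cert KEY CERT: succeeds if the key's public half is the one in the cert
key_matches_cert() {
    [ -r "$1" ] && [ -r "$2" ] || return 1
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_not_world_readable KEY: succeeds if the "other" permission bits are all clear
key_not_world_readable() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case $mode in
        *[1-7]) return 1 ;;
    esac
    return 0
}

# cert_valid_for_days CERT DAYS: succeeds if the cert does not expire within DAYS
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# vhost_directive CONFIG DIRECTIVE: prints the first argument of an Apache directive
vhost_directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

# preflight_vhost CONFIG HOST: checks the cert/key pair a VirtualHost references
# against the host name users will type; prints each failure, succeeds if all pass
preflight_vhost() {
    cfg=$1; host=$2; ok=0
    cert=$(vhost_directive "$cfg" SSLCertificateFile)
    key=$(vhost_directive "$cfg" SSLCertificateKeyFile)
    [ -r "$cert" ] || { echo "missing cert: $cert"; ok=1; }
    [ -r "$key" ] || { echo "missing key: $key"; ok=1; }
    [ "$ok" -eq 0 ] || return 1
    [ "$(cert_cn "$cert")" = "$host" ] || { echo "CN is not $host"; ok=1; }
    cert_dns_names "$cert" | grep -qxF "$host" || { echo "no SAN for $host"; ok=1; }
    key_matches_cert "$key" "$cert" || { echo "key does not match cert"; ok=1; }
    key_not_world_readable "$key" || { echo "key is world-readable"; ok=1; }
    cert_valid_for_days "$cert" 30 || { echo "cert expires within 30 days"; ok=1; }
    return "$ok"
}

# Usage: sh preflight.sh www.codesrc.com /etc/apache2/sites-available/default-ssl
if [ $# -eq 2 ]; then
    preflight_vhost "$2" "$1"
fi
```

The preflight only reads the files Apache itself would read, so it can run as the user who will restart Apache; a non-zero exit together with the printed reason means the VirtualHost would either fail to start (key/cert mismatch, missing file) or serve a certificate that does not match the name users type.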

  • Make sure mod_ssl is enabled (the symlinks belong in mods-enabled, not sites-enabled, so the module is loaded before the site configs are read):
cd /etc/apache2/mods-enabled
sudo ln -s ../mods-available/ssl.load .
sudo ln -s ../mods-available/ssl.conf .
# Equivalent on Debian/Ubuntu: sudo a2enmod ssl
  • Restart apache
sudo /etc/init.d/apache2 restart