SSL

From code/src wiki

Obtaining a free SSL certificate

The following Certificate Authorities offer free domain-validated certificates that are accepted by the majority of web browsers.

  • GoDaddy offers certs for open source projects.
    • Only free for the first year.
  • StartSSL offers free certs to everyone.

Creating a self-signed certificate for Apache

  • Create the cert, and copy it to the standard location.
    • You will be prompted for Country, State/Province, Locality, Organization, Organization Unit, Common Name (CN), and Email Address.
    • Enter the host name that users will type to reach your site (e.g. "www.codesrc.com") as the CN. It need not be the host's canonical FQDN: if the site is normally reached through a DNS CNAME, enter the CNAME (e.g. www.codesrc.com may be a CNAME for webhost.codesrc.com).
    • Do NOT enter your own name in the CN field, even though openssl's prompt suggests it.
# Change "site" to match your domain. eg. site=codesrc; export site
cd /tmp
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${site}-selfsigned.key -outform pem -out ${site}-selfsigned.pem
sudo cp ${site}-selfsigned.pem /etc/ssl/certs/
sudo cp ${site}-selfsigned.key /etc/ssl/private
sudo chgrp ssl-cert /etc/ssl/private/${site}-selfsigned.key
sudo chmod 640 /etc/ssl/private/${site}-selfsigned.key
  • Modify your apache site config:
<IfModule mod_ssl.c>
<VirtualHost *:443>
        # Copy standard, non-SSL config here

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/codesrc-selfsigned.pem
        SSLCertificateKeyFile /etc/ssl/private/codesrc-selfsigned.key
        #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>

  • Make sure mod_ssl is enabled. The symlinks belong in mods-enabled, not sites-enabled ("sudo a2enmod ssl" creates the same two links):
cd /etc/apache2/mods-enabled
sudo ln -s ../mods-available/ssl.load .
sudo ln -s ../mods-available/ssl.conf .
  • Restart Apache:
sudo /etc/init.d/apache2 restart

Creating a certificate request

  • You will be prompted for Country, State/Province, Locality, Organization, Organization Unit, Common Name (CN), and Email Address.
  • Enter your business name in the Organization field. If the certificate is not business related, enter your own name.
  • Enter the host name that users will type to reach your site (e.g. "www.codesrc.com") as the CN. It need not be the host's canonical FQDN: if the site is normally reached through a DNS CNAME, enter the CNAME (e.g. www.codesrc.com may be a CNAME for webhost.codesrc.com).
  • Do NOT enter your own name in the CN field, even though openssl's prompt suggests it.
# Without -nodes the private key is passphrase-protected; Apache will ask for
# the passphrase at every start unless you remove it before installing the key.
openssl req -newkey rsa:4096 -out myRequest.csr -text -keyout myPrivateKey.private
  • Provide myRequest.csr to your certificate authority for signing.
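The two openssl invocations on this page (the self-signed cert in the Apache section and the CSR here), driven non-interactively and followed by the checks worth running before copying anything into /etc/ssl or sending a request to a CA, as an added example that is not from the wiki. It assumes OpenSSL 1.1.1 or newer on PATH; the subject values and host names are placeholders, and a subjectAltName is added alongside the CN because current browsers match the host name only against SANs.

```sh
#!/bin/sh
# Added example, not from the wiki: drive the two openssl commands above
# non-interactively and check the result before installing anything.
# Assumes openssl 1.1.1 or newer on PATH; subject values are placeholders.
set -eu

# Self-signed cert for host "$2", written to ./$1-selfsigned.{key,pem}.
# The host name goes in both the CN and a subjectAltName: browsers now ignore
# the CN and match only SANs, so a CN-only cert is rejected even if trusted.
make_selfsigned() {
  site=$1; host=$2
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -subj "/C=AU/O=Example Org/CN=${host}" \
    -addext "subjectAltName=DNS:${host}" \
    -keyout "${site}-selfsigned.key" -out "${site}-selfsigned.pem" 2>/dev/null
  chmod 640 "${site}-selfsigned.key"   # same permissions the wiki applies
}

# Certificate request for host "$2": ./$1.csr plus an unencrypted ./$1.key.
make_csr() {
  site=$1; host=$2
  openssl req -new -nodes -newkey rsa:4096 \
    -subj "/C=AU/O=Example Org/CN=${host}" \
    -addext "subjectAltName=DNS:${host}" \
    -keyout "${site}.key" -out "${site}.csr" 2>/dev/null
}

# Print the CN of a certificate ("cert") or request ("csr").
subject_cn() {
  case $1 in
    cert) openssl x509 -noout -subject -nameopt RFC2253 -in "$2" ;;
    csr)  openssl req  -noout -subject -nameopt RFC2253 -in "$2" ;;
  esac | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# True when the private key really belongs to the cert or CSR: the public
# key extracted from each side must be byte-identical.
key_matches() {           # key_matches cert|csr FILE KEYFILE
  if [ "$1" = cert ]; then pub=$(openssl x509 -noout -pubkey -in "$2")
  else                     pub=$(openssl req  -noout -pubkey -in "$2"); fi
  [ "$pub" = "$(openssl pkey -pubout -in "$3")" ]
}

# True when the cert or CSR carries DNS:<host> in its subjectAltName.
has_san() {               # has_san cert|csr FILE HOST
  if [ "$1" = cert ]; then openssl x509 -noout -text -in "$2"
  else                     openssl req  -noout -text -in "$2"; fi |
    grep -q "DNS:$3"
}

# True when the key file is readable by "other" (chmod 640 prevents this).
key_world_readable() { [ -n "$(find "$1" -perm -004)" ]; }
```

Run `subject_cn`, `key_matches` and `has_san` against the files before copying them; a key that does not match its certificate is the most common cause of Apache refusing to start after the config change.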