installing proper SSL on apache

You are looking for A-Z instructions, what i am doing here is to show you how to install a godaddy or starfield certificate to a website on apache server on a debian system, if you want the instructions to issue the certificate yourself (self signed certificate), i have covered that in another post, you can adopt this to the system of your choice, here i will explain what i am doing too so that you can adapt it to other systems

Note that you need a dedicated IP address for every website / certificate.
I have apache already installed on debian squeeze and running a website with no SSL

1- Before we begin, you may want to execute

apt-get update

2- Install openSSL, on debian this is done with

apt-get install openssl ssl-cert

3-Create a directory for the keys

mkdir /etc/apache2/sslkeys

4- Creating a PRIVATE key (Give to no one)

Before executing this command
You will be asked to chose a password and enter it twice, please keep this password on a paper close to you since we will need this password to decrypt this key in the following steps, this password is important during this process, no longer important after that.

openssl genrsa -des3 -out /etc/apache2/sslkeys/server.key 2048

5- Create a signing request to give to godaddy or starfieldtech
Before executing this command, remember that from the questions you will face, the only one that is TEHNICALLY IMPORTANT IS to use the common name example.com (not www.example.com), unless it is a subdomain other than www you can use subname.example.com, all other fields you should answer as you would like them to appear to people, but the certificate will not work with an incorrect common name

 openssl req -new -key /etc/apache2/sslkeys/server.key -out /etc/apache2/sslkeys/server.csr

NOTE: we could have created a signing request and a private key in one go with

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

But we chose to not do that because this tutorial aims to show you the exact steps and what they do

6- Now, we have a secure signing request, all we need to do is give that to the issuing authority so that they can give us a signed public key

UPDATE: Done with the problem of already present in a current certificate after 4 days of talking to godaddy

Now, i can generate my new certificate, but i waiting for 4 days that i could have done without and got it on the first day, the 72 hours written in the manual is probably the MAXIMUM after revoking a certificate, not after canceling it.

Problem, apache will not start without pass phrase, this also means that rebooting the machine will have the machine hang waiting for apache to start and waiting for a user to enter a password for apache, so we need to decrypt the private key
Please note that this does not make your connection less secure, but in the event that someone gets hold of the key file (That you should protect encrypted or not), they can defeat SSL security.

root@someserver:~#/etc/init.d/apache2 restart
Restarting web server: apache2 ... waiting Apache/2.2.16 mod_ssl/2.2.16 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server www.example.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.

Anyway, now we should come back to how to remove the pass phrase from the private key

Assuming that your RSA key is stored in the file
/etc/apache2/sslkeys/server.key
To decrypt the file, so that apache does not requer a password with every restart
1- copy the key file:

cp /etc/apache2/sslkeys/server.key /etc/apache2/sslkeys/server.enc.key

Now, decrypt the key (read from the backup file) into the key file in our config

openssl rsa -in /etc/apache2/sslkeys/server.enc.key -out /etc/apache2/sslkeys/server.key

Now the encrypted key is in the server.enc.key just in case you need it, and the key used by apache is NOT encrypted and is in server.key file (That apache already uses)

Leave a Reply

Your email address will not be published.