This is actually, once again, simpler than it looks from the length of most tutorials that can be found elsewhere. So I’ll just list the steps and the key commands, and I’ll let you figure out how to move the files around.
Generate private key:
openssl genrsa -des3 -out servPriv.key 4096
Generate CSR (Certificate Signing Request):
openssl req -new -key servPriv.key -out servRequest.csr
Remove Passphrase from Key
cp servPriv.key servPriv.key-passwd
openssl rsa -in servPriv.key-passwd -out servPriv.key
NB: this is to prevent Apache from asking for the key password every time it starts, but obviously this means your key is no longer protected! To protect it a bit more, you should chown it to root, and chmod it 400 (ie, can only be read by root). For some reason Apache should still be able to read it.
Send your signing request to your certificate provider. Or self-sign your certificate:
openssl x509 -req -days 365 -in servRequest.csr -signkey servPriv.key -out signedStartSSL.crt
In Apache, enable mod_ssl. It can be done in a few clicks via Webmin, or just add this somewhere in your Apache configuration files:
LoadModule ssl_module modules/mod_ssl.so
And finally, add something like this somewhere in your Apache HTTPd configuration (note that SSLCertificateChainFile and SSLCACertificateFile are provided by the certificate signing authority thus don’t apply if you self-signed your certificate):
<VirtualHost *:443> DocumentRoot /var/www SSLEngine on SSLProtocol all -SSLv2 #SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM SSLHonorCipherOrder On SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH SSLCertificateFile /home/certifs/signedStartSSL.crt SSLCertificateKeyFile /home/certifs/servPriv.key SSLCertificateChainFile /home/certifs/sub.class1.server.ca.pem SSLCACertificateFile /home/certifs/ca.pem SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown </VirtualHost>
Restart Apache and test 🙂
- Akadia – How to create a self-signed SSL Certificate
- SSL Shopper – How to Create and Install an Apache Self Signed Certificate
- StartSSL – Installation Instructions for Apache
- SSL tester by SSL Labs
Update (2012-08-10): fixed cypher choices to avoid being vulnerable to the BEAST attack.
Update (2013-06-06): new interesting cypher choices, cf http://www.evanhoffman.com/evan/2011/09/20/making-sure-sslv2-is-disabled-in-apache/ and http://www.virtualmin.com/node/19993