Skip to content


How to create and install an Apache SSL certificate (either self-signed or not)

This is actually, once again, simpler than it looks from the length of most tutorials that can be found elsewhere. So I’ll just list the steps and the key commands, and I’ll let you figure out how to move the files around.

Generate private key:
openssl genrsa -des3 -out servPriv.key 4096

Generate CSR (Certificate Signing Request):
openssl req -new -key servPriv.key -out servRequest.csr

Remove Passphrase from Key
cp servPriv.key servPriv.key-passwd
openssl rsa -in servPriv.key-passwd -out servPriv.key

NB: this is to prevent Apache from asking for the key password every time it starts, but obviously this means your key is no longer protected! To protect it a bit more, you should chown it to root, and chmod it 400 (ie, can only be read by root). For some reason Apache should still be able to read it.

Send your signing request to your certificate provider. Or self-sign your certificate:
openssl x509 -req -days 365 -in servRequest.csr -signkey servPriv.key -out signedStartSSL.crt

In Apache, enable mod_ssl. It can be done in a few clicks via Webmin, or just add this somewhere in your Apache configuration files:
LoadModule ssl_module modules/mod_ssl.so

And finally, add something like this somewhere in your Apache HTTPd configuration (note that SSLCertificateChainFile and SSLCACertificateFile are provided by the certificate signing authority thus don’t apply if you self-signed your certificate):

<VirtualHost *:443>
   DocumentRoot /var/www
   SSLEngine on
   SSLProtocol all -SSLv2
   #SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
   SSLHonorCipherOrder On
   SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

   SSLCertificateFile /home/certifs/signedStartSSL.crt
   SSLCertificateKeyFile /home/certifs/servPriv.key
   SSLCertificateChainFile /home/certifs/sub.class1.server.ca.pem
   SSLCACertificateFile /home/certifs/ca.pem
   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>

Restart Apache and test 🙂

Sources:

Update (2012-08-10): fixed cypher choices to avoid being vulnerable to the BEAST attack.

Update (2013-06-06): new interesting cypher choices, cf http://www.evanhoffman.com/evan/2011/09/20/making-sure-sslv2-is-disabled-in-apache/ and http://www.virtualmin.com/node/19993

Posted in cryptography, Linux, security, servers.


0 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.



Some HTML is OK

or, reply to this post via trackback.

Please solve the CAPTCHA below in order to fight spamWordPress CAPTCHA