Once you have your server running with a self-signed certificate you might find it useful to have a “real” certificate that does not warn users.
Many of the CAs provide test certificates that are generally valid for 30-60 days; I’ve recently discovered StartSSL, which generates free certificates that are valid for a full year.
- Generating keys and certificates…
NOTE: this process is rather involved and is documented better elsewhere; here’s what I needed to remember to get the keys and certificates.
- save ssl.key (private)
- save ssl.crt (pem encoded)
- get file from control panel:
- Make sure that you move all three files to the /etc/apache2/ssl/ folder on the server.
- Edit the config file…
sudo vi /etc/apache2/sites-available/default-ssl.conf
Modify the values related to the keys and certs…
- Reload the config and restart…
sudo service apache2 reload
sudo service apache2 restart
Test it out…
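Before reloading it is worth checking that the three files actually belong together, because a private key that does not match the certificate (or an encrypted key that prompts for a passphrase) stops apache2 from starting. The script below is an added example, not part of the original post and not Apache's own tooling: it writes the three directives to set in default-ssl.conf (the /etc/apache2/ssl/ paths follow the post; the chain file name ca-chain.crt is an assumed placeholder for the file downloaded from the control panel), then checks that the private key's public half matches the certificate and that the certificate is not about to expire. It generates a throwaway key and self-signed certificate so that it runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the original post). Paths follow the post's
# /etc/apache2/ssl/ layout; "ca-chain.crt" is an assumed placeholder name for
# the intermediate certificate fetched from the CA's control panel.
set -eu

# The directives to change in /etc/apache2/sites-available/default-ssl.conf.
# Written to a file here so the script is self-contained; on the server you
# edit them in place.
write_ssl_directives() {
    cat > "$1" <<'EOF'
SSLEngine on
SSLCertificateFile      /etc/apache2/ssl/ssl.crt
SSLCertificateKeyFile   /etc/apache2/ssl/ssl.key
SSLCertificateChainFile /etc/apache2/ssl/ca-chain.crt
EOF
}

# Succeeds only if the private key's public half equals the public key inside
# the certificate. A mismatch is the usual reason apache2 refuses to start
# after 'service apache2 restart'. A DES3-encrypted key would need -passin;
# this demo uses an unencrypted key so nothing prompts.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# Succeeds if the certificate is still valid $2 days from now
# (-checkend takes seconds).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed throwaway material for the demo, not real server files:
# one matching key/cert pair and an unrelated key to show the mismatch case.
make_demo_pair() {
    openssl genrsa -out "$1/ssl.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/ssl.key" -days 30 \
        -subj "/CN=www.example.test" -out "$1/ssl.crt" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

main() {
    work=$(mktemp -d)
    make_demo_pair "$work"
    write_ssl_directives "$work/ssl-directives.conf"
    cat "$work/ssl-directives.conf"
    if key_matches_cert "$work/ssl.key" "$work/ssl.crt"; then
        echo "ssl.key matches ssl.crt: OK"
    fi
    if ! key_matches_cert "$work/other.key" "$work/ssl.crt"; then
        echo "other.key does not match ssl.crt (expected)"
    fi
    if cert_valid_for_days "$work/ssl.crt" 7; then
        echo "ssl.crt is still valid in 7 days"
    fi
    rm -rf "$work"
}

main
```

On the real server, run `apache2ctl configtest` after editing the vhost and before the reload; it catches a wrong path or an unreadable key without taking the site down. On Apache 2.4.8 and later SSLCertificateChainFile is deprecated and the intermediate certificate can be appended to the file named by SSLCertificateFile instead.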
If you’ve taken some time to wander around my site, you may have noticed that I also have SSL enabled (with https://www.giantgeek.com/ URLs). Here’s the steps you can take on your site/server – provided you have proper access.
Download and install Apache-OpenSSL and OpenSSL – I’ve found http://hunter.campbus.com/ to be a reliable source for precompiled binaries for Win32 platforms.
Install OpenSSL, and add the following environment variable.
Generate a private key:
openssl genrsa -des3 -out filename.key 1024
Create CSR Request…
openssl req -new -key filename.key -out filename.csr
This step will ask for several pieces of information; here’s my example:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Illinois
Locality Name (eg, city) []:Carol Stream
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dean Scott Fredrickson
Organizational Unit Name (eg, section) []:Giant Geek Communications
Common Name (eg, YOUR name) []:www.giantgeek.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xxxxxxxxxxxxxx
An optional company name []:Giant Geek Communications
You can now send this CSR to a valid Certifying Authority…
I currently use http://www.comodo.com/.
It’s very likely that the CA will need to verify your identity; typically this requires you to fax a copy of your ID card, passport or business papers. A D-U-N-S Number (from Dun and Bradstreet) will make this easier for businesses.
If you don’t plan on having lots of users, you can create a self-signed certificate…
openssl x509 -req -days 30 -in filename.csr -signkey filename.key -out filename.crt
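The same three commands, scripted so they run without prompts, as an added example that is not from the original post. It supplies the distinguished name from the prompt session above with -subj (leaving out the e-mail address) and adds a subjectAltName with -addext (OpenSSL 1.1.1 or later), since browsers now match the host name against the SAN rather than the Common Name. Two deliberate departures from the post’s commands: a 2048-bit key, because 1024-bit RSA is below what public CAs accept today, and no -des3, so the key can be used by a server that starts unattended. The -extfile on the self-signing step is what carries the SAN into the certificate; `openssl x509 -req` otherwise drops the CSR’s extensions. The SAN list is this example’s own choice.

```shell
#!/bin/sh
# Added example, not from the original post: key -> CSR -> self-signed cert,
# run non-interactively. DN values are the ones typed at the prompts in the
# post; the SAN list and the 2048-bit size are this example's choices.
set -eu

DN="/C=US/ST=Illinois/L=Carol Stream/O=Dean Scott Fredrickson/OU=Giant Geek Communications/CN=www.giantgeek.com"
SAN="DNS:www.giantgeek.com,DNS:giantgeek.com"

# 2048-bit RSA key, unencrypted (the post's -des3 would make Apache ask for
# a passphrase on every start).
gen_key() {
    openssl genrsa -out "$1" 2048 2>/dev/null
}

# CSR with the DN given on the command line instead of at the prompts;
# -addext puts the SAN into the request (OpenSSL 1.1.1+).
gen_csr() {
    openssl req -new -key "$1" -subj "$DN" -addext "subjectAltName=$SAN" \
        -out "$2" 2>/dev/null
}

# Self-sign for 30 days, as in the post. 'x509 -req' does not copy
# extensions from the CSR, so the SAN is supplied again through -extfile.
# Arguments: key csr out-cert
self_sign() {
    ext="$3.ext"
    printf 'subjectAltName=%s\n' "$SAN" > "$ext"
    openssl x509 -req -days 30 -in "$2" -signkey "$1" -extfile "$ext" \
        -out "$3" 2>/dev/null
    rm -f "$ext"
}

# Checks worth running before sending the CSR to a CA or installing the cert.
csr_signature_ok() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }
csr_subject()      { openssl req -in "$1" -noout -subject; }
key_bits()         { openssl rsa -in "$1" -noout -text 2>/dev/null | sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1; }
cert_has_san()     { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }
# A self-signed certificate is its own trust anchor, so it must verify against itself.
selfsigned_ok()    { openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; }

main() {
    work=$(mktemp -d)
    gen_key "$work/filename.key"
    gen_csr "$work/filename.key" "$work/filename.csr"
    self_sign "$work/filename.key" "$work/filename.csr" "$work/filename.crt"
    echo "key size: $(key_bits "$work/filename.key") bits"
    csr_subject "$work/filename.csr"
    csr_signature_ok "$work/filename.csr" && echo "CSR signature: OK"
    cert_has_san "$work/filename.crt" www.giantgeek.com && echo "SAN present in certificate"
    selfsigned_ok "$work/filename.crt" && echo "self-signed certificate verifies against itself"
    rm -rf "$work"
}

main
```

When the CSR goes to a real CA only filename.csr is sent; filename.key never leaves the server, and the certificate the CA returns is installed in place of the self-signed filename.crt.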
You’ll need to install the files received from the CA, but it’s pretty trivial so I’ll leave it for later.