How to SETUP SSL (Apache + MODSSL)

  #1  
Old 02-27-2004, 11:29 PM
YUPAPA YUPAPA is offline
Quant Trader
 
Join Date: May 2001
Location: HK
Posts: 2,931
How to SETUP SSL (Apache + MODSSL)



This Yupapa's Tutorial teaches you how to generate and set up an SSL certificate. ~

Assuming you have apache and openssl installed, you would like to generate and setup an SSL certificate for the domain 'MYdomain.com'


Generating RSA & CSR (Signing Request)
__________________________________________________
[root@yupapa root]#
[root@yupapa root]# cd /etc/httpd/conf/ssl.key


OPTION 1: Generating an RSA private key without a passphrase (ME recommended)
[root@yupapa /etc/httpd/conf/ssl.key]# openssl genrsa -out MYdomain.com.key 1024

OPTION 2: Generating an RSA private key with a passphrase. You will be prompted to enter a passphrase right after you hit enter.
[root@yupapa /etc/httpd/conf/ssl.key]# openssl genrsa -des3 -out MYdomain.com.key 1024

You should NOT generate the RSA private key with a passphrase if you have scripts that restart apache automatically. If you do, then apache just sits there and waits for the script to input the passphrase, which is a mess!
There is a method to disable the passphrase prompt when you restart apache, which I'll show you later~

Next generate the CSR using the RSA Private Key
[root@yupapa /etc/httpd/conf/ssl.key]# openssl req -new -key MYdomain.com.key -out MYdomain.com.csr
[root@yupapa /etc/httpd/conf/ssl.key]# mv MYdomain.com.csr ../ssl.csr

You will be asked to enter your Common Name, Organization, Organization Unit, City or Locality, State or Province and Country.
Do not enter these characters '< > ~ ! @ # $ % ^ * / \ ( ) ?.,&' because they will not be accepted.

Common Name: the domain for the web server (e.g. MYdomain.com)
Organization: the name of your organization (e.g. YUPAPA)
Organization Unit: the section of the organization (e.g. Sales)
City or Locality: the city where your organization is located (e.g. Flanders)
State or Province: the state / province where your organization is located (e.g. New Jersey)
Country: the country where your organization is located (e.g. US)

You may be asked for an email address and a challenge password. I just hit enter when I generate the csr~

Now you should have:
/etc/httpd/conf/ssl.key/MYdomain.com.key
/etc/httpd/conf/ssl.csr/MYdomain.com.csr

Make a backup copy of your private key! If you lose it, you have to purchase a new cert!

Now you should submit your csr and they will mail you the certificate.




Installing the Certificate for Apache
__________________________________________________
[root@yupapa root]#
[root@yupapa root]# cd /etc/httpd/conf/ssl.crt


Copy the certificate that they mailed you to MYdomain.com.crt
Open your httpd.conf file and place the following in your virtualhost


Code:
<VirtualHost 123.456.789.123:443>
# ... some config like DocumentRoot, etc.
SSLEngine		on
SSLCertificateFile	/etc/httpd/conf/ssl.crt/MYdomain.com.crt
SSLCertificateKeyFile	/etc/httpd/conf/ssl.key/MYdomain.com.key
</VirtualHost>

Restart apache
OPTION 1 [root@yupapa /etc/httpd/conf/ssl.crt]# apachectl restart
OPTION 2 (using the sh script) [root@yupapa /etc/httpd/conf/ssl.crt]# /etc/rc.d/init.d/httpd restart


You may be asked to enter the passphrase IF you generated the RSA with a passphrase. If you do NOT want to be asked for a passphrase when restarting apache, re-generate your RSA key file.
[root@yupapa /etc/httpd/conf/ssl.crt]# cd ../ssl.key
[root@yupapa /etc/httpd/conf/ssl.key]# mv MYdomain.com.key MYdomain.com.key.has-passphrase
[root@yupapa /etc/httpd/conf/ssl.key]# openssl rsa -in MYdomain.com.key.has-passphrase -out MYdomain.com.key


And then restart apache again

Now you should be able to access https://MYdomain.com ~ And Finally make sure those directories and files are only writable and readable by root!


Last edited by Akash; 03-08-2004 at 06:56 PM.
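
A pre-restart check for the files this tutorial produces, as an added example that is not part of the original post: it confirms that the key, CSR and certificate share one public key, that the key loads without a passphrase, reports the key size, and verifies that a file is accessible only to its owner. The function names and the `sample.*` files are assumptions made for the example.

```shell
# Added example, not from the original post. Function names are assumptions.

# SHA-256 of the public key inside a private key (key), CSR (csr) or cert (crt).
pubkey_hash() {
    case "$1" in
        key) pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) ;;
        csr) pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# True when key $1, CSR $2 and certificate $3 all carry the same public key.
same_keypair() {
    k=$(pubkey_hash key "$1") || return 1
    c=$(pubkey_hash csr "$2") || return 1
    x=$(pubkey_hash crt "$3") || return 1
    [ "$k" = "$c" ] && [ "$k" = "$x" ]
}

# True when the key loads with no passphrase, so Apache can restart unattended.
key_is_unencrypted() {
    openssl pkey -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# Key size in bits, parsed from the "(NNNN bit" line of the key's text dump.
key_bits() {
    openssl pkey -in "$1" -noout -text -passin pass: 2>/dev/null |
        sed -n 's/^.*(\([0-9][0-9]*\) bit.*$/\1/p' | head -n 1
}

# True when group and others have no access and the owner is uid $2 (default 0).
owner_only() {
    line=$(ls -ldn "$1") || return 1
    perms=$(printf '%s' "$line" | cut -c5-10)
    uid=$(printf '%s' "$line" | awk '{print $3}')
    [ "$perms" = "------" ] && [ "$uid" = "${2:-0}" ]
}

# Build a constructed, throwaway key, CSR and self-signed cert in directory $1.
make_sample() {
    ( umask 077
      openssl genrsa -out "$1/sample.key" 2048 &&
      openssl req -new -key "$1/sample.key" -subj "/CN=example.test" \
          -out "$1/sample.csr" &&
      openssl x509 -req -in "$1/sample.csr" -signkey "$1/sample.key" \
          -days 1 -out "$1/sample.crt" ) >/dev/null 2>&1
}
```

On the server, pass the tutorial's MYdomain.com.key, MYdomain.com.csr and MYdomain.com.crt paths to `same_keypair`, and run `owner_only` on the key file and on the ssl.key directory.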
  #2  
Old 02-28-2004, 04:29 AM
viGeek viGeek is offline
Russ
 
Join Date: Mar 2002
Location: Philadelphia, PA
Posts: 2,493
Great how-to YUPAPA!


Last edited by Akash; 03-08-2004 at 06:57 PM.
  #3  
Old 04-26-2004, 09:36 PM
Mr_Colostomy Mr_Colostomy is offline
New Member
 
Join Date: Apr 2004
Posts: 3
Re: How to SETUP SSL (Apache + MODSSL)

Quote:
Originally posted by YUPAPA
Now you should submit your csr and they will mail you the certificate.
Where/How do I submit it?

Bigtime Thanx
-Colo

P.S. I've also generated the key and csr in webpanel, but when I goto install cert I get....Sorry key not found? I've copied pasted and I realize that I need a crt and not a csr, I just know who to send it to. I know I'm the biggest noob on the board, but I'm at a total loss here.

And what version of Apache? When I tried to enter the SSLEngine On line, I got an error and had to remove it.
Apache Core 1.3.29
mod_ssl 2.8.16 are my versions


Last edited by Mr_Colostomy; 04-26-2004 at 09:47 PM.
  #4  
Old 05-18-2004, 03:11 PM
stftk stftk is offline
Web Hosting Evangelist
 
Join Date: May 2003
Posts: 472
If you want a verified SSL certificate, you will need to submit your CSR to a signing authority such as Geotrust or freessl. For just $20 you can get a chained SSL cert from www.rackshack.net .

Or you can have it sign itself, in which case you would get a box when going to the page saying this cert is not from a trusted authority.

When you go to setup the SSL cert in your admin panel, copy the CSR into the first box and the CRT into the second box (certificate box).

  #5  
Old 08-17-2004, 07:57 PM
tity0505 tity0505 is offline
Newbie
 
Join Date: Mar 2003
Posts: 17
yupapa thanks for the tutorial,
i'm new to this and having trouble installing it for apache, because under the folder i don't have "httpd" folder anywhere

  #6  
Old 09-05-2004, 02:09 AM
marshallm marshallm is offline
Newbie
 
Join Date: Aug 2004
Posts: 29
Does anyone know if you can use PGP to create the cert, and then sign it with your company's corporate signing key?

Seems to me that would be the way to go if your company uses PGP.

Thanks!
