Creating a self signed Apache SSL certificate
if you ever need to use HTTPS or SSL with your website, you will need to have an SSL certificate created, which your Apache web server would use to hand out to the web browsers of the site visitors. The certificate is normally generated at the time of Linux installation of your PC/server, during Apache installation. However, this certificate would be created for a machine, named “localhost.localdomain” . When a web browser visits such a site , it sees this certificate, and also sees that it does not match the website's hostname or FQDN. Modern browsers see it as a threat, or something “fishy”. Here is how you would create a new certificate for your website, on your web server. I am using CentOS 5.3 .
Your Apache ssl.conf in /etc/httpd.conf.d directory has the following SSLCertificate related directives.
[root@www conf.d]# grep SSLCertificate /etc/httpd/conf.d/ssl.conf
# Point SSLCertificateFile at a PEM encoded certificate. If
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Point SSLCertificateChainFile at a file containing the
# the referenced file can be the same as SSLCertificateFile
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
[root@www conf.d]#
Also note down the permissions set of these two files:-
[root@www conf.d]# ls -lh /etc/pki/tls/certs/localhost.crt
-rw------- 1 root root 1.5K May 5 23:02 /etc/pki/tls/certs/localhost.crt
[root@www conf.d]# ls -lh /etc/pki/tls/private/localhost.key
-rw------- 1 root root 891 May 5 23:02 /etc/pki/tls/private/localhost.key
Now create the new certificate files:
[root@www conf.d]# openssl req -new -days 365 -x509 -nodes -out /etc/pki/tls/certs/server.crt -keyout /etc/pki/tls/private/server.key
Generating a 1024 bit RSA private key
......++++++
...................................++++++
writing new private key to '/etc/pki/tls/private/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:California
Locality Name (eg, city) [Newbury]:Los Angeles
Organization Name (eg, company) [My Company Ltd]:Example Web Site
Organizational Unit Name (eg, section) []:Web
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []: webserver@example.com
Note that the files are called server.crt and server.key . You can have any name for these files though. Now you should update your ssl.conf file to use thse files instead of the localhost.crt and localhost.key .
[root@www conf.d]# vi /etc/httpd/conf.d/ssl.conf
...
SSLCertificateFile /etc/pki/tls/certs/server.crt
...
SSLCertificateKeyFile /etc/pki/tls/private/server.key
...
...
Update the permission set of these two files :-
[root@www conf.d]# chmod 0600 /etc/pki/tls/certs/server.crt
[root@www conf.d]# chmod 0600 /etc/pki/tls/private/server.key
[root@www conf.d]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
That is all.
Remember, that this is still a self signed certificate. That means browser clients will still see a “this certificate is no good”, type of message before presenting the site. But this does give the viewer a peace of mind.
Web-email such as SquirrelMail setup as http://www.example.com/webmail, should now be able to work as https://www.example.com/webmail .
Please note that Apache SSL certificates cannot be used with Name based Virtual Hosts.
No comments:
Post a Comment