SSL (Secure Sockets Layer)

Creating self-signed certificates

Due to the increasing limitations imposed on what browsers can do when sites are not protected by SSL, it is becoming necessary to create self-signed SSL certificates for use with internal, or testing, servers.

The following instructions describe how to create self-signed certificates for Apache2, and how to modify an Apache configuration file to use them.

Generally, due to the directories involved, the following will need to be done as the 'root' account.

Generating the self-signed certificate

First create and change to an 'ssl' directory that will store the certificates.

mkdir -p /etc/apache2/ssl
cd /etc/apache2/ssl

Then use the 'openssl' command line tool to generate a private key ('wildcard.key') and a certificate ('wildcard.cert'), and to dump the certificate details into a text file ('wildcard.info'); the pem file is assembled from these in the next step.

openssl genrsa 2048 > wildcard.key
# -sha256: current browsers reject certificates signed with SHA-1
openssl req -new -x509 -nodes -sha256 -days 3650 -key wildcard.key > wildcard.cert
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:*.{your domain}.local
Email Address []:

openssl x509 -noout -fingerprint -text < wildcard.cert > wildcard.info

Finally, the certificate and private key are concatenated to form a pem file; then the pem file is made readable by only the 'root' account.

cat wildcard.cert wildcard.key > wildcard.pem
chmod 400 wildcard.key wildcard.pem
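The same generation steps collected into one non-interactive shell function, followed by a check a practitioner would want before pointing Apache at the files. This is an added example, not part of the original page: it uses -sha256 and adds a subjectAltName (browsers validate the SAN, not the Common Name alone), then verifies that the key and certificate belong together, that the signature is not SHA-1, and that the SAN covers the domain. It assumes 'openssl' 1.1.1 or later is on PATH; the directory and domain passed in are placeholders.

```shell
#!/bin/sh
# Added example (not the original page's code). Assumes openssl >= 1.1.1.
set -eu

# make_selfsigned DIR DOMAIN [DAYS]
# Creates DIR/wildcard.key, DIR/wildcard.cert and DIR/wildcard.pem in one step,
# with the key never existing world-readable (umask instead of a later chmod).
make_selfsigned() {
    dir=$1; domain=$2; days=${3:-3650}
    mkdir -p "$dir"
    umask 077
    openssl req -new -x509 -nodes -sha256 -days "$days" \
        -newkey rsa:2048 -keyout "$dir/wildcard.key" -out "$dir/wildcard.cert" \
        -subj "/CN=*.$domain" \
        -addext "subjectAltName=DNS:*.$domain,DNS:$domain" 2>/dev/null
    cat "$dir/wildcard.cert" "$dir/wildcard.key" > "$dir/wildcard.pem"
    chmod 400 "$dir/wildcard.key" "$dir/wildcard.pem"
    openssl x509 -noout -fingerprint -text < "$dir/wildcard.cert" > "$dir/wildcard.info"
}

# check_selfsigned DIR DOMAIN
# Returns 0 only when the private key matches the certificate, the signature
# algorithm is not SHA-1, the SAN lists the wildcard, and the cert is not
# about to expire. Prints the first problem found otherwise.
check_selfsigned() {
    dir=$1; domain=$2
    # Compare the SubjectPublicKeyInfo derived from the key and from the cert.
    keyhash=$(openssl pkey -in "$dir/wildcard.key" -pubout 2>/dev/null | openssl sha256)
    certhash=$(openssl x509 -in "$dir/wildcard.cert" -noout -pubkey | openssl sha256)
    [ "$keyhash" = "$certhash" ] || { echo "key does not match certificate"; return 1; }
    text=$(openssl x509 -in "$dir/wildcard.cert" -noout -text)
    case "$text" in *sha1With*) echo "certificate is SHA-1 signed"; return 1;; esac
    case "$text" in *"DNS:*.$domain"*) ;; *) echo "SAN lacks *.$domain"; return 1;; esac
    openssl x509 -in "$dir/wildcard.cert" -noout -checkend 86400 >/dev/null \
        || { echo "certificate expires within 24 hours"; return 1; }
    return 0
}
```

Run it as root for /etc/apache2/ssl, e.g. `make_selfsigned /etc/apache2/ssl yourdomain.local && check_selfsigned /etc/apache2/ssl yourdomain.local`.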

Reconfiguring Apache to use the certificates

Now duplicate the Apache configuration file that you would want to use with SSL - I like to suffix such files with ".ssl.conf". Edit the file, and surround the existing 'VirtualHost' element with an 'IfModule' element, e.g.

<IfModule mod_ssl.c>
        <VirtualHost>
        ...
        </VirtualHost>
</IfModule>

Next, modify the 'VirtualHost' start tag so that the port it is attached to is '443'.

<VirtualHost _default_:443>

Then add the following SSL-related lines inside the 'VirtualHost' element.

SSLEngine on
SSLCertificateFile    /etc/apache2/ssl/wildcard.pem
SSLCertificateKeyFile /etc/apache2/ssl/wildcard.key