SSL (Secure Sockets Layer)
Creating self-signed certificates
Due to the increasing limitations imposed on what browsers can do when sites are not protected by SSL, it is becoming necessary to create self-signed SSL certificates for use with internal, or testing, servers.
The following instructions describe how to create self-signed certificates for Apache2, and how to modify an Apache configuration file to use them.
Generally, due to the directories involved, the following will need to be done as the 'root' account.
Generating the self-signed certificate
First create and change to an 'ssl' directory that will store the certificates.
mkdir -p /etc/apache2/ssl
cd /etc/apache2/ssl
Then use the 'openssl' command line tool to generate a private key ('wildcard.key') and a self-signed certificate ('wildcard.cert'), and to write a human-readable dump of the certificate ('wildcard.info'); the pem file is assembled in the next step.
openssl genrsa 2048 > wildcard.key
openssl req -new -x509 -nodes -sha1 -days 3650 -key wildcard.key > wildcard.cert
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:*.{your domain}.local
Email Address []:
openssl x509 -noout -fingerprint -text < wildcard.cert > wildcard.info
Finally, the certificate and private key are concatenated to form a pem file; then the pem file is made readable by only the 'root' account.
cat wildcard.cert wildcard.key > wildcard.pem
chmod 400 wildcard.key wildcard.pem
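The same generation steps as a script, added here as an example and not part of the original page. It differs from the commands above in two ways that current browsers insist on: the certificate is signed with SHA-256 rather than SHA-1, and the wildcard name is placed in a subjectAltName extension rather than only in the CN (browsers ignore the CN). The domain 'example.internal', the output directory argument and the 825-day validity (the limit Apple platforms enforce on server certificates) are assumptions; '-addext' needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original page. Generates a self-signed wildcard
# certificate for Apache in one openssl call, then assembles the pem file and
# locks down permissions exactly as the page's manual steps do.
make_selfsigned() {
    dir="$1"           # output directory, e.g. /etc/apache2/ssl (caller-supplied)
    domain="$2"        # e.g. example.internal -> certificate for *.example.internal
    days="${3:-825}"   # assumed default; Apple platforms reject longer validity
    mkdir -p "$dir" || return 1
    # 2048-bit RSA key, SHA-256 signature, SAN with the wildcard and the apex name.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -keyout "$dir/wildcard.key" -out "$dir/wildcard.cert" \
        -subj "/CN=*.$domain" \
        -addext "subjectAltName=DNS:*.$domain,DNS:$domain" >/dev/null 2>&1 || return 1
    # Human-readable dump (fingerprint plus full text), as on the page.
    openssl x509 -noout -fingerprint -sha256 -text -in "$dir/wildcard.cert" \
        > "$dir/wildcard.info" || return 1
    cat "$dir/wildcard.cert" "$dir/wildcard.key" > "$dir/wildcard.pem" || return 1
    chmod 400 "$dir/wildcard.key" "$dir/wildcard.pem"
}

# Checks worth running before pointing Apache at the files: the key belongs to
# the certificate, the SAN carries the wildcard, the cert is self-issued and
# has not already expired.
check_selfsigned() {
    dir="$1"; domain="$2"
    k=$(openssl rsa  -noout -modulus -in "$dir/wildcard.key"  2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$dir/wildcard.cert" 2>/dev/null)
    case "$k" in Modulus=*) ;; *) return 1 ;; esac
    [ "$k" = "$c" ] || return 1
    openssl x509 -noout -ext subjectAltName -in "$dir/wildcard.cert" 2>/dev/null \
        | grep -q "DNS:\*\.$domain" || return 1
    subj=$(openssl x509 -noout -subject -in "$dir/wildcard.cert" | sed 's/^subject=//')
    iss=$(openssl x509 -noout -issuer  -in "$dir/wildcard.cert" | sed 's/^issuer=//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ] || return 1
    openssl x509 -noout -checkend 0 -in "$dir/wildcard.cert" >/dev/null 2>&1
}
```

Run as root with `make_selfsigned /etc/apache2/ssl example.internal && check_selfsigned /etc/apache2/ssl example.internal` to reproduce the page's layout under /etc/apache2/ssl.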
Reconfiguring Apache to use the certificates
Now duplicate the Apache configuration file that you would want to use with SSL - I like to suffix such files with ".ssl.conf". Edit the file, and surround the existing 'VirtualHost' element with an 'IfModule' element, e.g.
<IfModule mod_ssl.c>
    <VirtualHost>
        ...
    </VirtualHost>
</IfModule>
Next, modify the 'VirtualHost' start tag so that the port it is attached to is '443'.
<VirtualHost _default_:443>
Then add the following SSL related lines.
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/wildcard.pem
SSLCertificateKeyFile /etc/apache2/ssl/wildcard.key