Seventy-five percent of the servers I have been working on over the last few months have been Linux, mostly Ubuntu. This is because my company has allowed me to start migrating over and building new servers on this platform. With that, we need secure ways to access the servers. On occasion I’ll use Webmin, but mostly just SSH and whatever website is running on the box (management, applications, etc.). Webmin takes care of itself with a self-signed certificate and SSH creates its own keys, so those are easy. The website running on the box, however, is out of the gate unencrypted TCP/80 traffic served by an Apache 2 web server. This short tutorial covers how to create a CSR with OpenSSL for use when getting a certificate from one of the CAs. I won’t explain everything here, but you may use Ubuntu’s https-help guide if you need more info.
First, let’s make sure we have the right packages installed.
apt-get install openssl apache2 apache2.2-common php5
Now let’s enable SSL for apache2.
sudo a2enmod ssl
Now let’s create the server SSL key.
cd /etc/ssl/private
openssl genrsa -des3 -out dns.server.com.key 1024
Ok, now that we have the key, let’s create the CSR to be given to the CA.
openssl req -new -key dns.server.com.key -out dns.server.com.csr
It will prompt you for the passphrase and some other bits of information. The most important one is the Common Name, the site name: it must match the name of your server. Something like mail.domain.com or www.domain.com would be appropriate here.
The CSR can now be uploaded to whatever CA you choose. I use GoDaddy because they are so cheap.
If you do not want to purchase a certificate, you can create your own self-signed cert with the following command.
openssl x509 -req -days 365 -in dns.server.com.csr -signkey dns.server.com.key -out dns.server.com.crt
cp /etc/ssl/private/dns.server.com.crt /etc/ssl/certs
Now that we have the cert created, let’s configure Apache to use it. Add the following 3 lines to your website configuration. The default one is located in /etc/apache2/sites-available/default.
SSLEngine on
SSLCertificateFile /etc/ssl/certs/dns.server.com.crt
SSLCertificateKeyFile /etc/ssl/private/dns.server.com.key
Save that config file and enable Apache to listen on 443 for HTTPS traffic by adding the following line to /etc/apache2/ports.conf.
Listen 443
Restart your Apache2 process and you should have a fully functional SSL-enabled website.
/etc/init.d/apache2 force-reload && /etc/init.d/apache2 restart
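The key, CSR and self-signed certificate steps above, scripted non-interactively as an added example (this is not code from the original post). It writes into a scratch directory instead of /etc/ssl so it can be run unprivileged, assumes the openssl CLI is installed, uses the post's placeholder hostname dns.server.com and a constructed subject, and finishes with two checks a practitioner wants before touching Apache: the CSR's Common Name is the intended hostname, and the certificate's public key really belongs to the private key.

```shell
#!/bin/sh
# Added example: key -> CSR -> self-signed cert, non-interactive.
# Assumes the openssl CLI; writes to a scratch dir, not /etc/ssl.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="dns.server.com"   # placeholder hostname from the post

# Generate key, CSR and self-signed cert for $1 in directory $2.
# The key is left unencrypted (no -des3) so Apache can start without a
# passphrase prompt; protect it with filesystem permissions instead.
make_cert() {
  host="$1"; dir="$2"
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  # -subj answers the interactive prompts; CN must be the server name.
  openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
    -subj "/C=US/ST=State/L=City/O=Example Org/CN=$host"
  openssl x509 -req -days 365 -in "$dir/$host.csr" \
    -signkey "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
  chmod 600 "$dir/$host.key"
}

# Print the Common Name in a CSR (works with old "/CN=" and new "CN = " output).
csr_cn() {
  openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeed only when the cert's public key has the same modulus as the private key.
key_matches_cert() {
  k=$(openssl rsa -in "$1" -noout -modulus | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -modulus | openssl sha256)
  [ "$k" = "$c" ]
}

make_cert "$HOST" "$WORKDIR"
echo "CSR CN: $(csr_cn "$WORKDIR/$HOST.csr")"
key_matches_cert "$WORKDIR/$HOST.key" "$WORKDIR/$HOST.crt" && echo "key and cert match"
```

The resulting .crt and .key are what SSLCertificateFile and SSLCertificateKeyFile point at; with a CA-issued certificate you send only the .csr and keep the .key on the server.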