Adding an SSL certificate to Apache

By Tony, February 8, 2013

This article is about replacing an existing self-signed SSL certificate.

In my case I have an Apache 2.2 server running on Fedora 14, pretty much default settings for a lot of stuff. My SSL certificate expired and I just needed to update it.

In my case I have the “ssl.conf” in:

/etc/httpd/conf.d/ssl.conf

Steps

1. Log in to a terminal/SSH session on the box
2. Stop Apache, in my case using the “/etc/init.d/httpd” init script. This is not strictly necessary but probably a good idea.
3. Move to the directory where you will keep the SSL certificates and keys. Mine are in the same directory as my “ssl.conf” file:

cd /etc/httpd/conf.d
4. If you don’t have a key or want to recreate one run something similar to:

openssl genrsa -des3 -out zoyinc.com.key 1024
  • In this case the key name is obviously “zoyinc.com.key”.
  • You will be asked for a “passphrase”, which is like a password to the key, so give it a passphrase and note down what it is.
  • You should find a key file called “zoyinc.com.key” created in the same directory.
5. Apache needs a key without a passphrase, otherwise it won’t start and instead waits for you to enter the passphrase; at least that’s my recollection. I imagine there is a way around it, but I just remove the passphrase – not something I would do in a production environment, but for home I am happy. To create a key without a passphrase run:

openssl rsa -in zoyinc.com.key -out zoyinc.com.nopassphrase.key
rm zoyinc.com.key
mv zoyinc.com.nopassphrase.key zoyinc.com.key

You will of course be prompted for the key’s passphrase.

6. Now to generate a certificate. Run something similar to:

openssl req -new -key zoyinc.com.key -x509 -days 1095 -out zoyinc.com.crt
  • Obviously the key needs to match the key you created earlier or a pre-existing one.
  • The “-days 1095” is how long the certificate should last before expiring. It is important to note the default is only one month. In this case I have set it for 1095 days which is 3 years.

You will be prompted for various details for the certificate:

  1. Country Name – This is a two letter country code, in my case NZ
  2. State or Province Name – Optional
  3. Locality Name – Optional but usually city name
  4. Organization Name – Typically company name
  5. Organizational Unit Name – department within company, I put “Support”
  6. Common Name – This is important and is the name of your site, say “www.zoyinc.com”
  7. Email Address – Email address for people to contact you. This is public info so you may want to be careful what address you use.

A thing that doesn’t seem to get much press is that the “Common Name” can include a wild card. So I have used “*.zoyinc.com” so it will be considered valid for “www.zoyinc.com” and “dev.zoyinc.com”.

7. Restart Apache

Obviously you may need to update your “ssl.conf” file if you change the name of the key or certificate.
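Before the restart in step 7 it is worth confirming that the key no longer has a passphrase, that the certificate was generated from that key, that it is not about to expire, and that the unencrypted key is not readable by other users. The shell function below is an added example, not part of the original article; the name check_pair, its return codes and the 30-day threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): checks to run on the key and
# certificate from steps 4-6 before restarting Apache in step 7.

# SHA-256 of a DER public key read from stdin; the hash is the last field.
spki_hash() { openssl dgst -sha256 | awk '{print $NF}'; }

# check_pair KEY CRT -> 0 ok, 1 unreadable/encrypted, 2 mismatch,
#                       3 expires within 30 days, 4 key readable by others
check_pair() {
    key=$1; crt=$2

    # Step 5: an empty -passin makes openssl fail instead of prompting, so a
    # key that still has its passphrase is reported rather than hanging here.
    if ! openssl pkey -in "$key" -passin pass: -noout 2>/dev/null; then
        echo "FAIL: $key is unreadable or still passphrase-protected"; return 1
    fi
    if ! openssl x509 -in "$crt" -noout 2>/dev/null; then
        echo "FAIL: $crt is not a readable certificate"; return 1
    fi

    # Step 6: the certificate must contain the public half of this key.
    k=$(openssl pkey -in "$key" -passin pass: -pubout -outform DER | spki_hash)
    c=$(openssl x509 -in "$crt" -noout -pubkey |
        openssl pkey -pubin -outform DER | spki_hash)
    if [ "$k" != "$c" ]; then
        echo "FAIL: $crt was not issued for $key"; return 2
    fi

    # -checkend exits non-zero if the certificate expires within N seconds;
    # this catches a forgotten -days (the default lifetime is one month).
    if ! openssl x509 -in "$crt" -noout -checkend $((30 * 86400)) >/dev/null; then
        echo "FAIL: $crt expires within 30 days"; return 3
    fi

    # The key is now unencrypted on disk, so group/other must have no access.
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is accessible to group/other (chmod 600 it)"; return 4
    fi
    echo "OK: $key and $crt match, certificate valid for more than 30 days"
}

# Run directly: sh check_pair.sh zoyinc.com.key zoyinc.com.crt
if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; fi
```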

 

This site is licensed under a Creative Commons Attribution 4.0 International License.