Setting up SSL certificates with Apache 2

Introduction

SSL certificates are not always easy to understand and implement. Nevertheless, I will try to make it clear. For those who wish to be signed by a free certification authority, I invite you to visit the CACert website.

Installation

Debian

Once again, it's quite simple here:

1

apt-get install openssl

Then you'll download a small program that will make your life easier:

1
2

cd ~/
mkdir ssl

Here is the file to download and put in your ssl folder.

Once done, decompress it:

1

tar -xzvf cert_manager.tar.gz

OpenBSD

For OpenBSD, nothing special to install. Apache is provided as standard with the SSL module.

Configuration

Debian

Let's go to the decompressed folder:

1

cd CERT_MANAGER

If you want to change the number of days for the validity of your certificate, edit the ca_openssl.cnf file and modify line 39:

1

default_days    = 365

Change 365 to what you want (3650 for 10 years for example).

Creating a certification authority

We will now create the certification authority for our local network. First, we initialize our certificate management environment:

1

./cert_manager.sh --init

This command creates the necessary folders and files for the proper functioning of our script and asks you the necessary questions for the configuration of your certification authority:

1
2
3
4
5
6
7

You will now be asked to give informations for your certificate authority.
Description du domaine [défaut : Domaine local]: Deimos
Code de votre pays [défaut : FR]:
Nom de votre région [défaut : Ile de France]:
Nom de votre ville [défaut : Paris]:
Nom de votre domaine [défaut : domain.local]: www.deimos.fr
Email de l'administrateur [défaut : root@domain.local]: root@deimos.fr

We then create our certification authority:

1

./cert_manager.sh --create-ca

You now have what you need to sign your own certificates.

Creating a server certificate for our local network

Now that you have a certification authority, we will create a certification request in order to obtain a certificate signed by our authority. For example, to create a certificate for our HTTPS server:

1

./cert_manager.sh --generate-csr=https

Note: https is used to generate the filename of the request. It is preferable that this value does not contain spaces or special characters.

You must then enter your certificate information:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

You will now be asked to give informations for your certificate authority.
Type de serveur [défault : HTTP server]: HTTPS server
Code de votre pays [défaut : FR]:
Nom de votre région [défaut : Ile de France]:
Nom de votre ville [défaut : Paris]:
Email de l'administrateur [défaut : root@deimos.fr]:
Nom de votre domaine [défaut : domain.local]: www.deimos.fr
Noms de domaines supplémentaires, un par ligne. Finissez par une ligne vide.
SubjectAltName: DNS:doc.deimos.fr
SubjectAltName: DNS:imp.deimos.fr
SubjectAltName: DNS:mail.deimos.fr
SubjectAltName: DNS:

Note: As you can see, this tool gives you the possibility to generate certificates valid for several domain names.

At the end of the procedure, the tool displays the created request because you can, if you wish, have this request signed by the CACert site.

If the certificate is intended for your local network, you can use your certification authority to sign it:

1

./cert_manager.sh --sign-csr=https

This command displays the information included in the certificate request and asks you if you agree to sign it:

1
2

Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

You now have 2 files that together form your certificate:

1
2

./CERTIFICATES/https_cert.pem
./PRIVATE_KEYS/https_key.pem

All you have to do now is copy these files and the public key of your certification authority to the appropriate place for your server configuration:

1

./CERTIFICATE_AUTHORITY/ca-cert.pem

Integration with Apache

For the Apache part, it's quite simple, just copy certain files:

1
2
3
4

mkdir -p /etc/apache2/ssl/
cp CERTIFICATE_AUTHORITY/ca-cert.pem /etc/apache2/ssl/deimos.fr.ca.crt
cp CERTIFICATES/https_cert.cert /etc/apache2/ssl/deimos.fr.crt
cp PRIVATE_KEYS/https_key.pem /etc/apache2/ssl/deimos.fr.key

Then put this in a VirtualHost in Apache (make a special SSL VirtualHost):

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18

<VirtualHost *:443>
        ServerAdmin xxx@mycompany.com
        ServerName fire.deimos.fr

        SSLEngine on
        SSLCACertificateFile /etc/apache2/ssl/deimos.fr.ca.crt
        SSLCertificateFile /etc/apache2/ssl/deimos.fr.crt
        SSLCertificateKeyFile /etc/apache2/ssl/deimos.fr.key

        DocumentRoot /var/www/

        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>

OpenBSD

To generate certificates, here's how to proceed:

1
2
3
4

cd /etc/ssl
openssl genrsa -out /etc/ssl/private/server.key 2048
openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr
openssl x509 -req -days 3650 -in /etc/ssl/private/server.csr -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt

Apache Configuration

Debian

To finish, add this to /etc/apache2/ports.conf:

1

Listen 443

All that remains is to enable the ssl mod for the configuration:

1

a2enmod ssl

We can now admire the result by restarting Apache2 :-)

1

/etc/init.d/apache2 restart

OpenBSD

Multi-VirtualHost SSL

Like everyone else, one day you tried to have VHosts in SSL, and the Apache people informed you that you can't. The problem is that you can only have one certificate because information like the Host is inside the request, and is not accessible to the layer that decides which certificate to use and handles the encryption.

There were some ugly tricks to avoid the warning in the browser, like putting a certificate for *.mydomainofdeath.biz but it's dead if you have several domains on the server.

So here's the solution that explains that even if the OpenSSL lib doesn't support the TLS extension that you need (SNI), on the GNU side it has been supported for 2 years. Here's the long-awaited documentation:

• Documentation on the implementation of multi-SSL with mod_gnutls
• Documentation on enabling multiple HTTPS Sites For one IP using TLS extensions

References

• SSL and Certificates Documentation
• https://www.traduc.org/docs/HOWTO/lecture/SSL-Certificates-HOWTO.html
• Documentation for OpenBSD