Most of you people probably run a webserver for example a webaccess server. Apache default uses a self-singed SSL certificate who is created during installation of Apache.
Disadvantage is that when people access you secure website they get a error that the certificate cannot be validated because of a untrusted Certificate Authority (CA). This does not mean the site isn’t secure, you know that, I know that, but for normal users it looks that you company doesn’t have a secure site.
In Internet Explorer 8 there is a new security feature who is enabled by default that for every new windows what is opened the user has to accept the certificate. This is really annoying with for example a webaccess where you open a Email in a new Window. By the way with Firefox you don’t have this problem after you ones accepted the certificate during a session.
So how can we solve this? Simple by getting a valid SSL certificate. So I looked how to implement a certificate provided from Godaddy.com.
I chose a so called “Standard (Turbo) SSL for 1 Year who costs around 27 dollars a year.
In this post I assumed you all ready have a working Apache with a self-signed SSL certificate who we are going to replace.
Step 1 is to create a certificate request from the webserver. Log in a root and give the command:
openssl genrsa -des3 -out server.key 2048
You are asked for a pass phrase. This is to encrypted this private certificate.
Step 2 is to create a request file who you are going to use to get a valid certificate. Give the command:
openssl req -new -key server.key -out server.csr
You are asked a couple of questions, make sure that where Common Name is asked you provide the FDN for your website.
#openssl req -new -key blog.wilmsenit.nl -out blog.wilmsenit.nl.csr
Enter pass phrase for blog.wilmsenit.nl:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:NB
Locality Name (eg, city) :Eindhoven
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WilmsenIT
Organizational Unit Name (eg, section) :IT Department
Common Name (eg, YOUR name) :blog.wilmsenit.nl
Email Address :firstname.lastname@example.org
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password :password
An optional company name :WilmsenIT
Now you have a so called .csr file who we are going to use for the request of our certificate.
Go to the Godaddy website a buy the certificate. When you have bought the certificate you can go to the SSL page and click on the certificate. Now you are asked for the the content of the csr file we created. Just do a cat of the file and copy paste the content into the screen. After this follow the instructions on the screen.
Now your request is pending. After a while (this can take 2 until 24 hours) a email will be sent to the administrator of the domain where we requested the SSL certificate for. You can check this on every WHOIS database. In this Email a validation link is provided. If you click on that link you accepted the request for the certificate.
After validation you can download the certificate file. When doing so, you are asked where you want to use this certificate. In our case Apache.
In the zip file we have downloaded are to files:
Copy these files to /etc/apache2/ssl.crt
We also have to copy the server.key file we created earlier to /etc/apache2/ssl.key
Now we have to adjust the vhost-ssl.conf file in /etc/apache2/vhost.d for using these files.
Make sure the following lines look like:
- SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
- SSLCertificateChainFile /etc/apach2/ssl.crt/gd_bundle.crt
- SSLCertificateFile /etc/apache2/ssl.crt/server.crt
Save the file and restart your apache by /etc/init.d/apache2 restart
You are asked for the pass phrase we entered earlier in this section. This is because of security reasons. If you don’t want to provide this pass phrase do the following:
- Go to /etc/apache2/ssl.key directory
- save the original file: cp server.key server.key.org
- Give the command: openssl rsa -in server.key.org -out server.key
- restart your apache
Now you don’t have to provided the pass phrase any more.