# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout domain.key -out domain.crt # mv domain.* /etc/ssl/private
Modify or create the config file for the virtual host in /etc/apache2/sites-available:
<VirtualHost *:443> DocumentRoot /var/www/website ServerName www.domain.com SSLEngine on SSLCertificateFile /home/user/ssl/domain.crt SSLCertificateKeyFile /home/user/ssl/domain.key # add the certificate chain file if using a class 3 certificate only SSLCertificateChainFile /home/user/ssl/chain.crt </VirtualHost>
Note that Windows 8 phones cannot establish SSL connections via Webdav through self-issued certificates.
CAcert is aimed at providing SSL certificates to the community with no or little charges. The following instruction is taken from Creating a Simple Apache Certificate
First of all go to the mod_ssl documentation for basic mod_ssl configuration. I will not go into mod_ssl, I'll just try to show you a way to get and install a CAcert certificate.
If you just want a certificate for a single site Apache server this is probably the simplest way to get a CAcert signed certificate. For the more complicated cases please have a look at ApacheServer and VhostsApache.
Once Apache is running with mod_ssl you'll have to register the domain component of your webserver (that is “example.org” for the server “www.example.org”) with your CAcert account. To do this go to CAcert homepage, log in, click “Domains → Add” and follow the instructions there. If your Domain is shown as “verified” on “Domains → Show” you can continue and generate a certificate for your server.
Generate a certificate signing request (CSR) using the following commands:
openssl genrsa -out domain.key 4096 openssl req -new -key domain.key -out domain.csr
While openssl script is running, fill the questions with appropiate answers
|| '''OpenSSL question''' || '''Sample Answer''' || '''Remarks''' || || Country Name (2 letter code) [DE]: || AU ||<#ff8080> will be stripped later || || State or Province Name (full name) [Some-State]: || NSW, AU ||<#ff8080> will be stripped later || || Locality Name (eg, city) []: || Sydney ||<#ff8080> will be stripped later || || Organization Name (eg, company) [Internet Widgits Pty Ltd]: || @home ||<#ff8080> will be stripped later || || Organizational Unit Name (eg, section) []: || ||<#ff8080> will be stripped later || || Common Name (e.g. server FQDN or YOUR name) []: || testserver3.mydomain.tld ||<#00FF00> will be extracted and checked later || || Email Address []: || mycacertaccount.primary.email ||<#00FF00> will be extracted and checked later || ||<-3> Please enter the following 'extra' attributes || ||<-3> to be sent with your certificate request || || A challenge password []: || || || || An optional company name []: || || ||
Go to CACert, log in, and select “Server certificates → New”. If a Class 3 certificate is available for you I'd advise you to select a Class 3 certificate, which is a more secure subset of the Class 1 certificate.
Use Copy/Paste to input your CSR (the content of 'domain.csr
' in the above example) into the big editor box. Be sure to include the header and footer lines and check that after the paste operation the request has not been truncated.
Click on “Send” and your certificate will be generated. That is, if you did not make a mistake. If you made one, read the error message, try to understand what it wants to say to you and try again while skipping the mistake. ;)
Use Copy/Paste with your favourite editor to save the certificate to a file (let's call the file domain.crt).
Move the private key and the certificate to a convenient location, for example directory ssl in your home.
If using a Class 3 certificate as proposed you'll need the certificate chain file. This is just the Class 3 root certificate and the Class 1 root certificate in PEM format concatenated. Do it yourself or download it here.
Store the certificate chain file in the ssl directory and let's call it cacert.chain for future reference.
Now all that remains to be done is to correctly configure Apache's mod_ssl. To use the certificate set the following directives in your SSL-configuration:
Modify or create the config file for the virtual host in /etc/apache2/sites-available:
<VirtualHost *:443> DocumentRoot /var/www/website ServerName www.domain.com SSLEngine on SSLCertificateFile /home/user/ssl/domain.crt SSLCertificateKeyFile /home/user/ssl/domain.key # add the certificate chain file if using a class 3 certificate only #SSLCertificateChainFile /home/user/ssl/chain.crt </VirtualHost>
This is it. Restart your Apache and see if it works! Click the SSL Certificate Checker to check whether the certificate is properly installed.
To renew the certificate of an existing Apache configuration, you need to renew the certificate through the CAcert web interface, and then replace the existing certificate (in this example, `/home/user/ssl/domain.crt`) with the new certificate provided.
Go to Comodo and follow the instructions to issue a free certificate which is valid for 3 months. The steps are equivalent to the guide below to install a PositiveSSL certificate.
openssl genrsa -out domain.key 2048 openssl req -new -key domain.key -out domain.csr
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > chain.crt
<VirtualHost *:443> DocumentRoot /var/www/website ServerName www.domain.com SSLEngine on SSLCertificateFile /home/user/ssl/domain.crt SSLCertificateKeyFile /home/user/ssl/domain.key SSLCertificateChainFile /home/user/ssl/chain.crt </VirtualHost>
Make sure to issue the following command to activate mod_ssl for apache:
# a2enmod ssl