TurnKey Linux Virtual Appliance Library

Self signed and trusted SSL certificates

Keeping it simple, HTTPS is a combination of the HTTP and SSL/TLS protocols, which provides encryption while authenticating the server. The main idea is to create a secure channel over an insecure network, ensuring "reasonable" protection from eavesdroppers and man-in-the-middle attacks.

HTTPS assumes that special CA (Certificate Authority) certificates are pre-installed in web browsers. If your SSL certificate is not signed by one of these CAs, the browser will display a warning.

TurnKey appliances generate self signed certificates on first boot to provide an encrypted traffic channel, but because the certificates are not signed by a trusted CA, the warning is displayed. In most cases, this is acceptable. If it's not, go get a signed certificate.

Authoritatively signed certificates

Cost

Authoritatively signed certificates can be costly; for example, Verisign (the best-known CA) charges $1,499 per year for its recommended certificate. There are cheap alternatives (I recently purchased a certificate from Go Daddy for $12.99) as well as a couple of free providers.

Generate key and CSR

First up is to create a certificate key and a certificate signing request (CSR). This can be done with OpenSSL.

apt-get update
apt-get install openssl

# replace the subject fields (C, ST, L, O, CN) with your own details
openssl req -new -newkey rsa:2048 -nodes -out www_example_com.csr -keyout www_example_com.key -subj "/C=US/ST=Arizona/L=Scottsdale/O=Example Company Inc./CN=www.example.com"

Submit the CSR

The above will generate two files, www_example_com.key and www_example_com.csr.

Once you have signed up for an authoritatively signed certificate, you will be requested to upload the CSR file or its contents.

Verify the request

The signing authority needs to verify that the request is valid and that it was submitted by the entity to which the domain in the request is registered; this is usually done by contacting the administrative contact for the domain.

Further steps may be required when requesting an Extended Validation (EV) certificate, which colors the address bar green in recent browsers.

Download signed certificate

After validation, your signed certificate (crt) will be available for download. Most likely your signing authority will include an intermediate CA certificate bundle (trust chain).

Note: you should make a backup of all SSL related files.

Generate PEM and placement

Generate the pem from the key and crt:

cat www_example_com.key www_example_com.crt > cert.pem

Place the generated pem and intermediate bundle (e.g. bundle.crt) in /etc/ssl/certs/, and make them readable only by root.

chown root:root *.pem *.crt
chmod 400 *.pem *.crt

Update configuration, enable SSL and reload webserver

Apache configuration

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/cert.pem
    SSLCertificateChainFile /etc/ssl/certs/bundle.crt
</VirtualHost>

a2enmod ssl
/etc/init.d/apache2 force-reload


Lighttpd configuration

/etc/lighttpd/conf-available/10-ssl.conf
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/ssl/certs/cert.pem"
    ssl.ca-file = "/etc/ssl/certs/bundle.crt"
}

lighty-enable-mod ssl
/etc/init.d/lighttpd force-reload
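The whole procedure above, from key and CSR through to the files the web server reads, as an added example that is not part of the original post or of TurnKey's own tooling. The script generates the key and CSR with the post's own subject string, stands in for the signing authority with a constructed throwaway root and intermediate CA (so it runs offline; a real CA returns the .crt and bundle instead), assembles cert.pem the way the post's cat command does, and then runs the checks worth doing before force-reload: the file parses as PEM (the cause of the "ASN1_CHECK_TLEN:wrong tag" startup error that appears in the comments below), the private key matches the certificate, the chain verifies through the intermediate bundle (the missing-intermediate case behind "not trusted" reports from mobile and mail clients), and the certificate is not about to expire. The work directory, file names and test-CA subjects are assumptions.

```shell
#!/bin/sh
# Added example, not code from the TurnKey post. Generates a key and CSR the way the
# post does, stands in for the CA with a constructed throwaway root + intermediate so
# it runs offline, builds cert.pem the way the post does, and then runs the checks
# worth doing before the web server is reloaded. WORKDIR, file names and the test-CA
# subjects are assumptions; the subject string is the one from the post.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SUBJ="/C=US/ST=Arizona/L=Scottsdale/O=Example Company Inc./CN=www.example.com"
KEY="$WORKDIR/www_example_com.key"
CSR="$WORKDIR/www_example_com.csr"
CRT="$WORKDIR/www_example_com.crt"    # what a real CA hands back after validation
BUNDLE="$WORKDIR/bundle.crt"          # intermediate CA cert(s), also handed back by the CA
PEM="$WORKDIR/cert.pem"               # key + crt, as the post's cat command builds it
ROOT="$WORKDIR/root.crt"              # constructed stand-in for a root in the browser trust store

# Step 1 (as in the post): private key and CSR. -nodes leaves the key unencrypted so the
# web server can start without a passphrase prompt; file permissions protect it instead.
# Prints the CN the CSR really carries, so a typo in -subj shows up before the CA is paid.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$SUBJ" \
        -keyout "$KEY" -out "$CSR" >/dev/null 2>&1
    openssl req -in "$CSR" -noout -subject | sed 's/.*CN *= *//'
}

# Step 2 (constructed stand-in for the signing authority): a throwaway root signs a
# throwaway intermediate, which signs the CSR. Only the resulting .crt and bundle are
# used afterwards, exactly as if they had been downloaded from a real CA.
issue_with_test_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORKDIR/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > "$WORKDIR/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Test Root" \
        -keyout "$WORKDIR/root.key" -out "$WORKDIR/root.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORKDIR/root.csr" -signkey "$WORKDIR/root.key" -days 2 \
        -extfile "$WORKDIR/ca.ext" -out "$ROOT" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Test Intermediate" \
        -keyout "$WORKDIR/inter.key" -out "$WORKDIR/inter.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORKDIR/inter.csr" -CA "$ROOT" -CAkey "$WORKDIR/root.key" \
        -set_serial 1 -days 2 -extfile "$WORKDIR/ca.ext" -out "$BUNDLE" >/dev/null 2>&1
    openssl x509 -req -in "$CSR" -CA "$BUNDLE" -CAkey "$WORKDIR/inter.key" \
        -set_serial 2 -days 2 -extfile "$WORKDIR/server.ext" -out "$CRT" >/dev/null 2>&1
    # Step 3 (as in the post): key and signed cert concatenated into the pem the server reads.
    cat "$KEY" "$CRT" > "$PEM"
}

# Step 4: pre-reload checks. Each takes file paths so it can be pointed at /etc/ssl/certs later.

# Apache's "ASN1_CHECK_TLEN:wrong tag" at startup means the file is not parseable PEM
# (DER, PKCS#7 or a pasted fragment). Parse the same file the server will be given.
pem_is_readable() { openssl x509 -in "$1" -noout >/dev/null 2>&1; }

# A key that does not belong to the certificate also stops the server from starting.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Walk the chain as a client would: server cert -> untrusted intermediates -> trusted root.
# Failing here with the real bundle is the "not trusted" that clients lacking the
# intermediate report; on a live system pass /etc/ssl/certs/ca-certificates.crt as the root file.
chain_is_complete() { openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1; }

# Refuse a certificate that expires within $2 seconds.
not_expiring_within() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; }

preflight() {
    pem_is_readable "$PEM" && key_matches_cert "$KEY" "$CRT" \
        && chain_is_complete "$CRT" "$BUNDLE" "$ROOT" && not_expiring_within "$CRT" 86400
}

run_all() {
    cn=$(make_csr)
    issue_with_test_ca
    if preflight; then
        echo "CN=$cn: pem parses, key matches cert, chain verifies; safe to force-reload"
    else
        echo "preflight FAILED: do not reload the web server" >&2
        return 1
    fi
}

run_all
```

On a real appliance only step 1 and step 4 are yours to run: the CA replaces step 2, and after copying the files into /etc/ssl/certs/ with the chmod 400 from the post, the four checks are run against those paths (with the system CA bundle as the root file) before the force-reload.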


Do you use an authoritatively signed certificate? Is self-signed sufficient? Leave a comment!


Comments

StartSSL free certs

If you are using an SSL certificate for testing, http://www.startssl.org/ offers free certificates that are authoritatively signed. You have to pay for certs that you use for e-commerce and secure transactions, but for testing, their free certs work very well.

http://UnmeteredVPS.net/tkl
Try our TurnKey Linux appliance hosting FREE!

Comment by Alon Swartz:

Free certificate for open source projects

Thanks for the link Neil, I'm sure people will find it useful. I noticed that Go Daddy also offers a free one-year Standard SSL Certificate to open source projects. I wonder what happens when your year is up?

I assume the GoDaddy cert

I assume the GoDaddy cert will expire in 1 year and you have to pay for renewal or get a different cert.

I have used the StartSsl certs for non open-source projects so that is an advantage there.


need opensource CA

In case I don't want to pay any third party for a CA, what can I do then?

Comment by Jeremy:

Wikipedia has a couple of suggestions

Here, but I haven't tested any of them. If you try some, feedback may be useful for others.

Also Google turned up an old Slashdot story with a couple of ideas, although they may be out of date (and aren't actually open source).

Update configuration, enable SSL and reload webserver

I'm not clear on how to update the Apache configuration file. Which file do I edit, and how do I edit it? I'm assuming that I would need to modify the /etc/apache2/sites-available/default file; is that right? If so, then how/what do I replace in the file.

Thanks

Problem with virtual host and ssl certificate

Hello people,

Can anyone help with configuring an SSL certificate for a virtual host? I made all the configuration following those instructions and my virtual host keeps providing me the self-signed certificate from TurnKey, even if I configure a dedicated IP address for the site. Any ideas?

I'll be very glad if someone can help me :)

Regards

Ariel

Comment by Alon Swartz:

Did you restart the webserver?

Try restarting the webserver so changes take effect.

Which config file?

If I already have a site up and running using the Turnkey LAMP stack, which Apache config file should I be editing?

If I edit the default one won't those changes only show on new virtual hosts not existing ones?

Comment by L. Arnold:

My 2 Step and 2 Bits on SSL Certs

To answer your question at the end:  Do you use an authoritatively signed certificate? Is self-signed sufficient?

I tend to use the SSL generated certs for Webmin, WebShell and phpMyAdmin. If I need SSL for a public site I have been finding $10 certs recently on Comodo and getting irritated when they try to renew for $50. I think I found a good alternative that seems more long term in its price offering just now at:

www.namecheap.com

They have good pricing on Domain Registrations as well though I like Tucows for that.

1 and 2 year SSL certs for less than $10 a year (even 3 years if you want to avoid the hassle).

That was the Hard Work.  The next part was just refresh/repeat from previous cert installs.

Run the process outlined in the great blog post above to generate the CSR (Certificate Signing Request). For me this is easiest in Webmin because I can copy-paste then edit before submitting. Look in your root directory to find it, then move it with the certs you are generating to /etc/ssl/private (or a folder of your choice).

Generally you need to take 2 certs (the primary cert and the intermediate cert) and copy them into new files:

In Apache, go to Edit Directives under your 443 port. The following is my general format calling out .cert (or .crt), .key and intermediate.cert:

SSLEngine on
SSLCertificateFile /etc/ssl/private/www_myweb_net.cert
ServerAdmin webmaster@localhost
DocumentRoot /var/www/TURNKEYAPPFOLDER/
SSLCertificateKeyFile /etc/ssl/private/www_myweb_net.key
SSLCACertificateFile /etc/ssl/private/www_myweb_inter_ca.cert

ServerName www.myweb.net

In fact I am here posting because I needed to get the script again to generate a CSR and it was about as easy an SSL install as I have done... Templates are the key... and avoid Comodo's bait and switch. GeoTrust seems, to me anyway, the more reputable SSL provider.

Can't start apache after trying to use startssl cert

Hello, I have been trying to get a startssl.com free cert to work, but I am running into this error after trying to follow the steps outlined in the blog, and the comment by Mr Arnold.

[Fri Jan 13 23:30:47 2012] [error] Init: Unable to read server certificate from file /etc/ssl/certs/certfile.pem
[Fri Jan 13 23:30:47 2012] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Jan 13 23:30:47 2012] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

Any idea what could be causing this? I have tried loading the cert on my Windows 7 machine, and it seems to be working nicely there.

Using Startcom SSL free cert working nicely!

The problem in my above post was that the generated .pem file was not the correct one to use, rather one should use the .crt file itself.

Startcom had just the info needed on their site:
http://www.startssl.com/?app=21

SSL directives:

   SSLEngine on
   SSLProtocol all -SSLv2
   SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

   SSLCertificateFile /usr/local/apache/conf/ssl.crt
   SSLCertificateKeyFile /usr/local/apache/conf/ssl.key
   SSLCertificateChainFile /usr/local/apache/conf/sub.class1.server.ca.pem
   SSLCACertificateFile /usr/local/apache/conf/ca.pem
   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

I also found the next solution I needed on their blog: that there is no real use in having a passphrase on the key file, so it should be decrypted.
https://forum.startcom.org/viewtopic.php?f=15&t=148

Now it works as it should, thanks!

Comment by Jeremy:

Thanks for posting back with your info

I'm sure others will find your discovery useful.

What is the most affordable SSL certificate option?

I think the cheapest out there is StartSSL which gives you the first year free and charges you A LOT in the 2nd year...

Godaddy is reasonable but has bad customer service and is a hassle to install.

I would recommend SSL.com certificate because of their customer service and affordable rates.  Go for the FREE 90 days trial first and test them out.  Then, get their cheapest certificate (DV) every year.  Worth it, especially when you go through the process of actually installing the certificate.

Free SSL Certificate

Hi,

StartSSL.com is not working for my website www.comingsoonlive.com, what to do?

Can anyone help me out with how to configure it.

Waiting for your reply???

Free SSL Certificate

I got my free SSL certificate from rapidsslonline.com and it was too easy to configure!

self signed ssl certificate warning - not going

Hi all,

Can anyone please help me with the configuration of an SSL certificate loaded on a virtual server.

I made the below configurations, however the virtual server keeps on providing the self-signed certificate warning from TurnKey.

Would appreciate it if some Linux expert(s) can help me with this on priority. Thanks in advance...

Lighttpd configuration

/etc/lighttpd/conf-available/10-ssl.conf
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/ssl/certs/cert.pem"
    ssl.ca-file = "/etc/ssl/certs/bundle.crt"
}

lighty-enable-mod ssl
/etc/init.d/lighttpd force-reload

JN

Moved to paid SSL

After trying StartSSL and Comodo's Free SSL certificate for 3 months I finally bought a GeoTrust RapidSSL cert for my little mailserver ( got it for EUR 8.76 at http://www.sslpoint.com ).

The only part I did forget was to install the intermediate certificate - and so got an error message in Thunderbird. After adding the following line in Postfix the problem was solved and now the SSL certificate is working smoothly (even on my Samsung Android mail app):

smtpd_tls_CAfile = /etc/ssl/certs/ca_rapidssl.crt

How do I configure this for Port 12321 or some other port?

I purchased a UCC certificate and have it running on three domains on a LAMP server on port 443. That part works fine. One of the server names corresponds to the Webmin installation I have on the machine. How do I configure port 12321 (or 8080 in my case, I changed it) to use the SSL certificate? I tried adding:

<VirtualHost *:8080>
    ServerName manager.mydomain.com
    DocumentRoot /var/www/
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/cert.pem
    SSLCertificateChainFile /etc/ssl/certs/gd_bundle.crt
</VirtualHost>

to a site-available .conf file, but I still get the scary error message.  Any suggestions?

Self Signed Certificate

Dear Team,

Can I create a self-signed certificate without a 3rd party CA? Because I made a self-signed certificate, but when I open the website it says crossed https://

If yes, please suggest.

If no, please suggest the way forward.

Regards

Sapna Singh

Certificate error

I am trying to install a Godaddy cert and I am having issues with mobile browsers reporting the certificate is not trusted. I believe this is due to the Intermediate certificate.  I make most of the changes through the webmin interface. For Virtual Host on port 443 I have SSL on with the cert and certificate authorities file fields filled in with paths to the files - cert.pem and bundle.crt. When I apply/stop/start apache these directives are updated in the global config.

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/cert.pem
    SSLCertificateChainFile /etc/ssl/certs/bundle.crt
    SSLCACertificateFile /etc/ssl/certs/bundle.crt
</VirtualHost>

I am still receiving the error on some mobile browsers. What am I doing wrong?

Thank You

Apache won't start, help

I am getting the following messages after I paste my CRT and KEY in the Webmin > SSL Encryption > Upload Certificate ... Questions: What can I do to revert back to the default? I don't want to reinstall all the time.

  • I have done this on 3 fresh installs and after a reboot Apache will not restart
  • Is there a way to "reset" (aka back to normal) so that it can just use the default certificates
  • Is Webmin the problem? Do I have to use the command line to edit Apache2 conf files?

[Fri May 16 13:19:33 2014] [error] Init: Unable to read server certificate from file /etc/ssl/certs/cert.pem
[Fri May 16 13:19:33 2014] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri May 16 13:19:33 2014] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Fri May 16 13:21:32 2014] [error] Init: Unable to read server certificate from file /etc/ssl/certs/cert.pem
[Fri May 16 13:21:32 2014] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri May 16 13:21:32 2014] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Fri May 16 13:22:20 2014] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Fri May 16 13:24:28 2014] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Fri May 16 13:25:13 2014] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
[Fri May 16 13:55:19 2014] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)

Comment by L. Arnold:

There is normally more than pasting a certificate and key in...

I have never used Webmin to fill in cert and key specifically, so I don't know the specific situation you have, but my feeling is that you don't need a customized cert for Webmin or WebShell. You are the only one normally logging in and you can always accept the self-signed or built-in cert.

Where you want a custom cert is on the outward pointing system/web site etc. Above I noted how I normally install a cert in the post titled "My 2 Step and 2 Bits on SSL Certs". Specifically there you need to get your key, cert, and trusted authority certs all installed. I do that through Webmin, but functionally as a series of "text edits" in the APACHE SERVER SETUP in Webmin - or directly in WebShell.

When you do this the cert will move forward with TKLBAM backups and restores and you will only have to update the setup when your certificate (or certificates) expire.

Hope this helps - again, see the post above titled "My 2 Step and 2 Bits on SSL Certs". You are setting these within APACHE in Webmin normally as opposed to the whole install.

Using Apple trusted certificates for https

As an iOS developer, I own a number of certificates trusted by Apple, including those connected to remote notifications. Is it possible to use them in the Apache https configuration to get rid of the warning on web sites, and how do I do it?

Comment by Jeremy:

TBH I have no idea...

But it's possible I guess. Have you tried following the tutorial to see if it works?

I guess another good option might be to ask Apple themselves (or on Apple support forums or something?) and if so how you might go about it...

Re:Using Apple trusted certificates for https

Yes! It's possible to get rid of those security warnings on web sites by making certain modifications to the Apache HTTPS configuration, but in order to do that you must have an SSL certificate from a trusted CA!

I have drafted a tutorial on this but it's all about Apple Mac OS X Server! I wish it could help you and guide you!

See more here; http://goo.gl/NKtmhR

Thanks, yet  I would need to

Thanks, yet I would need to use it on a CentOS Linux server to certify it, not on a Mac server. Can I use the same certificate even there?

Comment by Jeremy:

Bad forum etiquette - totally off topic

Initially I thought your thread hijack was somewhat legitimate (I thought you were referring to using an Apple provided cert on a TurnKey appliance). But now we're totally off topic talking about OSX servers and CentOS. These are the TurnKey Linux (Debian based software appliances) forums. Please take your discussion somewhere more appropriate. At least have the courtesy to start your own thread rather than hijacking someone else's and taking it completely off topic...

I did not note when I went

I did not note when I went off-topic. I still need a trusted certificate for my centOS Apache server to get rid of the warning, and I wondered whether I could use the ones I already use for my Apple remote notifications.


Comment by Jeremy:

Perhaps ask on the CentOS forums...?

Perhaps ask on the CentOS forums...?
