Self signed and trusted SSL certificates
By Alon Swartz - 13 comments
Keeping it simple, HTTPS is a combination of the HTTP and SSL/TLS protocols, which provides encryption while authenticating the server. The main idea is to create a secure channel over an insecure network, ensuring "reasonable" protection from eavesdroppers and man-in-the-middle attacks.
HTTPS assumes that special CA (Certificate Authority) certificates are pre-installed in web browsers. If your SSL certificate is not signed by one of these CAs, the browser will display a warning:

TurnKey appliances generate self signed certificates on first boot to provide an encrypted traffic channel, but because the certificates are not signed by a trusted CA, the warning is displayed. In most cases, this is acceptable. If it's not, go get a signed certificate.
Authoritatively signed certificates
Cost
Authoritatively signed certificates can be costly, for example, Verisign (the most well known CA) charges $1,499 per year for their recommended certificate. There are cheap alternatives (I recently purchased a certificate from Go Daddy for $12.99) as well as a couple of free providers.
Generate key and CSR
First up is to create a certificate key and a certificate signing request (CSR). This can be done with OpenSSL.
apt-get update
apt-get install openssl
# replace the subject fields (-subj) with your own information
openssl req -new -newkey rsa:2048 -nodes -out www_example_com.csr -keyout www_example_com.key -subj "/C=US/ST=Arizona/L=Scottsdale/O=Example Company Inc./CN=www.example.com"
Submit the CSR
The above will generate two files, www_example_com.key (the private key) and www_example_com.csr (the signing request).
Once you have signed up for an authoritatively signed certificate, you will be requested to upload the CSR file or its contents.
Verify the request
The signing authority will need to verify the validity of the request and that it was submitted by the entity to which the domain in the request is registered, usually done by contacting the administrative contact for the domain.
Further steps may be required when requesting an Extended Validation (EV) certificate, which colors the address bar green in recent browsers.
Download signed certificate
After validation, your signed certificate (crt) will be available for download. Most likely your signing authority will include an intermediate CA certificate bundle (trust chain).
Note: you should make a backup of all SSL related files.
Generate PEM and placement
Generate the pem from the key and crt
cat www_example_com.key www.example.com.crt > cert.pem
Place the generated pem and intermediate bundle (eg. bundle.crt) in /etc/ssl/certs/, and make them read-only to root.
chown root:root *.pem *.crt
chmod 400 *.pem *.crt
Update configuration, enable SSL and reload webserver
Apache configuration
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/ssl/certs/cert.pem
SSLCertificateChainFile /etc/ssl/certs/bundle.crt
</VirtualHost>
a2enmod ssl
/etc/init.d/apache2 force-reload
Lighttpd configuration
/etc/lighttpd/conf-available/10-ssl.conf
$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/ssl/certs/cert.pem"
ssl.ca-file = "/etc/ssl/certs/bundle.crt"
}
lighty-enable-mod ssl
/etc/init.d/lighttpd force-reload
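As an added example (not code from the original post or from TurnKey), the following POSIX shell script carries the key/CSR and PEM steps above through with the checks a practitioner wants before reloading the webserver: that the CSR's CN is what was intended, that the CA-signed certificate actually matches the private key, and that it verifies through the intermediate bundle to a trusted root. It assumes only the openssl CLI; file names are the post's or obvious placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post or from TurnKey: it runs the post's
# key/CSR step and adds the checks a practitioner wants before the pieces become cert.pem:
# the CSR says what you meant, the signed cert matches the key, and it chains through
# the CA's intermediate bundle. Assumes the openssl CLI is installed.
set -eu

# The post's sample subject; replace the fields with your own.
SUBJ="/C=US/ST=Arizona/L=Scottsdale/O=Example Company Inc./CN=www.example.com"

# Step 1 of the post: 2048-bit RSA key plus CSR, no passphrase on the key (-nodes).
gen_key_and_csr() {  # gen_key_and_csr out.key out.csr
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" -subj "$SUBJ" 2>/dev/null
}

# Read the CN back out of the CSR before uploading it to the CA.
csr_cn() { openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'; }

# SHA-256 of the DER-encoded public key held in a key, a CSR or a certificate, so the
# three can be compared regardless of PEM formatting.
pubkey_fp() {  # pubkey_fp key|csr|crt file
    case "$1" in
        key) openssl pkey -in "$2" -pubout -outform DER 2>/dev/null ;;
        csr) openssl req -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER 2>/dev/null ;;
        crt) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER 2>/dev/null ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}
key_matches() { [ "$(pubkey_fp key "$1")" = "$(pubkey_fp "$2" "$3")" ]; }  # key_matches k.key csr|crt file

# The signed cert must validate through the intermediate bundle (untrusted) up to a
# trusted root; pass a root file (or a copy of the system store) as the third argument.
chain_verifies() {  # chain_verifies www.crt bundle.crt roots.pem
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# "Generate PEM" step: refuse to build cert.pem from a key and cert that do not match,
# and never let the file (it holds the private key) be readable by anyone but the owner.
build_pem() {  # build_pem www.key www.crt cert.pem
    key_matches "$1" crt "$2" || { echo "key and certificate do not match" >&2; return 1; }
    ( umask 077 && cat "$1" "$2" > "$3" )
    chmod 400 "$3"
}
```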
Do you use an authoritatively signed certificate? Is self-signed sufficient? Leave a comment!
Comments
StartSSL free certs
If you are using an SSL certificate for testing, http://www.startssl.org/ offers free certificates that are authoritatively signed. You have to pay for certs that you use for e-commerce and secure transactions, but for testing, their free certs work very well.
Free certificate for open source projects
I assume the GoDaddy cert
I assume the GoDaddy cert will expire in 1 year and you have to pay for renewal or get a different cert.
I have used the StartSsl certs for non open-source projects so that is an advantage there.
need opensource CA
In case I don't want to pay any third party for a CA, what can I do then?
Wikipedia has a couple of suggestions here, but I haven't tested any of them. If you try some, feedback may be useful for others.
Also Google turned up an old Slashdot story with a couple of ideas, although they may be out of date? (And they aren't actually open source.)
Update configuration, enable SSL and reload webserver
I'm not clear on how to update the Apache configuration file. Which file do I edit, and how do I edit it? I'm assuming that I would need to modify the
/etc/apache2/sites-available/default file; is that right? If so, then how/what do I replace in the file? Thanks
Problem with virtual host and ssl certificate
Hello people,
Can anyone help with configuring an SSL certificate for a virtual host? I made all the configuration following those instructions and my virtual host keeps providing me the self-signed certificate from TurnKey, even if I configure a dedicated IP address for that site. Any ideas?
I'll be very glad if someone can help me :)
Regards
Ariel
Did you restart the webserver?
Try restarting the webserver so changes take effect.
Which config file?
If I already have a site up and running using the Turnkey LAMP stack, which Apache config file should I be editing?
If I edit the default one won't those changes only show on new virtual hosts not existing ones?
My 2 Step and 2 Bits on SSL Certs
To answer your question at the end: Do you use an authoritatively signed certificate? Is self-signed sufficient?
I tend to use the SSL Generated Certs for Webmin, WebShell and PHPMyAdmin. If I need SSL for a Public site I have been finding $10 certs recently on Comodo and getting irritated when they try to renew for $50.. I think I found a good alternative that seems more "long term" in its price offering just now at:
www.namecheap.com
They have good pricing on Domain Registrations as well though I like Tucows for that.
1 and 2 year SSL certs for less than $10 a year (even 3 years if you want to avoid the hassle).
That was the Hard Work. The next part was just refresh/repeat from previous cert installs.
Run the process outlined in the great blog post above to generate the CSR (Certificate Signing Request).. For me this is easiest in Webmin because I can Copy/Paste then edit before submitting. Look in your root directory to find it, then move it with the Certs you are Generating to /etc/ssl/private (or a folder of your choice).
Generally you need to take 2 Certs (the primary cert and the intermediate cert) and copy them into new files --
In Apache - Go to Edit Directives under your 443 Port. The following is my general format calling out .cert (or .crt) .key and intermediate.cert :
In fact I am here posting because I needed to get the script again to generate a CSR and it was about as easy an SSL install as I have done... Templates are the key... and avoid Comodo's Bait and Switch. GeoTrust seems, to me anyway, the more reputable SSL provider.
Can't start apache after trying to use startssl cert
Using Startcom SSL free cert working nicely!
The problem in my above post was that the generated .pem file was not the correct one to use, rather one should use the .crt file itself.
Startcom had just the info needed on their site:
http://www.startssl.com/?app=21
SSL directives:
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /usr/local/apache/conf/ssl.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key
SSLCertificateChainFile /usr/local/apache/conf/sub.class1.server.ca.pem
SSLCACertificateFile /usr/local/apache/conf/ca.pem
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
I also found the next solution I needed on their blog: that there is no real use in having a passphrase on the key file, so it should be decrypted.
https://forum.startcom.org/viewtopic.php?f=15&t=148
Now it works as it should, thanks!
Thanks for posting back with your info
I'm sure others will find your discovery useful.