Generate SSL Certificates for Apache

Last change 11/05/2015

If you have a server, you normally have a website. Now you might really want to secure it with SSL. With services like this does not even cost anything. But one thing is still tedious: managing multiple domains and generating a CSR (certificate signing request).

Quickly generate a certificate

Just copy and paste the script into a .sh file and run it. It will:

  • create a private key for the server (server.cert.key)
  • generate an SSL request (server.cert.csr)
  • create a self-signed certificate (server.cert.crt)

It only asks for the domain name; the rest is defined in the SUBJECT line (there you can set country, state, location and organisation). The main goal of this is to create all you need without requiring any additional user input (except the domain name).

You can change the algorithm and strength in the genrsa line. The defaults used should be fine for most.

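#!/bin/bash
set -e
umask 077  # new files, including the private key, are readable by the owner only
read -r -p "Domain Name: " CN
SUBJECT="/C=US/ST=NY/L=BY/O=MY Organisation/CN=$CN"
# Temporary passphrase, only needed until the key is decrypted below.
PASS=$(openssl rand -hex 16)
# Algorithm and key size are set here.
openssl genrsa -passout "pass:$PASS" -aes256 -out server.key -f4 2048
# echo  make sure to enter COMMON NAME = HOSTNAME
openssl req -passin "pass:$PASS" -subj "$SUBJECT" -new -key server.key -out server.csr
echo removing password
# Working copy of the encrypted key (file name chosen here).
cp server.key server.key.enc
echo creating key
openssl rsa -passin "pass:$PASS" -in server.key.enc -out server.key
rm server.key.enc
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
echo renaming correctly
mv server.key server.cert.key
mv server.csr server.cert.csr
mv server.crt server.cert.crt
cat server.cert.crt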
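
To confirm that the generated files belong together before installing them, the following added example (not part of the original page) compares the public key in the key, the CSR and the certificate, verifies the CSR's self-signature, and checks the CN and the remaining validity. The function names pubkey_fp and check_cert_set and the 30-day default are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original page): consistency checks for a
# private key, CSR and certificate that are supposed to belong together.

# pubkey_fp KIND FILE: SHA-256 over the public key found in a key, CSR or cert.
pubkey_fp() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) ;;
        csr) pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    [ -n "$pem" ] || return 1   # an unreadable file must never "match" another
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# check_cert_set DOMAIN KEY CSR CRT [MIN_DAYS]: returns 0 only if all checks pass.
check_cert_set() {
    domain=$1; key=$2; csr=$3; crt=$4; min_days=${5:-30}; rc=0
    kfp=$(pubkey_fp key "$key") || { echo "FAIL: cannot read private key"; return 1; }
    [ "$(pubkey_fp csr "$csr")" = "$kfp" ] ||
        { echo "FAIL: CSR does not belong to this key"; rc=1; }
    [ "$(pubkey_fp crt "$crt")" = "$kfp" ] ||
        { echo "FAIL: certificate does not belong to this key"; rc=1; }
    # The CSR is signed with the private key. Match the message so the result
    # does not depend on the exit status of "req -verify".
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR self-signature is invalid"; rc=1; }
    # The common name must be the host name clients will connect to.
    cn=$(openssl x509 -in "$crt" -noout -subject -nameopt multiline 2>/dev/null |
         sed -n 's/^ *commonName *= //p')
    [ "$cn" = "$domain" ] || { echo "FAIL: CN is '$cn', expected '$domain'"; rc=1; }
    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 ||
        { echo "FAIL: certificate expires within $min_days days"; rc=1; }
    return $rc
}

# When run as a script: <domain> <key> <csr> <crt> [min_days]
if [ "$#" -ge 4 ]; then check_cert_set "$@"; fi
```
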

Use with apache

When using Apache with virtual hosts, you simply add the certificates to the VirtualHost entry. Note that the CAcert_chain.pem is only required if you use cacert certificates - with self-signed ones, just comment the SSLCertificateChainFile out.

<VirtualHost *:443>
SSLEngine on
SSLCertificateKeyFile /etc/apache2/SSL/
SSLCertificateFile /etc/apache2/SSL/
DocumentRoot /var/www/mydomain/htdocs
</VirtualHost>

Enable SSL in apache

If you haven't done so, you need to enable SSL in Apache (it is not enabled by default). To do so, just enable the ssl mod (if you are on Debian). For other distributions, check the documentation (it sometimes requires a runtime parameter in defaults or something similar).

ln -s /etc/apache2/mods-available/ssl.load /etc/apache2/mods-enabled/ssl.load
ln -s /etc/apache2/mods-available/ssl.conf /etc/apache2/mods-enabled/ssl.conf

Test SSL

Once the web server talks SSL, you still might want to check the certificate. The following script does that for you. Just run it with the "domain" as parameter:

> ./checkcert
subject= /C=US/ST=California/L=Mountain View/O=Google Inc/
notBefore=Apr  9 11:40:11 2014 GMT
notAfter=Jul  8 00:00:00 2014 GMT

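REMHOST=$1
REMPORT=${2:-443}
# -servername sends SNI so a name-based virtual host returns its own certificate
echo |
  openssl s_client -connect "$REMHOST:$REMPORT" -servername "$REMHOST" 2>/dev/null |
  openssl x509 -noout -subject -dates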
