Generate SSL Certificates for Apache

Last change 11/05/2015

If you have a server, you normally have a website. Now you might really want to secure it with SSL. With services like https://www.cacert.org/ this does not even cost anything. But one thing is still tedious: managing multiple domains and generating a CSR (certificate request).

Quickly generate a certificate

Just copy and paste the script into a .sh file and run it. It will:

  • create a private key for the server (server.cert.key)
  • generate an SSL certificate request (server.cert.csr)
  • create a self-signed certificate (server.cert.crt)

It only asks for the domain name; the rest is defined in the SUBJECT line (there you can set country, state, location and organisation). The main goal of this is to create all you need without requiring any additional user input (except the domain name).

You can change the algorithm and strength in the genrsa line. The defaults used should be fine for most.

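#!/bin/bash
# read -p is a bash feature, so run this script with bash
read -r -p "Domain Name: " CN
# temporary passphrase, only used until the key is decrypted further down
PASS="TEMPpass123$CN"
SUBJECT="/C=US/ST=NY/L=BY/O=MY Organisation/CN=$CN"
# private key: RSA 2048 bit, public exponent 65537 (-f4), AES-256 encrypted
openssl genrsa -passout "pass:$PASS" -aes256 -out server.key -f4 2048
# certificate request; the COMMON NAME must be the host name
openssl req -passin "pass:$PASS" -subj "$SUBJECT" -new -key server.key -out server.csr
echo removing password
# server.key.org stays behind; its passphrase is predictable, so protect or
# delete it like the decrypted key
cp server.key server.key.org
echo creating key
openssl rsa -passin "pass:$PASS" -in server.key.org -out server.key
# self-signed certificate, valid for 365 days
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
echo renaming correctly
mv server.key server.cert.key
mv server.csr server.cert.csr
mv server.crt server.cert.crt
cat server.cert.crt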













Use with Apache

When using Apache with virtual hosts, you simply add the certificates to the VirtualHost entry. Note that CAcert_chain.pem is only required if you use CAcert certificates; with a self-signed certificate, just comment the SSLCertificateChainFile line out.

<VirtualHost *:443>
ServerName www.mydomain.com
ServerAlias mydomain.com
SSLEngine on
SSLCertificateKeyFile /etc/apache2/SSL/mydomain.com/server.cert.key
SSLCertificateFile /etc/apache2/SSL/mydomain.com/server.cert.crt
DocumentRoot /var/www/mydomain/htdocs
</VirtualHost>
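
The virtual host above answers to both www.mydomain.com and mydomain.com, while the generation script puts only the one entered domain into the CN, and current clients match host names against subjectAltName. The following is an added example, not part of the original page: make_cert, cert_covers and req.cnf are assumed names; it writes the key, CSR and self-signed certificate with every name listed in subjectAltName and checks coverage with openssl x509 -checkhost.

```shell
#!/bin/sh
# Added example, not the page's script. make_cert, cert_covers and req.cnf
# are assumed names; the subject fields are the page's sample values.

# make_cert OUTDIR NAME [ALIAS...]
# The first NAME becomes the CN; every name is listed in subjectAltName.
make_cert() (
    set -eu
    dir=$1; shift
    cnf="$dir/req.cnf"
    umask 077    # key and the other files are readable by the owner only
    mkdir -p "$dir"
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3
prompt = no
[dn]
C = US
ST = NY
L = BY
O = MY Organisation
CN = $1
[v3]
subjectAltName = @alt
[alt]
EOF
    n=1
    for name in "$@"; do
        echo "DNS.$n = $name" >> "$cnf"
        n=$((n + 1))
    done
    # Unencrypted key written directly, so no temporary passphrase is needed.
    openssl genrsa -out "$dir/server.cert.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$cnf" \
        -key "$dir/server.cert.key" -out "$dir/server.cert.csr"
    # x509 -req does not copy CSR extensions, so re-apply them via -extfile.
    openssl x509 -req -sha256 -days 365 -in "$dir/server.cert.csr" \
        -signkey "$dir/server.cert.key" -extfile "$cnf" -extensions v3 \
        -out "$dir/server.cert.crt" 2>/dev/null
)

# cert_covers CERT HOST: succeeds if the certificate is valid for HOST.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}
```

Calling make_cert with a target directory followed by www.mydomain.com and mydomain.com produces the server.cert.key and server.cert.crt files the virtual host refers to, plus the CSR to submit to a CA.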






Enable SSL in Apache

If you haven't done so already, you need to enable SSL in Apache (it is not enabled by default). To do so, just enable the ssl module (if you are on Debian). For other distributions, check their documentation (it sometimes requires a runtime parameter in defaults or something similar).

ln -s /etc/apache2/mods-available/ssl.load /etc/apache2/mods-enabled/ssl.load
ln -s /etc/apache2/mods-available/ssl.conf /etc/apache2/mods-enabled/ssl.conf

Test SSL

Once the web server talks SSL, you still might want to check the certificate. The following script does that for you. Just run it with the domain as a parameter:

> ./checkcert www.google.com
subject= /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
notBefore=Apr  9 11:40:11 2014 GMT
notAfter=Jul  8 00:00:00 2014 GMT


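#!/bin/sh
#
# usage: checkcert host [port]
REMHOST=$1
REMPORT=${2:-443}
# -servername sends SNI so a name-based virtual host returns its own certificate
echo |
  openssl s_client -connect "$REMHOST:$REMPORT" -servername "$REMHOST" 2>/dev/null |
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |
  openssl x509 -noout -subject -dates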







