Tuesday, February 7, 2006

Apache 2 + SSL with CAcert.org certificates

Create a private key, eg for www.rrfx.net:
cd /etc/apache2/ssl
openssl genrsa -out www-rrfx-net.key 1024
Generate a certificate signing request:

openssl req -new -key www-rrfx-net.key -out www-rrfx-net.csr

Hit enter a bunch of times; CAcert.org will strip all but the Common Name if you're not verified (like me):

Common Name (eg, YOUR name) []: www.rrfx.net
Just leave the challenge password blank:

cat www-rrfx-net.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIBnDCCA/-----8<------8<------/eX9tCrqSyJo
-----END CERTIFICATE REQUEST-----

Visit http://cacert.org
Make sure your domain has been added: Domains -> View/Add
Request your certificate: Server Certificates -> New -> Paste the contents of your certificate request (eg www-rrfx-net.csr)
CAcert will then generate a certificate. Paste this into a file in /etc/apache2/ssl:

nano www-rrfx-net.cert
(paste)

In the Apache2 virtualhost section, make sure the virtualhost is listening on *:443, then add:

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/www-rrfx-net.cert
SSLCertificateKeyFile /etc/apache2/ssl/www-rrfx-net.key
SSLOptions +OptRenegotiate

and wherever you need to enforce SSL:

SSLRequireSSL

Make sure clients import the CAcert.org root certificate:
https://www.cacert.org/index.php?id=3
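As an added example (not from the original post): the key and CSR steps above run non-interactively, plus the two checks worth doing before pointing SSLCertificateFile/SSLCertificateKeyFile at the files, that the CSR carries the intended Common Name and that the certificate the CA hands back really belongs to your private key. It assumes openssl is on PATH and writes to $SSL_DIR (a temp directory by default); the self-signing helper only stands in for the CAcert step so the check can be run offline, and the 2048-bit key size is my choice rather than the post's 1024.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl on PATH.
# Files go to $SSL_DIR; default is a temp dir so this runs outside /etc/apache2/ssl.
SSL_DIR="${SSL_DIR:-$(mktemp -d)}"

# make_key_and_csr <basename> <common-name>
# Generates the private key and a CSR with only the CN set (CAcert strips the
# other fields anyway). 2048-bit RSA is our choice here; the post used 1024.
make_key_and_csr() {
    openssl genrsa -out "$SSL_DIR/$1.key" 2048 2>/dev/null
    openssl req -new -key "$SSL_DIR/$1.key" -subj "/CN=$2" -out "$SSL_DIR/$1.csr"
}

# csr_cn <basename>
# Prints the Common Name embedded in the CSR, so you can confirm what you are
# about to paste into the CAcert form before submitting it.
csr_cn() {
    openssl req -in "$SSL_DIR/$1.csr" -noout -subject | sed -n 's/.*CN *= *//p'
}

# cert_matches_key <cert-file> <key-file>
# Succeeds only if the certificate's RSA modulus equals the private key's, i.e.
# the CA signed *our* request and Apache will accept the pair.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -modulus | openssl sha256)
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# selfsign_csr <basename>
# Stand-in for the CAcert signing step so the matching check can be exercised
# offline; in real use the .cert file is the one pasted from CAcert.
selfsign_csr() {
    openssl x509 -req -in "$SSL_DIR/$1.csr" -signkey "$SSL_DIR/$1.key" -days 1 \
        -out "$SSL_DIR/$1.cert" 2>/dev/null
}
```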
