Set up a SSL certificate with Debian (step by step tutorial)
This is how about to set up a SSL certificate on your server and running with it, using apache 2.4 on Debian GNU/Linux.
All of the following tasks are done as root, from the command line:
- change to the /etc/apache/ssl directory (note, this might be Debian specific):
- create a private key:
openssl genrsa -out supersecret.key 4096
- generate a certificate request from that key:
openssl req -key supersecret.key -new
Answer the questions as follows (hit Enter after each answer):
Country Code: (see: https://www.iso.org/obp/ui/#search)
State or Province: I put the province I live in
Locality name: I put the city I live in
Organization Name: I put a dot (period) which leaves the entry blank
Organizational Unit: I put a dot
Common Name: I put the fully qualified name of my server.
Email Address: I put my email address
challenge password: I left this blank
optional company name: I left this blank
This generates a certificate request, and displays it on the screen. Copy and paste it into the Server Certificates - New form.
- CACert will then generate a certificate. Copy and paste this to a file on the server. Because I'm using debian, the proper location for this file is:
- Save the certificate as a file in that directory called myserver.crt
- Next, download the intermediate certificate from CACert: and save it in the same directory (/etc/apache2/ssl). Also, download the CACert Class 1 certificate and save it in the same directory.
- Combine the secret key, your server's certificate, and the intermediate and root certificates into one file:
cat supersecret.key myserver.crt class3.crt root.crt > myserver.pem
- Change the permissions so nobody else can read that pem file:
chmod 600 myserver.pem
NOTE: This is for Apache greater than version 2.4.8. If you have an older version, the intermediate and root certificates go in a separate file called the chain file.
- Edit the apache ssl config file (/etc/apache2/sites-available/default-ssl.conf) (again, this is Debian-specific), and specify the SSLCertificateFile location.
NOTE, if you would prefer to not put the secret key in the pem file, specify the SSLCertificateKeyFile as well. I prefer to keep everything all together in one pem file. If you are using Apache less than 2.4.8, specify the chain file that includes the CACert intermediate and root certificates with SSLCertificateChainFile.
- Enable the ssl site:
- Restart Apache
That's it, now your server is up and running with a SSL certificate from CACert.org.
Here's a similar tutorial for Ubuntu: https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04