NOTA BENE - WORK IN PROGRESS - Your Inputs & Thoughts
To Technology Knowledge Base - To Technology Knowledge Base - Overview - To Technology Knowledge Base - Server Certificate - This Article you find as well in Support for System Administrators
Creating a Simple Apache Certificate
by Daniel Black
First of all go to the mod_ssl documentation for basic mod_ssl configuration. I will not go into mod_ssl, I'll just try to show you a way to get and install a CAcert certificate.
If you just want a certificate for a single site Apache server this is probably the simplest way to get a CAcert signed certificate. For the more complicated cases please have a look at ApacheServer and VhostsApache.
- These instructions should work with Apache 2.x on Unixes and Windows. Probably also on other systems.
Once Apache is running with mod_ssl you'll have to register the domain component of your webserver (that is "example.org" for the server "www.example.org") with your CAcert account. To do this go to CAcert homepage, log in, click "Domains -> Add" and follow the instructions there. If your Domain is shown as "verified" on "Domains -> Show" you can continue and generate a certificate for your server.
Get openssl if it is not already installed on your system. If you can't find it somewhere else you can try the openssl website for a binary version for Windows.
- Generate a certificate signing request (CSR) using the command:
openssl req -newkey rsa:2048 -subj /CN=<your sever's address here> -nodes -keyout <filename for your private key> -out <filename for the CSR>
For example openssl req -newkey rsa:2048 -subj /CN=www.example.org -nodes -keyout example_key.pem -out example_csr.pem generates a CSR for the server www.example.org in the file example_csr.pem and stores the corresponding private key unencrypted in the file example_key.pem.
Go to CACert, log in, and select "Server certificates -> New". If a Class 3 certificate is available for you I'd advise you to select a Class 3 certificate.
Use Copy/Paste to input your CSR (the content of example_csr.pem in the above example) into the big editor box. Be sure to include the header and footer lines ( -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- ) and check that after the paste operation the request has not been truncated.
Click on "Send" and your certificate will be generated. That is, if you did not make a mistake. If you made one, read the error message, try to understand what it wants to say to you and try again while skipping the mistake.
- Use Copy/Paste with your favourite editor to save the certificate to a file (let's call the file example_cert.pem).
- Move the private key and the certificate to a convenient location. Standard Apache installations provide the directories ssl.key for the private key and ssl.crt for the certificate in the configuration directory. If you want to keep the CSR for later reference (though you probably won't need it anymore) there also is a directory named ssl.csr.
If using a Class 3 certificate as proposed you'll need the certificate chain file. This is just the Class 3 root certificate and the Class 1 root certificate in PEM format concatenated. Do it yourself or download it from the attachments.
- Store the certificate chain file in the ssl.crt directory and let's call it CAcert_chain.pem for future reference.
- Now all that remains to be done is to correctly configure Apache's mod_ssl. To use the certificate set the following directives in your SSL-configuration:
SSLCertificateFile <Path to your certificate file>/example_cert.pem SSLCertificateKeyFile <Path to your key file>/example_key.pem SSLCertificateChainFile <Path to your chain file>/CAcert_chain.pem .
- This is it. Restart your Apache and see if it works!
Inputs & Thoughts
20091113-RogerCPao
#!/bin/sh wget http://www.cacert.org/certs/root.txt wget http://www.cacert.org/certs/class3.txt cat class3.txt root.txt > CAcert_chain.pem
20091116-Martin N Brampton /e-mail
Thanks a lot, I've figured it out now. Half the problem is that my servers are running with WHM/cPanel and it's hard to see through the fancy stuff to the actual Apache configuration. I've now added the CA certificate to ca-bundle.crt and amended the Apache configuration to point to the bundle. I guess there was no CA certification before. Best regards, Martin
YYYYMMDD-YourName
Text / Your Statements, thoughts and e-mail snippets, Please
YYYYMMDD-YourName
Text / Your Statements, thoughts and e-mail snippets, Please
Category or Categories