Difference between revisions of "Internal Installing Apache SSL Certs"

• Load StartSSL trusted login cert into browser (Located on Password Gorilla)
• Login and choose the certificate wizard (verify domain if required)
• Skip automatic cert generation in the wizard
• SSH into the server and run in /etc/ssl

wget https://www.startssl.com/certs/ca.pem
wget https://www.startssl.com/certs/sub.class1.server.ca.pem

• Generate the request

openssl req -new -newkey rsa:2048 -nodes -keyout fqdn.key -out fqdn.csr

• Set the server domain name for CN
• Copy server.csr into StartSSL's Cert Wizard
• Wait for verification (check support mailing list)
• Follow the instructions in the email and create fqdn.crt
• Rename the fqdn.key and fqdn.crt to the common name
• Modify /etc/ssl/apache.conf to read like this

SSLEngine On
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateChainFile /etc/ssl/sub.class1.server.ca.pem
SSLCACertificateFile /etc/ssl/ca.pem
SSLCertificateFile /etc/ssl/certs/fqdn.crt
SSLCertificateKeyFile /etc/ssl/private/fqdn.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

• Restart the apache server daemon

/etc/init.d/apache2 restart

Notes

Copy the private key to Password Gorilla