Something else that I do not do often and have never documented is installing an SSL certificate on Debian servers for use with Apache / OpenSSL. For this post I am assuming that an existing SSL certificate has been purchased. I use a lot of wildcard certificates for multiple servers rather than a certificate per site / server.
Go to this directory
# cd /etc/ssl/private/
By default there is a self-signed certificate key, ssl-cert-snakeoil.key, in this directory.
This directory is restricted to root user and ssl-cert group.
Using an existing certificate, key, and intermediate certificate, create a file for each in the same directory.
Change the relevant ownership
# chown root:ssl-cert *
and change the access
# chmod 640 *
This should provide something like:
/etc/ssl/private# ls -la
drwx--x--- 2 root ssl-cert 4096 Apr 14 12:12 .
drwxr-xr-x 4 root root     4096 Mar 28 08:41 ..
-rw-r----- 1 root ssl-cert 1589 Apr 14 12:11 mydomain-intermediate.crt
-rw-r----- 1 root ssl-cert 1704 Mar 20 23:25 ssl-cert-snakeoil.key
-rw-r----- 1 root ssl-cert 2049 Apr 14 12:10 mydomain-cert.crt
-rw-r----- 1 root ssl-cert 1678 Apr 14 12:13 mydomain-key.key
OK, now off to the Apache config.
# cd /etc/apache2/sites-available/
and edit the relevant site file so that the VirtualHost *:443 section includes the correct paths to the certificate files above:
# Example SSL configuration
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateChainFile "/etc/ssl/private/mydomain-intermediate.crt"
SSLCertificateFile "/etc/ssl/private/mydomain-cert.crt"
SSLCertificateKeyFile "/etc/ssl/private/mydomain-key.key"
If there is no VirtualHost *:443 section, there should be an existing VirtualHost *:80 for the website in the same file. Copy / duplicate that section, change the port in the copy from 80 to 443, and insert the example SSL lines above at the bottom of the new section, just before the closing tag.
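Before restarting Apache it is worth confirming that the three files actually belong together and are locked down as intended, since a key that does not match the certificate stops Apache from starting and a world-readable key defeats the chmod above. The following is an added check, not part of the original post; the file paths in the usage comment mirror the post and are assumed, and it needs the openssl CLI and GNU stat (both present on Debian).

```shell
#!/bin/sh
# Added verification for a deployed Apache certificate set.
# Assumed paths: the mydomain-* files from the post under /etc/ssl/private.

# The public key inside the certificate must equal the public key derived
# from the private key; otherwise Apache fails with a key/cert mismatch.
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# The leaf certificate must be issued by the intermediate named in
# SSLCertificateChainFile. The intermediate is used as the trust anchor
# (-partial_chain), so no system CA store is involved in this check.
chain_ok() {
    openssl verify -partial_chain -trusted "$2" "$1" >/dev/null 2>&1
}

# Mode and owner must be exactly what the post sets (640 and root:ssl-cert);
# anything wider lets other local users read the private key.
perms_ok() {
    [ "$(stat -c '%a %U:%G' "$1")" = "640 $2" ]
}

# check_all CERT KEY INTERMEDIATE OWNER:GROUP -> prints "ok" and returns 0
check_all() {
    cert_key_match "$1" "$2" || { echo "cert/key mismatch: $1 $2"; return 1; }
    chain_ok "$1" "$3"       || { echo "chain does not verify: $1 via $3"; return 1; }
    for f in "$1" "$2" "$3"; do
        perms_ok "$f" "$4"   || { echo "bad mode/owner on $f"; return 1; }
    done
    echo "ok"
}

# Usage on the server from the post (run as root):
#   check_all /etc/ssl/private/mydomain-cert.crt \
#             /etc/ssl/private/mydomain-key.key \
#             /etc/ssl/private/mydomain-intermediate.crt root:ssl-cert
```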
If Apache is a fresh install it may not have the SSL module enabled yet.
Test the Apache syntax, then restart:
# service apache2 restart
Restart or reload, depending on what you need for existing sites on the server.