Debian Install SSL Certificates for Apache OpenSSL

Something else that I do not do often and have never documented is the install of an SSL certificate on Debian servers for use with Apache / OpenSSL. For this post I am assuming that an existing SSL certificate has been purchased. I use a lot of wildcard certificates for multiple servers rather than a certificate per site / server.

Go to this directory

[text]# cd /etc/ssl/private/[/text]

By default there is a self-signed certificate key ssl-cert-snakeoil.key in the directory

This directory is restricted to root user and ssl-cert group.

Using an existing certificate, key, and intermediate certificate, create a file for each in the same directory.

Change the relevant ownership

[text]# chown root:ssl-cert *[/text]

and change the access

[text]#chmod 640 *[/text]

This should provide something like:

[text]

/etc/ssl/private# ls -la
drwx–x— 2 root ssl-cert 4096 Apr 14 12:12 .
drwxr-xr-x 4 root root     4096 Mar 28 08:41 ..
-rw-r—– 1 root ssl-cert 1589 Apr 14 12:11 mydomain-intermediate.crt
-rw-r—– 1 root ssl-cert 1704 Mar 20 23:25 ssl-cert-snakeoil.key
-rw-r—– 1 root ssl-cert 2049 Apr 14 12:10 mydomain-cert.crt
-rw-r—– 1 root ssl-cert 1678 Apr 14 12:13 mydomain-key.key

[/text]

Ok, now off to the Apache config

[text]# cd /etc/apache2/sites-available/[/text]

and edit the site file that is relevant so that the Virtual Host *:443 section includes the correct paths to the above certificate files

[text]
# Example SSL configuration
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateChainFile "/etc/ssl/private/mydomain-intermediate.crt"
SSLCertificateFile "/etc/ssl/private/mydomain-cert.crt"
SSLCertificateKeyFile "/etc/ssl/private/mydomain-key.key"

[/text]

If there is no Virtual Host *:443 section then there should be an existing VirtualHost *:80 for the website and this can be copied / duplicated in the same file, just change the port in the copy from 80 to 443 and insert the above Example SSL lines at the bottom of the new section above the closing tag.

If Apache is a fresh install it may not have SSL enabled

[text]#a2enmod ssl [/text]

Test Apache syntax

[text]#apachectl -t [/text]

Restart Apache
[text]#apachectl graceful [/text]
or
[text]#service apache2 restart [/text]
depending on what you need for existing sites on the server.

 

Leave a Reply

Your email address will not be published. Required fields are marked *