Almost everybody realizes nowadays that pages where logins and passwords are used must transfer data over an encrypted connection such as HTTPS. To use a secure connection the web server must have a correctly configured certificate.
Usually certificates are bought from a Certificate Authority and cost around $100 per year. Here I will show how to make your own certificate for free and very simply.
- Create a private 1024-bit RSA key, encrypted with des3, in the file server.key:
openssl genrsa -des3 -out server.key 1024
- Create a new certificate signing request for the private key in server.key and place the request into server.csr. This asks for information about your site; most importantly, the common name must match your site name:
openssl req -new -key server.key -out server.csr
- Finally create a certificate in X.509 format from the request in server.csr, sign it with server.key and save the result in server.crt; the certificate is valid for 365 days (see http://www.openssl.org/docs/apps/x509.html):
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
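The three steps above as one non-interactive script, with a check that the certificate really carries the common name you asked for and really belongs to the private key. This is an added example, not a command from the original post: it assumes openssl is in PATH, takes the site name as an optional first argument (default "example.test", a constructed placeholder), writes into ./ssl-demo, and uses a 2048-bit key without a passphrase so that Apache can start unattended; the post's own commands use 1024 bits and a des3 passphrase.

```shell
#!/bin/sh
# Added example (not the original post's commands): generate key, CSR and
# self-signed certificate, then verify CN and key/cert consistency.
# Assumptions: openssl in PATH; site name in $1 (default example.test,
# a constructed placeholder); output in ./ssl-demo.
set -eu

make_self_signed() {
    # $1 = common name (site name), $2 = output directory, $3 = validity in days
    cn=$1; dir=$2; days=$3
    mkdir -p "$dir"
    # Private key: 2048 bits, no passphrase (the post uses 1024 bits with des3).
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # Signing request: -subj answers the interactive questions; CN = site name.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=EE/O=Example Org/CN=$cn"
    # Self-signed X.509 certificate built from the CSR, valid for $days days.
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Print the common name the certificate actually carries
# (handles both "CN=x" and "CN = x" subject formats).
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeeds only if the RSA modulus in the key equals the one in the cert,
# i.e. Apache would be serving a cert that matches its private key.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

site=${1:-example.test}
make_self_signed "$site" ./ssl-demo 365
echo "certificate CN: $(cert_cn ./ssl-demo/server.crt)"
if key_matches_cert ./ssl-demo/server.key ./ssl-demo/server.crt; then
    echo "private key matches certificate"
else
    echo "private key does NOT match certificate"
fi
```

Run it as `sh make-cert.sh yoursite.example` and copy ./ssl-demo/server.crt and server.key to the paths named in your vhost. The key/cert modulus comparison is the same check that explains an Apache start failure after a mismatched SSLCertificateFile/SSLCertificateKeyFile pair.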
The vhost configuration in /etc/httpd/conf/httpd.conf for https with the newly created certificate and private key looks like this:
<VirtualHost *:443>
    ServerName marguspala.com
    DocumentRoot /var/www/marguspala.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
</VirtualHost>
If you are lucky, then after an Apache restart you have an encrypted connection; if not so lucky, Apache will not start.
Problems:
- If you have several https-enabled sites, then whichever one you request you always end up on the same one. Probably you are using the default httpd.conf and must enable name-based virtual hosts for https. Add this line to httpd.conf:
NameVirtualHost *:443
- No matter what certificate you define, Apache still uses its own one that you don't know about and have not seen before.
If you navigate to the web page, right-click, view page info etc., you can see the certificate data that you entered when creating the signing request. If this is not what you entered then something is not correct.
I searched the whole server to see if there were any other certificates present and found one at /etc/pki/tls/certs/localhost.crt:
find / -name '*.crt'
Something was using this cert, but it was not defined in httpd.conf but instead in /etc/httpd/conf.d/ssl.conf. The command for finding this out was
find / -type f -print0 | xargs -0 grep localhost.crt
Changing the location of SSLCertificateFile and SSLCertificateKeyFile in ssl.conf made the server work.
Some more useful tips:
openssl x509 -text -in /etc/pki/tls/certs/localhost.crt
shows certificate information.
openssl s_client -connect marguspala.com:443
connects to an https-enabled website and shows, among other things, that website's certificate info.
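The two commands above can be combined into a check for exactly the problem described earlier, Apache silently serving a certificate other than the one in your vhost: compare the SHA-256 fingerprint of the file you configured with the fingerprint of the certificate the server actually presents. This is an added example, not part of the original post; it assumes openssl is in PATH and takes host, port and certificate file as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): detect a server presenting a
# different certificate than the file you configured, by fingerprint.
# Assumptions: openssl in PATH; usage: sh check-cert.sh HOST PORT CERTFILE
set -eu

# SHA-256 fingerprint of a PEM certificate file.
file_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Fingerprint of the certificate a live server presents for this name (SNI),
# the same s_client connection as above, reduced to one comparable value.
served_fingerprint() {
    host=$1; port=$2
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only when both fingerprints are present and identical.
same_fingerprint() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

if [ $# -ge 3 ]; then
    expected=$(file_fingerprint "$3")
    actual=$(served_fingerprint "$1" "$2")
    if same_fingerprint "$expected" "$actual"; then
        echo "OK: $1:$2 serves $3"
    else
        echo "MISMATCH: configured $expected, served $actual"
        exit 1
    fi
fi
```

A mismatch after restarting Apache points at another SSLCertificateFile taking precedence, such as the ssl.conf case above; a match confirms the vhost change actually took effect.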