Almost everybody realizes nowadays that pages where login and passwords are used must use encrypted datatransfer like https. To use secure connection webserver must have correctly configured certificate.
Usually certificates are bought from some Certificate Authority and these cost around $100 per year. Here i will show how to make your own cert for free and very simple.
- Create private 1024bit RSA key encrypted with des3 into file server.key:
openssl genrsa -des3 -out server.key 1024
- Create new certificate signing request for private key located in file server.key and plase request into server.csr. This asks information about your site and most important common name must match your site name:
openssl req -new -key server.key -out server.csr
- Finally create certificate in X.509 format from request in file server.csr, sign it with server.key and save results in server.crt, certificate is valid for 365 days.http://www.openssl.org/docs/apps/x509.html#
vhost conf in /etc/httpd/conf/httpd.conf for https with newly created certificate and private key looks like this:
<VirtualHost *:443> ServerName marguspala.com DocumentRoot /var/www/marguspala.com SSLEngine on SSLCertificateFile /etc/httpd/ssl/server.crt SSLCertificateKeyFile /etc/httpd/ssl/server.key </VirtualHost>
If you are lucky then now after apache restart you have encrypted connection, if not so lucky then apache will not start
- If you have several https enabled sites then whatever you want to use you end up only in one site. Probably you are using default httpd.conf and you must enable name based virtual hosts for https. Add this line to httpd.conf
- No matter what certificate you define apache still uses its own that you dont know about and have not seen before.
If you navigate to webpage, rightclick, view page info etc then you can see certificate data that you entered when creating signing request. If this is not what you enterd then something is not correct.
I searched whole server to see if there are any other certificates present and found one at /etc/pki/tls/certs/localhost.crt:
find / -name *crt
Something was using this cert but this was not defined in httpd.conf but instead in /etc/httpd/conf.d/ssl.conf. Command findig this out was
find / |xargs grep localhost.crt
Changing location of SSLCertificateFile and SSLCertificateKeyFile in ssl.conf made server work.
Some more useful tips
openssl x509 -text -in /etc/pki/tls/certs/localhost.crt
shows sertificate information
openssl s_client -connect marguspala.com:443
connects to https enabled website and shows among others this website certificate info.