There are a number of ways to set up SSL on a web host. The purpose of this howto is to provide a guide to setting up a local certificate authority (CA) and then using that authority to issue a certificate for the apache2 web server as packaged by Debian (in backports as of this writing, but expected to be part of the sarge release).

CA Setup

The first step is to set up the CA. The CA signs the server's SSL certificate, so that anyone who has the CA certificate (my-ca.crt, never the CA key) can verify that the server certificate is genuine and was issued by you.

Create the CA key (2048-bit RSA, encrypted with a passphrase you will be prompted for; this file should live on an offline or administrative machine and is never copied to the web server)

openssl genrsa -aes256 -out my-ca.key 2048

Create the self-signed CA certificate (you will be prompted for the CA key passphrase and for the CA's name fields)

openssl req -new -x509 -sha256 -days 3650 -key my-ca.key -out my-ca.crt

Create and sign the web server certificate

To generate a server certificate we first generate a certificate signing request (CSR) and pass it to the CA; the CA signs the request to produce the certificate. Use a 2048-bit RSA key for the server: 512-bit RSA keys can be factored cheaply and 1024-bit keys are deprecated (public CAs stopped issuing them in 2013), so neither is a safe choice.

Create the certificate signing request (server.csr) and a new 2048-bit private key (privkey.pem). You will be prompted for a passphrase for the key and for the subject fields of the request.

openssl req -new -newkey rsa:2048 -keyout privkey.pem -out server.csr

NOTE: Make sure that the 'Common Name' you specify is the FQDN of the SSL site you are setting up. Be aware that current browsers ignore the Common Name and match the hostname against the certificate's subjectAltName extension instead; a certificate signed with the plain 'openssl x509 -req' command below carries no extensions, so a modern browser will keep reporting a name mismatch even after the CA is trusted. If that matters to you, pass an -extfile containing a subjectAltName entry for the FQDN when signing.

Create the server key by stripping the passphrase from the private key, so that apache2 can start without prompting for it. From this point on the file permissions are the only thing protecting the key: anyone who can read server.key can impersonate the site.

openssl rsa -in privkey.pem -out server.key

Sign the server certificate request with the local CA key to create the server certificate. Use -sha256: SHA-1 signatures are rejected by current browsers. -CAcreateserial writes my-ca.srl next to my-ca.crt on first use; keep that file, because the CA must never issue two certificates with the same serial number.

openssl x509 -req -in server.csr -out server.crt \
-sha256 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650
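The CA and server-certificate steps above, collected into one non-interactive script. This is an added example, not part of the original howto: it keeps the page's file names (my-ca.key, my-ca.crt, server.key, server.csr, server.crt) and the page's example hostname secure.mysite.com, but takes the subject names from -subj instead of prompting, reads the CA passphrase from a CA_PASS environment variable (the default value is a demo placeholder, not something to keep), adds a subjectAltName to the server certificate through an -extfile because 'openssl x509 -req' does not carry extensions over from the CSR, and ends with the checks worth running before anything is copied into /etc/apache2: that the certificate validates against my-ca.crt alone, that it is valid for the hostname, and that server.key really is the key for server.crt.

```shell
#!/bin/sh
# Added example: local CA + server certificate, non-interactively, with verification.
# Not from the original howto. Requires the openssl command-line tool.
set -eu

# The CA passphrase is read via "env:" so it never appears in the process list.
# The default here is a placeholder for running the demo; set CA_PASS yourself.
CA_PASS="${CA_PASS:-demo-only-change-me}"
export CA_PASS

# create_ca DIR
# 2048-bit RSA CA key, encrypted with AES-256, and a 10-year self-signed CA cert.
create_ca() {
    dir=$1
    openssl genrsa -aes256 -passout env:CA_PASS -out "$dir/my-ca.key" 2048 2>/dev/null
    chmod 0400 "$dir/my-ca.key"
    openssl req -new -x509 -sha256 -days 3650 \
        -key "$dir/my-ca.key" -passin env:CA_PASS \
        -subj "/O=Example Local CA/CN=Example Local Root CA" \
        -out "$dir/my-ca.crt"
}

# issue_server_cert DIR FQDN
# Fresh 2048-bit server key written without a passphrase (-nodes) so apache2 can
# start unattended, a CSR with CN=FQDN, and a SHA-256 signature from the CA.
issue_server_cert() {
    dir=$1
    fqdn=$2
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$fqdn" 2>/dev/null
    chmod 0400 "$dir/server.key"
    # x509 -req ignores extensions in the CSR, so the server extensions are
    # supplied here: the SAN browsers actually match on, CA:FALSE, and serverAuth.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$fqdn" > "$dir/server.ext"
    # 825 days: Safari rejects server certificates valid for longer, even from a private CA.
    openssl x509 -req -sha256 -days 825 \
        -in "$dir/server.csr" \
        -CA "$dir/my-ca.crt" -CAkey "$dir/my-ca.key" -passin env:CA_PASS -CAcreateserial \
        -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# verify_issuance DIR FQDN
# Returns 0 only if all three hold:
#   1. server.crt chains to my-ca.crt alone (what a browser trusting my-ca.crt will check)
#   2. server.crt is valid for FQDN (hostname check against the SAN)
#   3. the public key in server.crt is the one in server.key
verify_issuance() {
    dir=$1
    fqdn=$2
    openssl verify -CAfile "$dir/my-ca.crt" "$dir/server.crt" >/dev/null || return 1
    openssl verify -CAfile "$dir/my-ca.crt" -verify_hostname "$fqdn" "$dir/server.crt" >/dev/null || return 1
    cert_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey \
        | openssl pkey -pubin -outform DER | od -An -tx1 | tr -d ' \n')
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout -outform DER | od -An -tx1 | tr -d ' \n')
    [ "$cert_pub" = "$key_pub" ]
}

# Demo run in a scratch directory; in real use, copy server.key and server.crt
# to the web server and keep my-ca.key elsewhere.
WORK=$(mktemp -d)
create_ca "$WORK"
issue_server_cert "$WORK" secure.mysite.com
verify_issuance "$WORK" secure.mysite.com && echo "issued and verified in $WORK"
```

The hostname check is the one the page's manual procedure cannot pass: a certificate whose only name is in the Common Name fails 'openssl verify -verify_hostname' just as it fails a current browser, which is why the extfile step is there.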

Install the certificates

The certificates now need to be installed into their correct places on the server.

Set key permissions so that only the owner (root on the server) can read the private keys

chmod 0400 *.key

Create server key and certificate directories

mkdir /etc/apache2/ssl.cert
mkdir /etc/apache2/ssl.key

Copy the server key and the certificates across to the server configuration. Only server.key, server.crt and my-ca.crt go to the web server; my-ca.key stays with the CA.

cp server.key /etc/apache2/ssl.key/
cp server.crt /etc/apache2/ssl.cert/
cp my-ca.crt /etc/apache2/ssl.cert/

Configure Apache2

We now need to configure apache2 to use the certificates. The following assumes the use of mod_ssl and that the a2enmod and a2ensite utilities are available.

Configure apache2 to listen on port 443 (the default https port). The following stanza should be placed in ports.conf (if it exists) or directly beneath the existing 'Listen 80' line in httpd.conf

Listen 443

Enable mod_ssl in the apache configuration. If a2enmod is available you can do

a2enmod ssl

or create the symlink yourself

ln -s /etc/apache2/mods-available/ssl.* /etc/apache2/mods-enabled/

or add the following to the list of LoadModule directives in httpd.conf

LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so

Now we can create the SSL virtual host. Set up a NameVirtualHost directive and a VirtualHost container for port 443 in sites-available/secure.mysite.com

NameVirtualHost *:443
<VirtualHost *:443>
   ServerName secure.mysite.com
   DocumentRoot /my/ssl/document/root
   SSLEngine On
   SSLCertificateFile /etc/apache2/ssl.cert/server.crt
   SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
   SSLCertificateChainFile /etc/apache2/ssl.cert/my-ca.crt
   SSLCACertificateFile /etc/apache2/ssl.cert/my-ca.crt
</VirtualHost>

Two notes on this block: SSLCertificateChainFile is only needed when the server certificate was issued by an intermediate CA rather than directly by the root, and SSLCACertificateFile is used for verifying client certificates; with a single self-signed CA both are harmless but neither is required. On Apache 2.4 the NameVirtualHost directive is no longer needed and only produces a warning.

Enable the site in the apache2 configuration with either

a2ensite secure.mysite.com

or

ln -s /etc/apache2/sites-available/secure.mysite.com /etc/apache2/sites-enabled/

Restart apache2 with either

/etc/init.d/apache2 force-reload

or

apache2ctl restart

You can also use

apache2ctl graceful

A graceful restart re-reads the configuration, including new virtual hosts, certificates and keys; the only difference from a full restart is that in-flight requests are allowed to finish.

Test the HTTPS connection

You can now test the SSL certificate by opening a browser and surfing to

https://secure.mysite.com

You should receive a warning that the SSL certificate offered cannot be validated against a known certificate authority. To prevent this you can install your CA certificate (my-ca.crt, NOT my-ca.key) into the browser's trusted CA list. Once this is done you can browse the SSL site without warnings, provided the certificate also names the site in a subjectAltName extension, which current browsers require.