# OpenSSL and SSL certificates

## cmuench

I was wondering how do I install and set up openssl for my apache2 webserver for a secure website?  Or maybe I could just make my own SSL certificates.  Whatever I do I don't want to buy anything from verisign, etc.  I'm flat-out broke.

----------

## bk0

http://www.cacert.org/

----------

## cmuench

I looked at cacert.org and it wants my server.csr. Where do I find this, and also DO I NEED openssl and mod_ssl installed on my machine or just the one? If so, which one, because they are both the same?

----------

## freebies_11

You need to generate your CSR. Check the CAcert website Howto page. They have info on how to do this over there.

----------

## cmuench

I generated the CSR code and then typed it in their website and then they gave me this server certificate.  Where am I supposed to put this, because I have both openssl and mod_ssl?

----------

## battra

Check out the Apache2 HOWTO on the Gentoo wiki:

http://gentoo-wiki.com/HOWTO_Apache2#SSL

The default location is /etc/apache2/conf/ssl/ - but it's configurable.  Don't forget to put your private key there too (generated during the CSR generation).

----------

## cmuench

Private key as in the one cacert.org gave me because they call it a server key.

----------

## cmuench

I hate to be a pain but the apache2 wiki with ssl didn't help; that's for a self-signed certificate while I have this certificate from cacert.org.  I still don't understand how to do this, and I need to be running this secure site by tomorrow.

----------

## WarMachine

gentoo-wiki howto was pretty useful

----------

## battra

 *cmuench wrote:*   

> I hate to be a pain but the apache2 wiki with ssl didn't help; that's for a self-signed certificate while I have this certificate from cacert.org.  I still don't understand how to do this, and I need to be running this secure site by tomorrow.

 

If you're not using a self-signed certificate, the only difference is that there's an additional file containing the certificate authority chain (a.k.a. the certificates of the certificate authorities that signed your certificate).  

Maybe have a look at the file /etc/apache2/conf/modules.d/41_mod_ssl.default-vhost.conf:

 *Quote:*   

> #   Server Certificate Chain:
> #   Point SSLCertificateChainFile at a file containing the
> ...

 

----------

## nobspangle

There's not really much to be gained from using a cacert certificate. The root isn't included with any browsers (yet) so you may as well self-sign and save yourself some bother.

As you've already got the certificate you may as well use that.

When you generated your certificate signing request (server.csr) you will also have generated a private key file (private.key).

You need the private.key file plus the certificate from cacert and the root CA certificate which you also get from cacert (link).

Put these three files in /etc/apache2/conf/ssl

They should be called

server.crt

server.key

ca.crt

open /etc/apache2/conf/modules.d/41_mod_ssl.default-vhost.conf

find the line

#SSLCertificateChainFile conf/ssl/ca.crt

uncomment that line

open /etc/conf.d/apache2

make sure APACHE2_OPTS contains "-D SSL"

restart apache

----------
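
One way to confirm that the three files from the steps above fit together before restarting Apache, as an added example that is not part of the original thread. It assumes the `openssl` command-line tool is installed; `check_ssl_dir` and `make_demo_dir` are hypothetical helper names, and the demo CA and host name are constructed test data.

```shell
#!/bin/sh
# Added example (not from the thread). File names follow the post above.

# check_ssl_dir DIR: succeed only if server.key belongs to server.crt
# and server.crt verifies against ca.crt.
check_ssl_dir() {
    dir=$1
    for f in server.crt server.key ca.crt; do
        [ -s "$dir/$f" ] || { echo "missing: $dir/$f" >&2; return 1; }
    done
    # Both commands print the public key as PEM; the text must be identical.
    c=$(openssl x509 -in "$dir/server.crt" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ] ||
        { echo "server.key does not match server.crt" >&2; return 1; }
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" 2>/dev/null |
        grep -q ': OK$' ||
        { echo "server.crt does not verify against ca.crt" >&2; return 1; }
    # Warn (do not fail) if the private key is readable by group or others.
    [ -z "$(find "$dir/server.key" \( -perm -040 -o -perm -004 \))" ] ||
        echo "warning: server.key is readable by group/others" >&2
}

# make_demo_dir DIR: constructed test data. A throwaway CA signs a CSR,
# standing in for the CA that returned the certificate.
make_demo_dir() (
    umask 077; mkdir -p "$1" && cd "$1" || exit 1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        'prompt=no' '[dn]' 'CN=Demo CA' '[v3_ca]' \
        'basicConstraints=critical,CA:TRUE' > demo.cnf &&
    openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -days 1 \
        -keyout ca.key -out ca.crt 2>/dev/null &&
    openssl req -new -config demo.cnf -subj '/CN=www.example.test' \
        -newkey rsa:2048 -nodes -keyout server.key -out server.csr 2>/dev/null &&
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 1 -out server.crt 2>/dev/null
)

# With a directory argument, check it, e.g. /etc/apache2/conf/ssl
if [ $# -gt 0 ]; then check_ssl_dir "$1"; fi
```

----------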

## jubo

I have done some steps from above, and I now have a CA as well as some signed certificates on my server.  However, when I go to my site in firefox, I do not get any prompt about the certificate (after I manually installed my CA in firefox), but the lock icon has a red line through it.  When I click on it and get the security properties of the page it says AES-256 bit high grade encryption and web site identity verified.  If I go from IE on my windows machine I don't even get a lock icon, even though the page properties say it is secure.  Anyone have any idea what is going wrong?  curl and wget get the https url fine as well.

Feel free to see the https: site for yourself https://jubo.ath.cx

----------

