Self Signed Certificate for Apache

I often find myself in need of an SSL certificate for some of the websites on my Apache web servers. The problem is that the old method of "ssl-certificate" has been deprecated. And the new "make-ssl-certificate" requires a configuration file. Unfortunately this configuration file sets up a default of one month for your certificate.

Seeing as the make-ssl-certificate script is just a wrapper for the OpenSSL command, I always find myself digging for the correct command incantation. No more. I'm posting it here, with explanations, so that I have a single place to find it - and hopefully help someone else in a similar situation.

The basic command is:

  openssl req -new -x509 -nodes -sha1 -days 3650 -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.pem

Here's a description of the arguments:

  • req - this tells OpenSSL we are doing an X.509 Certificate Signing Request.
  • -new - this tells OpenSSL that we are doing a new certificate, and prompts for the certificate values.
  • -x509 - this tells OpenSSL that we want a self signed certificate.
  • -nodes - tells OpenSSL that our private key shouldn't be encrypted.
  • -sha1 - the digest algorithm used to sign the certificate.
  • -days 3650 - how many days the certificate is good for (10 years in this sample).
  • -out path/to/file - the file to be written to. If not specified, stdout is used.
  • -keyout /path/to/file - where to store the private key that is generated.

Now, the above sample assumes we are creating a certificate for Apache, so it places the output into /etc/apache2/ssl/apache.pem, which is accurate for my Ubuntu servers. Your servers may need a different location. The bonus though is that this file can be easily copied or moved to wherever it is needed. But as always, make sure only authorized people/services can access the file. It holds the unencrypted private key as well as the certificate (-out and -keyout point at the same path), so anyone who can read it can decrypt the web traffic that is based on this certificate, which makes the certificate more or less meaningless.
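An added example (not from the original post) that generates the same kind of combined key-and-certificate file and checks it before it is handed to Apache. It assumes -sha256 in place of -sha1 (SHA-1 signatures are deprecated), an explicit -newkey rsa:2048, a -subj value to skip the prompts, and a scratch directory; the function names are made up for this example.

```bash
#!/bin/sh
# Added example, not from the original post. -sha256, -newkey rsa:2048, -subj
# and the scratch directory are assumptions made here; names are illustrative.

# Create a combined key+certificate PEM, as the post's command does.
make_selfsigned() {            # $1 = output PEM, $2 = hostname for the CN
  # umask 077 in a subshell: the file is owner-only (0600) from the moment
  # it is created, so the unencrypted key is never readable by others.
  ( umask 077
    openssl req -new -x509 -nodes -sha256 -newkey rsa:2048 -days 3650 \
      -subj "/CN=$2" -out "$1" -keyout "$1" )
}

# Permission string of the file, e.g. "-rw-------".
pem_mode() { ls -ld "$1" | cut -c1-10; }

# Succeeds only if the private key and the certificate in $1 belong together.
key_matches_cert() {
  from_cert=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  from_key=$(openssl pkey -in "$1" -pubout) || return 1
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Signature algorithm recorded in the certificate.
sig_alg() {
  openssl x509 -in "$1" -noout -text |
    awk -F': ' '/Signature Algorithm/ && !seen++ { print $2 }'
}

# Succeeds if the certificate is still valid $2 days from now.
valid_in_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Demo in a scratch directory; the post installs to /etc/apache2/ssl/apache.pem.
demo_pem="$(mktemp -d)/apache.pem"
make_selfsigned "$demo_pem" myapp.myserver.com
echo "mode:      $(pem_mode "$demo_pem")"
echo "signature: $(sig_alg "$demo_pem")"
key_matches_cert "$demo_pem" && echo "key and certificate match"
valid_in_days "$demo_pem" 3649 && echo "valid for the next 3649 days"
```

Apache's parent process reads the file as root at startup, so a root-owned file with owner-only permissions is enough for it to load the key.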

Now, just for good measure, there are a couple of other changes needed on the Ubuntu setup of Apache. Open up the /etc/apache2/sites-available/default file. The first line reads "NameVirtualHost *"; we need a second line that is almost identical:

  NameVirtualHost *
  NameVirtualHost *:443

This tells Apache to also handle Virtual Host requests on port 443. When you use "https://", this automatically implies port 443.

Finally, for those virtual hosts that will use SSL, you need to modify the VirtualHost directive for them to use port 443:

  <VirtualHost *:443>

And one final trick. In my case, I wanted the entire virtual host to use SSL. So I added this above my main VirtualHost definition:

  <VirtualHost *>
    ServerName myapp.myserver.com
    # Keep the trailing slash: the rest of the requested path is appended to the target as-is
    Redirect / https://myapp.myserver.com/
  </VirtualHost>

This forces all normal HTTP requests to be redirected / converted to HTTPS.

Now, the only thing left is to tell Apache to use our generated certificate. This is done by adding the following to our VirtualHost definition:

  SSLEngine On
  SSLCertificateFile /etc/apache2/ssl/apache.pem

Of course, if you'd like, you can apply those lines to a specific location, directory, virtual host, OR the whole server. The Apache2 Documentation has more details.

Once you've made these changes, restart your Apache server. If you see no errors, then all should be good and you should be prompted to accept the certificate when you navigate to your virtual host.