
SSL stands for Secure Socket Layer. It's used for secure communications between SSL-enabled clients and servers. Typical examples of its use include HTTPS, POPS, LDAPS, and so on. If you are doing any network-based authentication, you should be doing it over SSL. Ideally, you want all network-enabled services (http, smtp, pop, samba, ldap) running over it. Slim chance, I know. :)


AddToMe: Better description of how SSL works.

Basic description: You have a certificate, which is signed by some CA (Certificate Authority). This certificate has both a public key (which is signed by the CA) and a private key. When a client makes a connection to your SSL-enabled server, the server passes the public key along to the client, and the client then encrypts everything using this public key. The server then decrypts it using the private key.


Tricky points to note:

apache-ssl has an ssl-certificate program which will generate a self-signed key for use. It expires a year after install, so you'll need to recreate it every year (using ssl-certificate --force), and it's not signed by anything, so it'll generate an error every time a browser goes to it - the browser will complain about it not being signed. You can get around this by either creating your own CA and getting people to add it to the CA list in their browsers, or by finding someone else who has a CA and asking them to sign your certificate.

Also, if the key is assigned to the wrong domain (e.g., it's assigned to www.wlug.org.nz and I try to connect to https://mail.wlug.org.nz/ ) it'll generate another error. Simple fix - generate the key for the higher-level domain, e.g. wlug.org.nz. It no longer complains :)


Setting up a CA (Certificate Authority) isn't too hard:

On my Debian Woody (3.0) system
cd /etc/ssl
# -days is given explicitly because "req -x509" otherwise issues a CA certificate valid for only 30 days
openssl req -new -x509 -days 3650 -keyout private/cakey.pem -out cacert.pem

And answer the questions asked - sensibly

NOTE: Make sure you keep your CA's private key private. :)


Setting up a key for apache and signing it against your CA generated above is also easy:

(again, Debian Woody system)

# -nodes leaves the private key unencrypted so apache can start without a passphrase prompt
openssl req -new -config ./openssl.cnf -nodes -out ./apache-req.pem -keyout ./apache-key.pem

And answer the questions appropriately. This has created the certificate request (apache-req.pem) and the private key (apache-key.pem).

To sign
# Signed by the CA via -CA/-CAkey. -signkey is deliberately not used here: it would self-sign the request instead of issuing it from the CA.
openssl x509 -req -in apache-req.pem -out apache-cert.pem -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365

This signs it against the CA certificate and key. It also specifies that it will expire in 365 days' time.

And finally
cp apache-cert.pem /etc/apache-ssl/apache.pem
cp apache-key.pem /etc/apache-ssl/apache-key.pem
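The same CA, request and signing steps as an added, self-contained example (not from the original page): it runs non-interactively in a scratch directory (-subj answers the questions), then checks the result with "openssl verify", including the hostname problem described above; the subjectAltName extension, the scratch paths and the use of wlug.org.nz names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not the page's own commands: CA -> request -> CA-signed cert,
# then verification. Paths and hostnames are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {
    # Self-signed CA certificate and key (the page's "openssl req -new -x509" step).
    # -days is explicit because the default validity is only 30 days.
    openssl req -new -x509 -nodes -days 3650 -subj "/CN=Demo CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

make_csr() {
    # Server private key plus certificate request for hostname $1 (-nodes: key unencrypted).
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$1" \
        -keyout "$WORK/apache-key.pem" -out "$WORK/apache-req.pem" 2>/dev/null
}

sign_csr() {
    # Sign the request with the CA. No -signkey here: that would self-sign instead.
    # The SAN extension lists every name the server answers on ($1 and mail.$1).
    printf 'subjectAltName=DNS:%s,DNS:mail.%s\n' "$1" "$1" > "$WORK/san.cnf"
    openssl x509 -req -in "$WORK/apache-req.pem" -out "$WORK/apache-cert.pem" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -days 365 -extfile "$WORK/san.cnf" 2>/dev/null
}

verify_chain() {
    # Prints "OK" when the server cert chains to the CA, "FAIL" otherwise.
    if openssl verify -CAfile "$WORK/cacert.pem" "$WORK/apache-cert.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

check_host() {
    # Exit status 0 only if the cert chains to the CA and covers hostname $1.
    openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$1" \
        "$WORK/apache-cert.pem" >/dev/null 2>&1
}

make_ca
make_csr wlug.org.nz
sign_csr wlug.org.nz
echo "chain: $(verify_chain)"
check_host mail.wlug.org.nz && echo "mail.wlug.org.nz: covered by the certificate"
check_host other.wlug.org.nz || echo "other.wlug.org.nz: not in the SAN, rejected"
```

A name the service answers on but that is missing from the SAN fails the hostname check exactly the way the browser error above does, so list every hostname when signing.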