Debian Apache SSL

Note: A lot has changed since this article was written in 2004 so the information may no longer be current.

Debian, SSL Certificates and Certificate Authorities

At the time of writing, the Debian apache-ssl package only provides a one-month SSL certificate for use with your apache-ssl server, so most people will need to generate new SSL keys and certificates for their web servers.

This used to be done with the ssl-certificate script, but unfortunately that script has been deprecated.

This howto is designed to show you how to create your own CA (Certificate Authority) keys as well as SSL certificates signed by your CA for use on your web servers.

Generating your own Certificate Authority

cd /etc/ssl
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem

You will be prompted with a number of questions, answer them accordingly.

When you are asked for the common name (CN), give the name you want your Certificate Authority to be called, e.g. My Certificate Authority.

NOTE: Make sure you keep your CA private key (cakey.pem) private!

Unless you tell it otherwise, the above command will create a CA certificate that is only valid for one month.

Use -days n to make it valid for n days; -days 7000 is a good value to start with.

Setting up an SSL key for apache

If you wish to set up a key for apache-ssl and have it signed by your CA, the command is as follows:

cd /etc/ssl
openssl req -new -config ./openssl.cnf -nodes -out ./apache-req.pem -keyout ./apache-key.pem

Again you will be prompted with a series of questions. Answer them appropriately. Be sure that when it asks for your common name (CN), you supply the hostname of the site you are generating the SSL key for.

Signing your new SSL key against your CA

Once your apache-ssl certificate request is created, it must be signed by your CA. The command to do this is below:

cd /etc/ssl
openssl x509 -req -in apache-req.pem -out apache-cert.pem \
-CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365

This signs the request with the CA certificate and key, and sets the new certificate to expire in 365 days. Do not add -signkey apache-key.pem to this command: to openssl x509, -signkey means "self-sign with this key" and takes precedence over -CA, which would leave you with a self-signed certificate that does not chain to your CA.

Now that your certificate has been signed by the CA, you need to put it and its key where apache-ssl will find them.

cd /etc/ssl
cp apache-cert.pem /etc/apache-ssl/apache.pem
cp apache-key.pem /etc/apache-ssl/apache-key.pem

NOTE: this assumes the apache-ssl server is on the same host as the CA; if not, simply scp the files to the relevant host.

You may also want to confirm that the relevant lines in apache-ssl’s httpd.conf are correct. They should read as follows:

SSLCertificateFile /etc/apache-ssl/apache.pem
SSLCertificateKeyFile /etc/apache-ssl/apache-key.pem

You will also need to restart apache-ssl to ensure the new SSL certificate is in use.

/etc/init.d/apache-ssl restart
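The three openssl steps above (CA, certificate request, CA-signed certificate), as an added example that is not part of the original howto: a POSIX shell script that runs them non-interactively in a scratch directory using -subj in place of the prompts, then checks that the issued certificate verifies against the CA and is not merely self-signed. The CA name, the hostname www.example.test and the scratch directory are assumptions; the /etc/ssl and /etc/apache-ssl paths are not used.

```shell
#!/bin/sh
# Added example, not from the original howto: build a private CA and a
# CA-signed server certificate non-interactively in a scratch directory,
# then check the result really chains to the CA. Names are assumptions.
set -e

# Create the CA key/cert and a CA-signed server cert under $1 for host $2.
# -subj answers the prompts; -nodes leaves the keys unencrypted for the
# demo (a real CA key belongs behind a passphrase and off the web host).
make_ca_signed_cert() {
    dir="$1"; host="$2"
    mkdir -p "$dir/private"
    # 1. Self-signed CA certificate and key, valid 7000 days as the howto suggests
    openssl req -new -x509 -nodes -days 7000 -subj "/CN=Example Test CA" \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # 2. Server key and certificate request; the CN must be the site hostname
    openssl req -new -nodes -subj "/CN=$host" \
        -keyout "$dir/apache-key.pem" -out "$dir/apache-req.pem" 2>/dev/null
    # 3. Sign the request with the CA key. Deliberately no -signkey: to
    #    openssl x509 it means "self-sign with this key" and overrides -CA.
    openssl x509 -req -in "$dir/apache-req.pem" -out "$dir/apache-cert.pem" \
        -CA "$dir/cacert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
        -days 365 2>/dev/null
}

# Print a certificate's subject or issuer ($2) as a bare RFC 2253 string.
cert_name() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# Return 0 if the server cert verifies against the CA, is not self-signed
# and carries the expected CN; return 1 otherwise.
verify_chain() {
    dir="$1"; host="$2"
    out=$(openssl verify -CAfile "$dir/cacert.pem" "$dir/apache-cert.pem" 2>&1 || true)
    case "$out" in *": OK"*) ;; *) return 1 ;; esac
    subject=$(cert_name "$dir/apache-cert.pem" subject)
    issuer=$(cert_name "$dir/apache-cert.pem" issuer)
    # A self-signed certificate (the -signkey mistake) has issuer == subject
    [ "$issuer" != "$subject" ] || return 1
    [ "$issuer" = "CN=Example Test CA" ] || return 1
    case "$subject" in *"CN=$host"*) return 0 ;; *) return 1 ;; esac
}

# Demonstration run in a temporary directory
demo_dir=$(mktemp -d)
make_ca_signed_cert "$demo_dir" "www.example.test"
verify_chain "$demo_dir" "www.example.test" && echo "apache-cert.pem chains to the CA: OK"
rm -rf "$demo_dir"
```

The verify_chain check is the one worth keeping around: it fails on exactly the self-signed output that a stray -signkey produces.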