If you ever need to use HTTPS or SSL with your website, you will need to have an SSL certificate created, which your Apache web server would use to hand out to the web browsers of the site visitors. The certificate is normally generated at the time of Linux installation of your PC/server, during Apache installation. However, this certificate would be created for a machine, named “localhost.localdomain” . When a web browser visits such a site , it sees this certificate, and also sees that it does not match the website’s hostname or FQDN. Modern browsers see it as a threat, or something “fishy”. Here is how you would create a new certificate for your website, on your web server. I am using CentOS 5.3 .

Your Apache ssl.conf in /etc/httpd.conf.d directory has the following SSLCertificate related directives.

[root@www conf.d]# grep SSLCertificate /etc/httpd/conf.d/ssl.conf

# Point SSLCertificateFile at a PEM encoded certificate. If

SSLCertificateFile /etc/pki/tls/certs/localhost.crt

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

# Point SSLCertificateChainFile at a file containing the



# the referenced file can be the same as SSLCertificateFile



# SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt



[root@www conf.d]#

Also note down the permissions set of these two files:-

[root@www conf.d]# ls -lh /etc/pki/tls/certs/localhost.crt

-rw——- 1 root root 1.5K Jun 24 23:02 /etc/pki/tls/certs/localhost.crt

[root@www conf.d]# ls -lh /etc/pki/tls/private/localhost.key

-rw——- 1 root root 891 Jun 24 23:02 /etc/pki/tls/private/localhost.key

Now create the new certificate files:

[root@www conf.d]# openssl req -new -days 365 -x509 -nodes -out /etc/pki/tls/certs/server.crt -keyout /etc/pki/tls/private/server.key

Generating a 1024 bit RSA private key

……++++++

……………………………..++++++

writing new private key to ‘/etc/pki/tls/private/server.key’


You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.


Country Name (2 letter code) [GB]:US

State or Province Name (full name) [Berkshire]:California

Locality Name (eg, city) [Newbury]:Los Angeles

Organization Name (eg, company) [My Company Ltd]:Example Web Site

Organizational Unit Name (eg, section) []:Web

Common Name (eg, your name or your server’s hostname) []:www.example.com

Email Address []:webserver@example.com

Note that the files are called server.crt and server.key . You can have any name for these files though. Now you should update your ssl.conf file to use thse files instead of the localhost.crt and localhost.key .

[root@www conf.d]# vi /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/tls/certs/server.crt

SSLCertificateKeyFile /etc/pki/tls/private/server.key

Update the permission set of these two files :-

[root@www conf.d]# chmod 0600 /etc/pki/tls/certs/server.crt

[root@www conf.d]# chmod 0600 /etc/pki/tls/private/server.key

[root@www conf.d]# service httpd restart

Stopping httpd: [ OK ]

Starting httpd: [ OK ]

That is all.

Remember, that this is still a self signed certificate. That means browser clients will still see a “this certificate is no good”, type of message before presenting the site. But this does give the viewer a peace of mind. Setting up your own Certificate Authority will be covered in the next article.

Web-email such as SquirrelMail setup as http://www.example.com/webmail, should now be able to work as https://www.example.com/webmail .

Please note that Apache SSL certificates cannot be used with Name based Virtual Hosts.You may want to have a look at the following link for more detail about this point .

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts2

Kamran