Installing a Secure Certificate on a Linux Server
December 16th, 2007
Secure certificates have become steadily cheaper since their inception, but until you have purchased and installed one there is a bit of mystery around the process. This mini-tutorial deals specifically with installing a Standard SSL Certificate from GoDaddy on a Red Hat Enterprise Linux 5 (or CentOS 5) server with Apache 2.2 installed. It should be easy to adapt the content of this tutorial to other certificate authorities or flavors of Linux.
Introduction
Purchasing and installing a certificate is a three step process:
- Certificate Request - The server on which the certificate will be installed must generate both a private key and then a CSR (Certificate Signing Request).
- Domain Validation - Once the Certificate Authority receives the CSR, they will verify that the party who requested the certificate has authority over the domain name. For Basic SSL Certificates, this takes the form of an email to the contact person listed with the domain registration. The more advanced the certificate you buy, the more in-depth the validation process will be.
- Installation - Once the validation has succeeded, you will receive the certificate files. At this point you can install them in Apache. You can also choose to install them in your mail server (if it resides on the same machine under the same domain).
Certificate Request
The first step to creating a certificate signing request (CSR) is to create a private key. OpenSSL will be used to create both of these items. You will need to be logged in as root to move these files to the proper locations (although they can be created by a non-privileged user). Generally, the private key will go into the /etc/httpd/conf/ssl.key/ directory, and the CSR will go into the /etc/httpd/conf/ssl.csr/ directory.
TIP: If a server will have more than one domain hosted on it, it is ideal to include the domain name in the certificate, private key, and CSR file names. This way, even if you lose your configuration files, you know which certificate is associated with each domain.
openssl genrsa -out /etc/httpd/conf/ssl.key/mydomain.com.key 1024
Code Example 1 - Generating the Private Key
Once the private key is created, you can create the CSR. You will be asked a series of questions while creating the CSR; the full list is shown in Figure 1. The most important question is where OpenSSL asks for the Common Name: you must type the domain name that you are getting the certificate for. If you are getting a certificate for a subdomain, be sure to type the entire name (but leave off the "www." from the beginning of domains). Note that you do not have to fill in every value.
openssl req -new -key /etc/httpd/conf/ssl.key/mydomain.com.key -out /etc/httpd/conf/ssl.csr/mydomain.com.csr
Code Example 2 - Generating the CSR

Figure 1 - CSR Generation Questions
Once you have generated your CSR, you can output it to the screen with the following command. When you are requesting your certificate, there will be a box where you will paste this CSR.
cat /etc/httpd/conf/ssl.csr/mydomain.com.csr
Code Example 3 - Outputting CSR to Screen
Domain Validation
NOTE: Before you submit your CSR to the Certificate Authority, do a WHOIS Lookup for your domain to ensure that all of the data is correct. Correct all information with your domain registrar before submitting your CSR.
The actual validation process for a certificate is different depending on which certificate authority is used. As stated earlier, GoDaddy's Basic SSL certificate only requires an email verification (to the administrative or registrant contact for the domain). Once the email recipient verifies that the request is legitimate, the certificate is issued.
Certificate Installation - Apache
Once the certificate is issued, the certificate authority will email you to let you know that you can download the certificates. You will generally receive two certificates: the actual certificate for your domain, and the chain certificate that is specific to the certificate authority. With Apache (unlike Sendmail, IMAP, or POP Servers) these certificates will remain in separate files.
By default in RHEL 5 (or CentOS 5) there is a file /etc/httpd/conf.d/ssl.conf . This defines the default SSL implementation for the Apache server. If you only have one virtual host on the server, you can enter all of your certificate details in this file. If you have multiple virtual hosts, comment out the following lines in ssl.conf and put the specific information in each virtual host definition. Most of the information should already be correct, but you will need to replace the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile configuration values (as shown below).
# Server Certificate:
SSLCertificateFile /etc/httpd/conf/ssl.crt/mydomain.com.crt

# Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mydomain.com.key

# Server Certificate Chain:
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/gd-chain.crt
Code Example 4 - Apache Configuration /etc/httpd/conf.d/ssl.conf file
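The two steps above that are easiest to get wrong are generating the CSR and wiring the returned files into ssl.conf, and both fail the same way: Apache refuses to start because the certificate does not belong to the key it is paired with. The script below is an added example, not part of the original tutorial. It generates the key and CSR non-interactively (the answers to the Figure 1 questions are passed with -subj), checks that the CSR really carries the public half of the key, and then runs the two checks worth doing on the files the certificate authority sends back before touching ssl.conf: the certificate's modulus must match the key, and the certificate must verify against the chain file. Since no real CA is available offline, a throwaway self-signed CA stands in for GoDaddy purely so the checks have something to run on; everything is written to a temporary directory instead of /etc/httpd, and the key is 2048 bits because public CAs no longer accept the 1024-bit keys the tutorial generates. All file names and subject fields are constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumes the openssl CLI is
# installed. Paths, names and subject fields are constructed stand-ins.
set -e

# Generate a private key (created 0600 via umask) and a CSR for $2 in $1,
# answering the prompts from Figure 1 on the command line with -subj.
gen_key_and_csr() {   # $1 = directory, $2 = common name
    dir=$1; cn=$2
    (umask 077; openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/$cn.key" -out "$dir/$cn.csr" \
        -subj "/C=US/ST=Example State/L=Example City/O=Example Org/CN=$cn"
}

# SHA-256 of the RSA modulus in a key (rsa), CSR (req) or certificate (x509),
# so the three can be compared without dumping the modulus itself.
modulus_fp() {   # $1 = rsa|req|x509, $2 = file
    openssl "$1" -noout -modulus -in "$2" | openssl sha256 | awk '{print $NF}'
}

# The CSR must carry the public half of the key it will be served with; a CSR
# pasted from a different server is a common cause of a key/certificate mismatch.
csr_matches_key() {   # $1 = key, $2 = csr
    [ "$(modulus_fp rsa "$1")" = "$(modulus_fp req "$2")" ]
}

# Stand-in for the certificate authority: a throwaway self-signed CA that signs
# the CSR. In real use this is GoDaddy's job; it exists here only so that the
# checks below have a certificate and a chain file to work on.
toy_ca_sign() {   # $1 = directory, $2 = common name
    dir=$1; cn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/gd-chain.crt" -days 30 \
        -subj "/O=Stand-in CA/CN=Stand-in Root" 2>/dev/null
    openssl x509 -req -in "$dir/$cn.csr" -CA "$dir/gd-chain.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/$cn.crt" -days 30 2>/dev/null
}

# The checks to run on the returned files before editing ssl.conf:
# the certificate must match the private key, and it must chain to the CA file.
verify_issued_cert() {   # $1 = key, $2 = certificate, $3 = chain file
    key=$1; crt=$2; chain=$3
    [ "$(modulus_fp rsa "$key")" = "$(modulus_fp x509 "$crt")" ] || {
        echo "certificate does not match private key $key" >&2; return 1; }
    openssl verify -CAfile "$chain" "$crt" >/dev/null || {
        echo "certificate does not chain to $chain" >&2; return 1; }
    # show what was issued: subject (Common Name) and validity period
    openssl x509 -noout -subject -dates -in "$crt"
}

# Whole sequence in a temporary directory: request, stand-in issuance, checks.
run_demo() {
    work=$(mktemp -d)
    gen_key_and_csr "$work" mydomain.com || return 1
    csr_matches_key "$work/mydomain.com.key" "$work/mydomain.com.csr" || return 1
    toy_ca_sign "$work" mydomain.com || return 1
    verify_issued_cert "$work/mydomain.com.key" "$work/mydomain.com.crt" \
        "$work/gd-chain.crt" || return 1
    rm -rf "$work"
}
```

Source the file and call run_demo to see the full round trip, or call verify_issued_cert with the three paths from Code Example 4 against the real files: if it prints the subject and dates, Apache will accept the same three files.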
Certificate Installation - Other
Many other services on your server can also take advantage of a secure certificate. For example, an IMAP server can use the secure certificate for its secure communications with an email client. Many of these other services require the certificate to be in another format which combines all of the elements (private key, certificate, and chain certificate) into a single file. These files usually have an extension of .pem.
To put your certificate into the PEM format, you will need to put these previously mentioned items into the same file in the following order: private key, secure certificate, chain certificate. If you were creating a PEM file for sendmail you could use the following commands to create the file.
touch sendmail.pem
cat /etc/httpd/conf/ssl.key/mydomain.com.key >> sendmail.pem
cat /etc/httpd/conf/ssl.crt/mydomain.com.crt >> sendmail.pem
cat /etc/httpd/conf/ssl.crt/gd-chain.crt >> sendmail.pem
Code Example 5 - Creating a PEM File for Certificate Information
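Because the combined file contains the private key, it deserves the same protection as the key itself, and because the order of the parts matters to the services that read it, a mistake in the order is worth catching before a mail server is pointed at the file. The script below is an added example, not part of the original tutorial: it builds the PEM file in the order described above but under a restrictive umask so the file is never world-readable, and it checks the BEGIN markers of the result to confirm that a private key comes first followed by the certificate and the chain. The three input files it assembles are constructed placeholders with no real key or certificate material in them.

```shell
#!/bin/sh
# Added example, not from the original tutorial. The input parts are
# constructed placeholders; no real key or certificate data is used.
set -e

# Concatenate the parts in the order services expect. The umask makes the
# output 0600 from the moment it exists, because it holds the private key.
build_pem() {   # $1 = output file, remaining args = parts in order
    out=$1; shift
    (umask 077; cat "$@" > "$out")
}

# Print the BEGIN marker labels of a PEM file, one per line,
# e.g. "RSA PRIVATE KEY" or "CERTIFICATE".
pem_block_types() {   # $1 = pem file
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Return 0 only if the file holds one private key first, then the server
# certificate, then at least one chain certificate, and nothing else.
pem_order_ok() {   # $1 = pem file
    seq=$(pem_block_types "$1" | tr '\n' '|')
    case "$seq" in
        "RSA PRIVATE KEY|CERTIFICATE|CERTIFICATE|"*|"PRIVATE KEY|CERTIFICATE|CERTIFICATE|"*) ;;
        *) echo "unexpected block order: ${seq%|}" >&2; return 1 ;;
    esac
    # after the first block only certificates may follow
    case "${seq#*|}" in
        *"PRIVATE KEY"*) echo "more than one private key in $1" >&2; return 1 ;;
    esac
    return 0
}

# Constructed stand-ins for the three files Code Example 5 concatenates.
make_fixture() {   # $1 = directory
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER-KEY' \
        '-----END RSA PRIVATE KEY-----' > "$1/mydomain.com.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CERT' \
        '-----END CERTIFICATE-----' > "$1/mydomain.com.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CHAIN' \
        '-----END CERTIFICATE-----' > "$1/gd-chain.crt"
}

# Build the file in the right order and in the wrong order; only the first passes.
run_demo() {
    work=$(mktemp -d)
    make_fixture "$work"
    build_pem "$work/sendmail.pem" "$work/mydomain.com.key" \
        "$work/mydomain.com.crt" "$work/gd-chain.crt"
    pem_order_ok "$work/sendmail.pem" || return 1
    build_pem "$work/wrong.pem" "$work/mydomain.com.crt" \
        "$work/mydomain.com.key" "$work/gd-chain.crt"
    if pem_order_ok "$work/wrong.pem" 2>/dev/null; then return 1; fi
    rm -rf "$work"
}
```

Run pem_order_ok against the sendmail.pem you built from the real files; a file that passes still needs the ownership and permission settings from the next section.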
Setting Permissions
To ensure proper security on the server, you will need to set the proper ownership and permissions on each of the certificate files.
chown root /etc/httpd/conf/ssl.key/mydomain.com.key
chmod 400 /etc/httpd/conf/ssl.key/mydomain.com.key
chown root /etc/httpd/conf/ssl.crt/mydomain.com.crt
chmod 400 /etc/httpd/conf/ssl.crt/mydomain.com.crt
chown root /etc/httpd/conf/ssl.crt/gd-chain.crt
chmod 400 /etc/httpd/conf/ssl.crt/gd-chain.crt
Code Example 6 - Setting Ownership and Permissions on Certificates
If you created certificates in other formats or locations on the server, you will also need to set their ownership and permissions.
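Permissions set once tend to drift: a renewed key is copied in with a 0644 default, or a PEM file for another service is created by a non-root user. The audit below is an added example, not part of the original tutorial; it checks each listed file for the exact owner and mode that Code Example 6 sets and reports every file that differs or is missing, so it can be run after every renewal or from cron. The expected owner and mode are parameters (root and 0400 by default, matching the tutorial), and the default file list uses the tutorial's paths.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Checks files against the
# owner and mode set in Code Example 6; paths below are the tutorial's.
set -e

# Return 0 if $1 is a regular file owned by user $2 with mode exactly $3 (octal).
# find with -prune looks only at the named path and prints it only on a match.
file_perms_ok() {   # $1 = path, $2 = owner, $3 = octal mode
    [ -n "$(find "$1" -prune -type f -user "$2" -perm "$3" -print 2>/dev/null)" ]
}

# Audit every path given after the owner and mode; print one line per problem
# and return the number of problems, so 0 means everything matches.
audit_cert_files() {   # $1 = expected owner, $2 = expected mode, rest = files
    owner=$1; mode=$2; shift 2
    bad=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING $f"
            bad=$((bad + 1))
        elif ! file_perms_ok "$f" "$owner" "$mode"; then
            echo "FIX     $f (want owner=$owner mode=$mode)"
            bad=$((bad + 1))
        else
            echo "OK      $f"
        fi
    done
    return "$bad"
}

# Default run: the three files the tutorial installs, owned by root, mode 0400.
run_default_audit() {
    audit_cert_files root 0400 \
        /etc/httpd/conf/ssl.key/mydomain.com.key \
        /etc/httpd/conf/ssl.crt/mydomain.com.crt \
        /etc/httpd/conf/ssl.crt/gd-chain.crt
}
```

Add any PEM files built for other services to the list passed to audit_cert_files; a non-zero exit status is what a cron job or monitoring check should alert on.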
Conclusion
Finally, you will need to restart Apache and any other services that use the new certificate. Once that is completed, you should test whether your certificate was installed properly. Figure 2 shows the Firefox security window for a website that has a properly installed GoDaddy Basic SSL Certificate.

Figure 2 - Successful Certificate Installation



One comment on “Installing a Secure Certificate on a Linux Server”
Thanks! Love this simple tutorial.