Design Menace

Adding an SSL Certificate to Ubuntu

Amazon Web Services

Ok, this was a freaky one for me, because security always is, but as always, if you just follow instructions…it’s not that hard.

The first thing to do is make sure SSL is enabled, so type in

[code]sudo a2enmod ssl[/code]

Next you need to generate your private key, a 2048-bit RSA key. The -des3 option encrypts the key file, so once you type the following in you will have to create a passphrase and verify it.

[code]openssl genrsa -des3 -out server.key 2048[/code]

So, you have created your key file, and now you need to create the CSR (certificate signing request) file that GoDaddy, or whichever CA you use, will use to generate your certificate. After you type this in you will be asked to answer a series of questions. Please do! The one that tricks me every time is the Common Name (CN). The CN is actually the domain name without the http:// in front. (i.e.

[code]openssl req -new -key server.key -out server.csr[/code]

Now if you view the directory you will have 2 files called server.key and server.csr. When filling out the issuer's form they will ask you for the CSR. Just view this file, copy it, and paste it into their form.

Now the process for getting the certificate differs between issuers, but in the end you should end up with 2 files: the certificate and the CA bundle. You will need to get these two files onto the server. I usually create the .key and .csr files in my home directory, so it's just as easy to drop these two new files into the same directory when SFTP'ing in and uploading them. For SFTP instructions check out Setting up a EC2 Server on Amazon: Part 3, and Adding a User to Ubuntu.

So at this point I have 4 files in my home “sublet” directory: a .key file, a .csr file, a .crt file, and a .gt file. It's time to install them into the system :)

[code]sudo cp server.key /etc/ssl/private
sudo cp /home/sublet/CERTIFICATE_NAME /etc/ssl/certs
sudo cp /home/sublet/gd_bundle.crt /etc/apache2/ssl.crt[/code]

Now create a link between the sites-available SSL file and the sites-enabled.

[code]sudo ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/000-default-ssl[/code]

Just as a backup in case anything goes wrong, copy the two site files somewhere safe first.

[code]sudo cp /etc/apache2/sites-available/default default_original
sudo cp /etc/apache2/sites-available/default-ssl default-ssl_original[/code]

Now edit the default-ssl file and make sure it's all pointing at the new certificates and server key. Also, you probably have mod_rewrite set up, so make sure you change AllowOverride None to AllowOverride All.

[code]sudo pico /etc/apache2/sites-available/default-ssl[/code]

Now, over the years these 4 lines have drifted further and further apart in the file, but they should all be in there already. You may need to uncomment them, but they should all be there.

[code]SSLEngine on
SSLCertificateFile /etc/ssl/certs/
SSLCertificateKeyFile /etc/ssl/private/server.key
SSLCACertificateFile /etc/apache2/ssl.crt[/code]

Now just restart Apache, and you're good to go!

[code]sudo /etc/init.d/apache2 restart[/code]

Well…sorta…you will notice that when you do restart Apache it will ask for a passphrase: the one you set up when creating the key. Once you enter it you can load the site in a browser, and it will display properly! But let's say there is a huge influx of traffic that you weren't ready for. Your server goes down, reboots, and before Apache will start, it needs that passphrase.

The reason this pops up in the first place is that the RSA private key inside the server.key file is stored encrypted, and the passphrase is needed to read it. Once you strip that encryption, the key is protected only by the file permissions on it, so anyone who gets root on the box can read it. So, when you're ready, and you can be sure that your server is secure enough, do the following.

[code]sudo cp /etc/ssl/private/server.key /etc/ssl/private/
sudo openssl rsa -in /etc/ssl/private/ -out /etc/ssl/private/server.key[/code]

This will remove the encryption from the RSA private key, while keeping the original encrypted file. Now make sure the server.key file can only be read by the root user, and you should be good to go.

[code]sudo chmod 400 /etc/ssl/private/server.key[/code]

Now if you reboot, you will not get that message!
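Since the config edit above and the passphrase change are both easy to get wrong, here is a small POSIX shell script I added as an example (it is not from the original post) that checks a default-ssl vhost without restarting Apache: that the four directives are active, that the files they name exist, that the key is mode 400, and whether the key still carries a passphrase. Paths are read from the vhost file; the layout built in demo() is constructed placeholder data, not real keys or certificates.

```shell
# Added example, not from the original post: check an Apache default-ssl vhost for what
# the post says to verify by hand, without restarting Apache. Paths come from the config.

# Print the value of the first active (not commented-out) occurrence of a directive.
directive_value() {  # $1 = config file, $2 = directive name
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Succeed if the PEM key is still passphrase-protected (what makes Apache prompt on restart).
key_is_encrypted() {  # $1 = key file
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Returns 0 only if SSLEngine is on, the three certificate/key directives point at
# existing files, and the key is not group/world-readable; an encrypted key only warns.
check_ssl_vhost() {  # $1 = vhost config file
    cfg=$1; rc=0
    [ "$(directive_value "$cfg" SSLEngine)" = on ] || { echo "FAIL: SSLEngine is not on"; rc=1; }
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCACertificateFile; do
        f=$(directive_value "$cfg" "$d")
        if [ -z "$f" ]; then echo "FAIL: $d missing or commented out"; rc=1
        elif [ ! -f "$f" ]; then echo "FAIL: $d -> $f does not exist"; rc=1
        else echo "ok:   $d -> $f"
        fi
    done
    key=$(directive_value "$cfg" SSLCertificateKeyFile)
    if [ -f "$key" ]; then
        mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
        [ "$mode" = 400 ] || [ "$mode" = 600 ] || { echo "FAIL: $key has mode $mode, expected 400"; rc=1; }
        if key_is_encrypted "$key"; then
            echo "WARN: $key is passphrase-protected; Apache will prompt for it on restart"
        fi
    fi
    return $rc
}

# Build a throwaway fixture in the post's layout (constructed placeholders, not real
# keys or certificates) and check it. $1 = "encrypted" or "plain".
demo() {
    t=$(mktemp -d); mkdir -p "$t/certs" "$t/private"
    for f in certs/example.crt gd_bundle.crt; do echo "-----BEGIN CERTIFICATE-----" > "$t/$f"; done
    echo "-----BEGIN RSA PRIVATE KEY-----" > "$t/private/server.key"
    if [ "$1" = encrypted ]; then echo "Proc-Type: 4,ENCRYPTED" >> "$t/private/server.key"; fi
    chmod 400 "$t/private/server.key"
    printf '%s\n' "SSLEngine on" "#SSLCertificateFile /old/path.crt" \
        "SSLCertificateFile $t/certs/example.crt" "SSLCertificateKeyFile $t/private/server.key" \
        "SSLCACertificateFile $t/gd_bundle.crt" > "$t/default-ssl"
    check_ssl_vhost "$t/default-ssl"
}
```

Run `demo encrypted` to see the WARN line you get before stripping the passphrase, or point check_ssl_vhost at /etc/apache2/sites-available/default-ssl (as root, so it can stat the key) to check a real box.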

Something else you can do is use `SSLPassPhraseDialog exec:/path/to/program`. But this is neither more nor less secure.

Some good references I used to get this information are listed here.