May 23 2007

Installation of SSL on Ubuntu 7.04

Published by at 1:12 am under SSL,Ubuntu

First Get Open SSL installed on the server

sudo apt-get install openssl

This will install the latest openssl library that is been tested on the Ubuntu server version you are using. For example, if your are using 7.07, the above command will install openssl0.98 version. If you want to install any other version then you have to specify the exact version name while you install

Creating a Self-Signed ( Private) Root Certificate

A brief primer on certificates in Layman terms.

Suppose let us say that a Client C wants to access a Server S for some transaction. Now Client C wants to make sure that it is indeed connecting to Server S. There are many ways to do it but most common way is through Digital Certificates. I dont want to get into details of the theory behind the technologies behind Digital Certificates. Let us assume that Server S and Client C has a digital certificate. Now Client C connects to the Server S and Server S sends its certificate. But the catch here is that how can Client C trust that Server S is indeed what it claims to be. If Client C and Server S are known to each other, then there is trust established. In a scenario, where Client C and Server S do not know each other, a third party ( Certificate Authority CA) who is trusted by both Client C and Server S will establish the trust.

Difference Between Self-signed Certificates and Authorized Certifiers

The main difference is that in self-signed Certificates, there is no third party involved. So if you are connecting to a Server that you do not trust, you are at risk. There is absolutely no difference in the Certificates you privately sign and the one signed by authorized certifiers like Verizone. (Note: Assuming that you create the certificates properly )

When Can use Self-Signed Certificates and When to go for Commercial Certificates

As i said earlier, when Client C knows the Server S, then you can go for Self-signed certificates. When i say “know” i mean either you own Client C and Server S or Server S is maintained by someone you personally know. For others, i personally feel you should go for a commercial certificates.

What are the steps involved in creating self-signed authority

  • Here is the very simple way of creating a Self signed certificate.

enter the command as follows to generate a certificate valid for 365 days
sudo apache2-ssl-certificate -days 365

The program asks for few inputs. Please enter as required. It is shown below

Country Name (2 letter code) [GB]:

State or Province Name (full name) [Some-State]:

Locality Name (eg, city) []:Singapore
Organization Name (eg, company; recommended) []:

Organizational Unit Name (eg, section) []:
server name (eg. ssl.domain.tld; required!!!) []:enter your domain name here

Email Address []:

Now you should have your certificate ready to use.

(NOTE: Ubuntu Feisty has a bug where the command apache2-ssl-certificate is missing. This is a well documented bug. Here is the file you need to download to overcome this defect to create a self signed certificate. After you download, follow the notes below to copy the downloaded files to the location where they are supposed to be present.

Extract the package and put ssleay.cnf to /usr/share/apache2/ and apache2-ssl-certificate to /usr/sbin.
Create /etc/apache2/ssl directory. Then apache2-
ssl-certificate script should work.)

Once you have your certificate ready, then you need to configure you apache2.conf file. In this case, the configuration is very simple. Here is an example on how to do it:

NameVirtualHost *:443
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName securedomain
ServerAlias securedomain
www.domain3.com
DocumentRoot /var/www/ssl_securearea

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem

<Directory /var/www/ssl_securearea>
Options -Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

</VirtualHost>

above i have shown the whole virtual host configuration to be complete. But i hope you get an idea where to put it.

Comments Off on Installation of SSL on Ubuntu 7.04

Comments are closed at this time.