Installing an SSL certificate in a LAMP environment

Wow, if you’re reading this you are doing so over a 256 bit encrypted link.  To give you an idea of what that means, my bank only uses 128 bit encryption.  Now for a while I was doing this with a self-signed certificate.  But then you run into all kinds of hassles: when you send a link to your non-geek friend they get all upset because they get a warning when they try to go to it.  Aside from that hassle (which I can live with) I ran into an issue with the flash uploader on my Gallery 3 site.  It seems that if you have a self-signed certificate the flash uploader will not work, leaving the ‘server add’ option as the only way to upload anything to the server, which would have meant a whole bunch of work that I just didn’t feel like doing right now.

The solution?  Get a signed certificate from a CA.  Yeah, that seems a little obvious, but here’s the thing.  I’m not selling anything, meaning I’m not making anything, and I don’t really want to pay for it.  Free SSL certificates?  Turns out yes, they do exist.  I went with StartSSL and was very pleased with the experience.  The first thing I had to do was validate my email and get a certificate for that, and then it was time to get the SSL/TLS server cert.  Here is how I did it so I’ll know how to do it next time.

Telnet into the server and issue the following command:

openssl req -new -newkey rsa:2048 -nodes -keyout myserver.key -out server.csr

This will give you two files:
myserver.key: this is your private key. Keep it on the server and readable by root only.
server.csr: this is the Certificate Signing Request that you will submit to the CA.

In my case (running Fedora Core 16) I placed the myserver.key file in the /etc/pki/tls/private/ directory.
When you submit the CSR to the CA, they will have you cut and paste the returned text into an ssl.cert file. Get that onto your server; I put it in /etc/pki/tls/certs/. Then you need to find the ssl.conf file and change the SSLCertificateFile and SSLCertificateKeyFile locations and names to match where you put them. Save the file, restart Apache and you are good to go.

UPDATE
Okay, got home and got a message that I missed a couple of files.  These are the files that were missing:

SSLCertificateChainFile /usr/local/apache/conf/sub.class1.server.ca.pem
SSLCACertificateFile /usr/local/apache/conf/ca.pem

I put them into /etc/pki/tls, linked them in the ssl.conf, and it worked fine and seemed to fix any issues I saw, so don’t forget to do this next time.
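Here is an added helper script (mine, not from the original post or from StartSSL) that wraps the steps above: it runs the same openssl req command to make the key and CSR, and then, once the signed cert and the two CA files are in place, checks the things that usually bite you before you restart Apache: that the private key is not group- or world-readable, that the cert you pasted actually belongs to the key you generated, and that the cert validates against the chain and CA files. It then prints the ssl.conf directives. All file paths and the subject name are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the key/CSR the post
# describes and pre-flights the files Apache's ssl.conf will point at.
set -e

# Same command as the post, with the subject given on the command line so it
# runs non-interactively. The subshell's umask keeps the key root-only from
# the moment it is written; chmod makes that explicit afterwards.
gen_key_and_csr() {   # $1=key path  $2=csr path  $3=subject e.g. "/CN=www.example.com"
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" -subj "$3" 2>/dev/null )
  chmod 600 "$1"
}

# True only if the key has no group or other read bit set.
key_is_private() {    # $1=key path
  [ -z "$(find "$1" \( -perm -004 -o -perm -040 \) -print)" ]
}

# True if the public key inside the certificate is the one derived from the
# private key, i.e. the CA signed the CSR that came from this key.
key_matches_cert() {  # $1=key path  $2=cert path
  [ "$(openssl pkey -pubout -in "$1" 2>/dev/null)" = "$(openssl x509 -noout -pubkey -in "$2")" ]
}

# True if the server cert chains through the intermediate (chain) file up to
# the root in the CA file, which is what SSLCertificateChainFile and
# SSLCACertificateFile describe.
chain_verifies() {    # $1=cert path  $2=chain (intermediate) path  $3=CA (root) path
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Emit the ssl.conf directives for the paths given.
render_ssl_conf() {   # $1=cert  $2=key  $3=chain  $4=CA
  printf 'SSLEngine on\nSSLCertificateFile %s\nSSLCertificateKeyFile %s\nSSLCertificateChainFile %s\nSSLCACertificateFile %s\n' "$1" "$2" "$3" "$4"
}

# Run every check; returns non-zero (and names the failure) on the first problem.
preflight() {         # $1=cert  $2=key  $3=chain  $4=CA
  key_is_private  "$2"      || { echo "FAIL: $2 is readable by group/other" >&2; return 1; }
  key_matches_cert "$2" "$1" || { echo "FAIL: $1 does not match $2" >&2; return 1; }
  chain_verifies  "$1" "$3" "$4" || { echo "FAIL: $1 does not verify against $3/$4" >&2; return 1; }
  echo "OK: key, cert and chain are consistent"
}

# Example usage with the post's Fedora paths (assumed; adjust to your layout):
#   gen_key_and_csr /etc/pki/tls/private/myserver.key /root/server.csr "/CN=www.example.com"
#   ... submit server.csr, save the returned cert as /etc/pki/tls/certs/ssl.cert,
#   ... save the CA's intermediate and root as /etc/pki/tls/sub.class1.server.ca.pem and /etc/pki/tls/ca.pem
#   preflight /etc/pki/tls/certs/ssl.cert /etc/pki/tls/private/myserver.key \
#             /etc/pki/tls/sub.class1.server.ca.pem /etc/pki/tls/ca.pem \
#   && render_ssl_conf /etc/pki/tls/certs/ssl.cert /etc/pki/tls/private/myserver.key \
#             /etc/pki/tls/sub.class1.server.ca.pem /etc/pki/tls/ca.pem
```

After pasting the rendered directives into ssl.conf, `apachectl configtest` catches path typos before the restart; the mismatch and chain checks above catch the case where the right files are in the right place but do not belong together, which Apache only reports at startup (or, for a missing chain, not at all: browsers simply fail to build the chain).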
