I'll assume you already have a web server, database server and application runtime (a LAMP environment) prepared for running a web application such as WordPress or Drupal, and that you want to add SSL/TLS to it.
I was thinking of running my own root CA and keeping all keys and issued certificates in the XCA tool, as I did at my previous company. But after a little thought I decided to support the CAcert community instead. CAcert confirms domain ownership by e-mail, so I set up the domain with an MX record in order to get my server certificate from them.
The first thing to do was to generate a new 4096-bit RSA key. Debian-based distributions ship a default "snakeoil" private key of only 2048 bits, and a key that is generated on every machine by the installer is not one you want behind a public site anyway. From that new key I will generate a CSR (certificate signing request), submit it through my CAcert user account and get a server certificate for my domain. The only thing left after that is the Apache virtual host setup.
I'd suggest using existing folders, somewhere it is logical to look for these files. Debian has its own folder for CA (Certification Authority) certificates under "/etc/ssl". That folder already has two sub-folders: "private", where the "snakeoil" key lives, and "certs", where all the root CAs are. At first I put the key in "private" and the server certificate in "certs", but after upgrading the operating system I found that the package management system got "confused" by the certificate: "/etc/ssl/certs" is maintained by the ca-certificates package, whose update-ca-certificates script rewrites the symlinks there, so it is not a safe place for your own files. The safer way is to create a new folder and put everything inside it, so it survives upgrades in the long term.
# mkdir /etc/ssl/custom
# cd /etc/ssl/custom
# openssl genrsa -out atom.key 4096
Keep in mind that this private key is unencrypted. That is deliberate: I want to avoid typing a passphrase to unlock the key every time Apache starts. So I'll change the ownership and permissions so that other users on the system cannot read it. Apache reads the key at startup while it is still running as root, before it drops privileges to www-data, so only root (plus the ssl-cert group, which is Debian's convention for the snakeoil key) needs access. If someone can read it as root, that is already a security breach that should not have happened in the first place, but anyway… (why put additional locks on the car's steering wheel, stereo and gear shift when it already has door locks, an alarm and a tracking system? A thief could steal the whole car and park it where radio signals don't penetrate…)
# chown root:ssl-cert atom.key
# chmod 440 atom.key
Now it's time to generate the certificate signing request. When prompted, set the Common Name to the server's FQDN (here www.s55aj.eu); that is the name the certificate will be issued for, so it must be one of the domains verified in your CAcert account. The other fields can be left at their defaults.
# openssl req -new -key atom.key -out www.s55aj.eu.csr
Then copy the content of the generated file, paste it into the CAcert request form and submit it. It takes a few seconds to generate the certificate, which is then printed back on your screen. Copy those "strange" lines (the whole PEM block, from the BEGIN line to the END line) onto your server into a new file named after the FQDN (Fully Qualified Domain Name), in my case www.s55aj.eu.pem.
The next step is to download CAcert root CA and place it under the trusted system certificates just in case.
# cd /etc/ssl/custom
# wget http://www.cacert.org/certs/root.crt
# mv root.crt CAcert.pem
# ln -s /etc/ssl/custom/CAcert.pem /etc/ssl/certs/CAcert.pem
Now we have almost all the resources needed to set up the SSL virtual host in Apache. The remaining step is to create a virtual host definition file. There is already a template in "/etc/apache2/sites-available/default-ssl" to use as a reference.
# cd /etc/apache2/sites-available
# touch www.s55aj.eu.conf
# cat www.s55aj.eu.conf
<VirtualHost *:443>
    DocumentRoot /srv/www/wp
    ServerName www.s55aj.eu
    ServerAlias wp.s55aj.eu
    <Directory "/srv/www/wp">
        allow from all
        Options +Indexes
    </Directory>
    SSLEngine on
    SSLCertificateFile /etc/ssl/custom/www.s55aj.eu.pem
    SSLCertificateKeyFile /etc/ssl/custom/atom.key
    SSLCACertificateFile /etc/ssl/custom/CAcert.pem
</VirtualHost>
# a2ensite www.s55aj.eu.conf
# service apache2 reload
Now it should be up and running. A few things to check before calling it done. The certificate only covers the names it was issued for, so the ServerAlias wp.s55aj.eu will produce a name-mismatch warning in browsers unless that name was included in the request as well. SSLCACertificateFile is the list of CAs Apache uses to verify client certificates; it does not make browsers trust the server certificate, and intermediates that clients need would go in SSLCertificateChainFile instead. Since the CAcert root is not shipped in mainstream browser trust stores, visitors will see a warning until they import it themselves. Finally, Options +Indexes turns on directory listings, which you do not want on a WordPress document root, so drop it there.
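The whole key, CSR, certificate and CA flow above can be rehearsed offline, and that is worth doing before wiring real files into a vhost. The script below is an added example, not code from the original post or from CAcert: a throwaway local root CA stands in for CAcert, and three checks then answer the questions you actually care about, namely that the certificate was issued for this private key, that it chains to the CA file you will point Apache at and carries the hostname you serve, and that the key is not readable by other users. The hostname www.example.test, the 2048-bit key size (the post uses 4096) and the files under $WORK are assumptions for the demo; substitute your FQDN and /etc/ssl/custom on a real server.

```shell
#!/bin/sh
# Added example (not from the original post): rehearse key -> CSR -> signed
# certificate -> sanity checks offline, with a local lab CA in place of CAcert.
# Assumed names: HOST, and the files created under WORK.
set -eu

HOST="${HOST:-www.example.test}"
if [ -z "${WORK:-}" ]; then
    WORK=$(mktemp -d)
    trap 'rm -rf "$WORK"' EXIT      # throwaway material, removed on exit
fi

# Step 1: private key and CSR, as in the post. 2048 bits only to keep the demo
# fast. umask 077 means the key is never readable by others, not even for an
# instant between creation and chmod. -subj replaces the interactive prompts;
# the CN must be the FQDN clients will use, because that is what the CA signs.
make_server_key_and_csr() {
    (umask 077; openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null)
    openssl req -new -key "$WORK/server.key" -subj "/CN=$HOST" \
        -out "$WORK/server.csr" 2>/dev/null
}

# Step 2: the CA side. With CAcert this happens on their servers after you
# paste the CSR; here a self-signed lab root ($1 = CN, $2 = file basename).
make_lab_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# Sign the CSR with the lab CA. A subjectAltName is added because browsers
# no longer accept a certificate whose name appears only in the CN.
sign_csr() {
    printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
        -extfile "$WORK/san.ext" -out "$WORK/server.pem" 2>/dev/null
}

# Step 3: the checks worth running before editing the vhost.

# The certificate really was issued for this private key: the public key
# embedded in the cert must be byte-for-byte the one derived from the key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The certificate ($2) chains to the CA file ($1) and is valid for host ($3).
cert_chains_to_ca() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# The "other" permission bits (columns 8-10 of ls -l) must all be off, which
# is what the post's chmod 440 gives: owner and group may read, nobody else.
key_is_private() {
    [ "$(ls -l "$1" | cut -c8-10)" = "---" ]
}

main() {
    make_server_key_and_csr
    make_lab_ca "Lab Root CA" ca
    sign_csr
    if key_matches_cert "$WORK/server.key" "$WORK/server.pem" \
        && cert_chains_to_ca "$WORK/ca.pem" "$WORK/server.pem" "$HOST" \
        && key_is_private "$WORK/server.key"; then
        echo "OK: key, certificate and CA in $WORK are consistent for $HOST"
    else
        echo "FAILED: do not wire these files into the vhost" >&2
        return 1
    fi
}
main
```

Against the real files, the same three checks are `key_matches_cert /etc/ssl/custom/atom.key /etc/ssl/custom/www.s55aj.eu.pem`, `cert_chains_to_ca /etc/ssl/custom/CAcert.pem /etc/ssl/custom/www.s55aj.eu.pem www.s55aj.eu` and `key_is_private /etc/ssl/custom/atom.key`; once Apache is reloaded, `openssl s_client -connect www.s55aj.eu:443 -CAfile /etc/ssl/custom/CAcert.pem` shows what a client that trusts the CAcert root actually sees.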