Adding SSL Certificates to Apache 1.3.x

This page was copied and pasted from a Joomla site so it may have some formatting issues…..I’ll get to it later.

Apache 1.3.x and SSL Certificates
Written by Administrator
Tuesday, 17 May 2011 07:42

Getting SSL certificates generated and signed by GoDaddy

NOTE: The mechanism below for generating keys, certificates, etc. doesn’t work any differently on Apache 2.2.x. In other words, this page applies to newer versions of Apache as well as versions 1.3.x. The only difference is that the file you need to edit to point the server at the SSL files is located in the “conf/extras” directory in newer versions. So the configuration is slightly different, but the process is identical.

I’m still running Apache 1.3.41 (on one server) and this is how I created certificates, formatted my httpd.conf file, etc. By the way, today – May 9th, 2011 – I had my browser (Firefox) throw one of those dreaded “get me outta here” warnings when I tried to access my virtual server. Anyhow, I’d had a misconfiguration for quite some time but, oddly, I had never seen this browser error before. It had to do with an “intermediate”, or “certificate chain” file; I’d gotten a “spare” file from GoDaddy and never knew exactly what to do with the thing. Argh! Well, now I know what to do with it….. By the way, in the area where you manage your SSL certificates on GoDaddy there is a handy tool which will check to see if your SSL configuration is correct – like this:

SSL verify

This page is a re-work of a previous page and incorporates the amendment to the httpd.conf file (fixing the error to which I just referred).

Generating a key and a self-signed certificate

Years ago I found a handy little bundle on the net which makes these preliminary steps very simple. The encryption was only 1024-bit, which will no longer fly with GoDaddy, so I simply edited the script and bumped it up to 4096-bit. I’ve kept the original archive, here, just for the hell of it…. Anyway, to get started download the scripts:

SSL ToolKit(4096-bit) – USE THIS ONE

SSL Tool Kit(1024-bit) – I’ve removed this link…you DO NOT WANT THIS!

I may expand on this a bit later but, for the moment, here’s a quick-step guide to getting everything working:

  1. Move the file you’ve just downloaded to your Apache configuration directory (not mandatory – just shorter paths to type if you’re “in the neighborhood”) and untar the rascal…
  2. In a shell navigate into the new directory (called “ssl_toolkit_4096”) and, if necessary, chmod all of the files to 755 (executable) – the file permissions should already be ok….
  3. Type the following from a shell prompt:
    openssl genrsa -des3 -rand file1:file2:file3:file4:file5 \
        -out server.key 4096
  4. Very important: these scripts will ask you a number of questions, the answers to which are very often unimportant for them to work. However, choose a password and remember the thing, and, the “common name” of the server must match the URL by which your secure server is called. You will be asked to enter it twice, as I recall, and it must be correct (and, obviously, the entries identical). For example, my secure server alias is called “secure.netkwik.com” – that’s what I enter for these questions. One more time, the common name is the actual name of your secure server’s alias – you cannot make this up, or, simply enter whatever (which you can do for things like the associated email address, etc.).
  5. Do: ./new-root-ca.sh your.secure.server (don’t be an idiot – your actual secure alias in place of the red text…)
  6. Do: ./new-server-cert.sh your.secure.server
  7. Do: ./sign-server-cert.sh your.secure.server

Okay – now, in my ignorance, this is what I do (I just know it works).

  1. Go to your apache conf folder and enter the following sub-directories: ssl.key, ssl.csr, and ssl.crt. Remove any existing files in all of these folders…
  2. Go back to the folder in which you generated all of your certificates, keys, etc. (the “ssl_toolkit_4096” folder) and copy the appropriately suffixed files to the corresponding folder from which we just removed everything (copy anything ending in “.key” to the ssl.key folder, and so on).
  3. Open your .csr file with a text editor and copy the contents; go to GoDaddy, follow the prompts to manage your SSL certificates and paste the data into the box. It will work. They will email you a link to download the signed certificates (which you then just paste to the ssl.crt folder). That’s it….
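
Before restarting Apache it is worth confirming that the key, the CSR and the certificate that came back all carry the same public key, and that the CSR asks for the right common name. The script below is an added example, not part of the original page or of the toolkit; the file names and host name passed to it are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page or the SSL toolkit).

# SHA-256 of the public key held in a key, CSR or certificate (PEM).
# $1 = key|csr|crt, $2 = file. An encrypted key prompts for its passphrase.
pubkey_hash() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout) ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey) ;;
        *)   return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Common name requested in a CSR; copes with both the old
# "/CN=host" and the newer "CN = host" subject output formats.
csr_cn() {
    openssl req -in "$1" -noout -subject |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# check_set KEY CSR CRT HOST
# Returns 0 only if all three files share one public key and the CN is HOST.
check_set() {
    k=$(pubkey_hash key "$1") || return 1
    r=$(pubkey_hash csr "$2") || return 1
    c=$(pubkey_hash crt "$3") || return 1
    [ "$k" = "$r" ] || { echo "CSR was not made from $1"; return 1; }
    [ "$k" = "$c" ] || { echo "certificate does not match $1"; return 1; }
    [ "$(csr_cn "$2")" = "$4" ] || { echo "CN in CSR is not $4"; return 1; }
    echo "key, CSR and certificate match; CN=$4"
}

# Run as: sh check_set.sh server.key server.csr server.crt your.secure.server
if [ $# -eq 4 ]; then
    check_set "$@"
fi
```

A mismatch between the key and the certificate is the usual reason Apache refuses to start after new files are copied into ssl.crt and ssl.key.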

Apache 1.3.x httpd.conf edits

In place of a lengthy explanation, you need to find the areas in your httpd.conf file that look like the ones below and – well – make them look like the ones below (using your domain name, paths, etc. – of course). What I was missing was the path to the “gd_bundle.crt” deal. The file was in the ssl.crt folder but I’d omitted referencing it in the httpd.conf file. Anyway – you need something like this (and, of course, the lines below will need to be uncommented – in other words, remove the “#” sign in front of them).

UPDATE: Where you see email addresses, below, there should not be line breaks – this is a Joomla thing when using pre-formatted text. In other words, the line should look like this: ServerAdmin someone@somejoint.com You get the idea.

##
## SSL Virtual Host Context
##

# General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs"
ServerName secure.netkwik.com
ServerAdmin admin@someplace.com

ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log

SSLCertificateFile /usr/local/apache/conf/ssl.crt/secure.netkwik.com.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/secure.netkwik.com.key
SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/gd_bundle.crt

#------- VIRTUAL HOST #SECURE ---------

ServerName secure.netkwik.com
ServerAlias secure.*
ServerAdmin postmaster@someplace.com

DocumentRoot /usr/local/apache/htdocs/secure
ServerName secure.netkwik.com
ServerAdmin webmaster@someplace.com

ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/secure.netkwik.com.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/secure.netkwik.com.key
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca.crt
SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/gd_bundle.crt

SSLOptions +StdEnvVars
SSLOptions +StdEnvVars

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /usr/local/apache/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
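
The misconfiguration described above, a certificate referenced without its chain file or with the chain line still commented out, can be caught by reading the configuration itself. The check below is an added example, not part of the original page; it assumes the chain is set with its own SSLCertificateChainFile directive as shown here, and the `<VirtualHost>` containers and host names in the sample input are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Host names below are constructed.
# List SSL virtual hosts that set a certificate but have no active
# SSLCertificateChainFile. $1 = httpd.conf or SSL include ("-" = stdin).
lint_chain() {
    awk '
    function report() {
        if (engine && cert != "" && chain == "")
            printf "%s (line %d): %s\n", name, start,
                (hashed ? "chain file commented out" : "no chain file")
    }
    { low = tolower($0); d = tolower($1) }   # directive names are case-insensitive
    low ~ /^[ \t]*#/ { if (invh && low ~ /^[ \t]*#[ \t]*sslcertificatechainfile/) hashed = 1; next }
    d ~ /^<virtualhost/ { invh = 1; start = NR; name = "?"; engine = hashed = 0; cert = chain = ""; next }
    d == "</virtualhost>" { report(); invh = 0; next }
    !invh { next }
    d == "servername"              { name = $2 }
    d == "sslengine"               { engine = (tolower($2) == "on") }
    d == "sslcertificatefile"      { cert = $2 }
    d == "sslcertificatechainfile" { chain = $2 }
    ' "${1:--}"
}

# Constructed input: three hosts, only the last one is configured correctly.
sample_conf() {
    cat <<'EOF'
<VirtualHost _default_:443>
ServerName missing.example.test
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/missing.example.test.crt
</VirtualHost>
<VirtualHost _default_:443>
ServerName hashed.example.test
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/hashed.example.test.crt
#SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/gd_bundle.crt
</VirtualHost>
<VirtualHost _default_:443>
ServerName ok.example.test
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/ok.example.test.crt
SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/gd_bundle.crt
</VirtualHost>
EOF
}

sample_conf | lint_chain -
```

Point it at the real file with `lint_chain /usr/local/apache/conf/httpd.conf`; no output means every SSL virtual host names a chain file.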
