SSL Certificates 101
Generally speaking, a plain single-name SSL certificate, self-signed or CA-issued, is good for exactly one host name: the one given as the "common name" when the certificate was created (or, on newer certificates, the names listed in the Subject Alternative Name extension, which clients prefer over the common name).
Some vendors[1] sell a "wildcard" certificate, where the common name takes the form "*.domain.com"; it can secure any number of sub-domains, but only one label deep: *.domain.com matches www.domain.com, not domain.com itself and not a.b.domain.com. Such a "wildcard" certificate is, not surprisingly, considerably more expensive than a single-name certificate. Apache even provides a built-in mechanism using a document root wildcard[2] for mapping each sub-domain to a different document root behind the one certificate.
Some vendors, Godaddy[3] among them, sell multiple-domain (SAN) certificates, which are a discount compared to purchasing the same number of single-name certificates.
A good source for a free certificate is cacert.org[4]. cacert.org will sign a certificate for a domain if your e-mail address is in the whois record for the domain; the process is automated on their end, and they verify control by sending you a link in an e-mail. The catch is that the cacert.org root certificate is not shipped in the major browser and OS trust stores, so visitors will get a certificate warning unless they have imported that root themselves; for a public site that matters as much as the price. The Apache website[5] has a nice concise explanation of how to create a server key and certificate signing request for cacert.org (or any other CA).
Basically the process is[7]: generate the private key and the certificate signing request (CSR) in one step, then print the CSR to check the common name before uploading it:
openssl req -nodes -new -newkey rsa:2048 -keyout try.key -out try.csr
openssl req -noout -text -in try.csr
-newkey rsa:2048 asks for a 2048-bit key (older OpenSSL releases default to 1024 bits, which is too small). -nodes leaves try.key unencrypted so Apache can start without a passphrase prompt[6]; the price is that anyone who can read the file has the key, so keep it readable by root only.
cacert.org certificates seem to be good for six months. They send you an e-mail in advance of expiry.
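The same procedure carried a step further, as an added example that is not from the original post or from cacert.org: the CSR lists every host name it should cover as a Subject Alternative Name (a CA may take the names from the CSR or ask for them separately in its web form), and the helper functions check the key size, that the CSR was built from the key, and which names were actually requested. All host names and file names below are made up.

```shell
#!/bin/sh
# Added example, not from the original post: produce a 2048-bit key and a CSR
# that lists every host name it should cover as a Subject Alternative Name,
# then inspect the CSR before handing it to a CA.  All host names are made up.
set -e

# make_csr <common-name> <basename> [extra-host...]
# Writes <basename>.key (unencrypted, as with -nodes) and <basename>.csr.
# The common name is repeated as the first SAN because clients ignore the CN
# once a SAN extension is present.
make_csr() {
    cn=$1; base=$2; shift 2
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n'
        printf '[dn]\nCN = %s\n' "$cn"
        printf '[ext]\nsubjectAltName = @alt\n[alt]\n'
        i=1
        for host in "$cn" "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$host"
            i=$((i + 1))
        done
    } > "$base.cnf"
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -config "$base.cnf" -keyout "$base.key" -out "$base.csr" 2>/dev/null
}

# csr_names <csr>: print the DNS names requested in the CSR, one per line.
csr_names() {
    openssl req -noout -text -in "$1" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# csr_covers <csr> <host>: succeed only if <host> is listed exactly in the CSR.
csr_covers() {
    csr_names "$1" | grep -qx "$2"
}

# key_bits <key>: print the RSA modulus size of the private key.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# csr_matches_key <csr> <key>: succeed if the CSR was built from this key
# (guards against mixing up several try.key files).
csr_matches_key() {
    [ "$(openssl req -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Demonstration with made-up names; skipped where openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_csr apps.example.net "$work/try" www.example.net
    csr_matches_key "$work/try.csr" "$work/try.key"
    echo "key size: $(key_bits "$work/try.key") bits"
    echo "names requested:"; csr_names "$work/try.csr"
    rm -rf "$work"
fi
```

Run it as a script to see the demonstration, or source it and call make_csr with your own common name and extra hosts; csr_covers is the check to run before uploading, since a name that is missing from the CSR will be missing from the certificate.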
For a particular SSL-enabled Apache virtual host, force users to always use https by placing a redirect in the plain-http virtual host, i.e.:
<VirtualHost *:80>
    DocumentRoot /var/www/vsc/apps
    ServerName apps.vancouversolidcomputing.com
    ServerAlias apps.vancouversolidcomputing.com
    ServerAdmin ckoeni@gmail.com
    CustomLog /var/log/apache2/access.log combined
    Redirect permanent / https://apps.vancouversolidcomputing.com/
</VirtualHost>
Without a status argument Redirect sends a temporary (302) redirect; "permanent" makes it a 301, so browsers cache the https address. Because "Redirect /" matches every path, nothing under the DocumentRoot is ever served over plain http.
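The https counterpart of that redirecting http virtual host, as an added example that is not from the original post: the host name, document root and admin address are the post's own, while the certificate file paths are assumptions. The directive names are those of Apache 2.0/2.2; on 2.4.8 or later the intermediate chain is appended to SSLCertificateFile and SSLCertificateChainFile is obsolete. mod_ssl and mod_headers must be enabled.

```apache
<VirtualHost *:443>
    ServerName apps.vancouversolidcomputing.com
    ServerAdmin ckoeni@gmail.com
    DocumentRoot /var/www/vsc/apps
    CustomLog /var/log/apache2/ssl_access.log combined

    SSLEngine on
    # Assumed paths: the signed certificate, the private key from the CSR step
    # (readable by root only), and the CA's intermediate certificate(s) so
    # that clients can build the chain up to the root.
    SSLCertificateFile      /etc/apache2/ssl/apps.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/apps.key
    SSLCertificateChainFile /etc/apache2/ssl/ca-chain.crt
    # SSLv2 and SSLv3 are broken; refuse them.
    SSLProtocol all -SSLv2 -SSLv3

    # HSTS: browsers will insist on https for this host for a year.  Enable it
    # only once the certificate chains to a root the visitors already trust;
    # with an untrusted root (cacert.org on a stock browser) HSTS turns the
    # certificate warning into a hard block that users cannot click through.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Test the result from outside with a browser and with openssl s_client before adding the HSTS header, since a mistake in the chain is recoverable only as long as browsers still offer the warning page.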
[1] http://www.sslshopper.com/best-ssl-wildcard-certificate.html
[2] http://phaseshiftllc.com/archives/2008/10/27/multiple-secure-subdomains-with-a-wildcard-ssl-certificate
[3] http://www.godaddy.com/gdshop/ssl/ssl.asp?ci=9039
[4] https://www.cacert.org/
[5] http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#realcert
[6] http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#removepassphrase
[7] http://www.cacert.org/help.php?id=6
[8] http://www.cacert.org/help.php?id=4
posted at: 23:57 | path: /Admin/Apache/HTTPS-SSL