This page is an archive of my old blog. Please visit DavidTucker.net for my current blog.
This site is no longer being maintained and commenting is disabled.

Installing a Secure Certificate on a Linux Server

Secure certificates have become steadily cheaper since their inception, but until you have purchased and installed one there is a bit of mystery around the process. This mini-tutorial deals specifically with installing a Standard SSL Certificate from GoDaddy on a Red Hat Enterprise Linux 5 (or CentOS 5) server with Apache 2.2 installed. It should be easy to adapt the content of this tutorial to other certificate authorities or flavors of Linux.

Introduction

Purchasing and installing a certificate is a three step process:

  1. Certificate Request - The server on which the certificate will be installed must generate both a private key and then a CSR (Certificate Signing Request).
  2. Domain Validation - Once the Certificate Authority receives the CSR, they will verify that the party who requested the certificate has authority over the domain name. For Basic SSL Certificates, this will be in the form of an email to the contact person listed with the domain registration. The more advanced the certificate, the more in-depth the validation process will be.
  3. Installation - Once the validation has succeeded, you will receive the certificate files. At this point you can install them in Apache. You can also choose to install them in your mail server (if it resides on the same machine under the same domain).

Certificate Request

The first step to creating a certificate signing request (CSR) is to create a private key. OpenSSL will be used to create both of these items. You will need to be logged in as root to move these files to the proper locations (although they can be created by a non-privileged user). Generally, the private key goes into the /etc/httpd/conf/ssl.key/ directory and the CSR into the /etc/httpd/conf/ssl.csr/ directory.

TIP: If a server will have more than one domain hosted on it, it is ideal to include the domain name in the certificate, private key, and CSR file names. This way, even if you lose your configuration files, you know which certificate is associated with each domain.

CODE:
  openssl genrsa -out /etc/httpd/conf/ssl.key/mydomain.com.key 1024

Code Example 1 - Generating the Private Key

Once the private key is created, you can create the CSR. You will be asked a series of questions while creating the CSR; the list of questions is shown in Figure 1. The most important question is where OpenSSL asks for the Common Name. You must type the domain name that you are getting the certificate for. If you are getting a certificate for a subdomain, be sure to type the entire name (but leave off the "www." from the beginning of the domain). Note that you do not have to fill in every value.

CODE:
  openssl req -new -key /etc/httpd/conf/ssl.key/mydomain.com.key -out /etc/httpd/conf/ssl.csr/mydomain.com.csr

Code Example 2 - Generating the CSR

Figure 1 - CSR Generation Questions

Once you have generated your CSR, you can output it to the screen with the following command. When you are requesting your certificate, there will be a box where you will paste this CSR.

CODE:
  cat /etc/httpd/conf/ssl.csr/mydomain.com.csr

Code Example 3 - Outputting CSR to Screen
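The request steps above, as an added example that is not part of the original post: a few shell functions that create the key and CSR non-interactively (the -subj fields stand in for the questions in Figure 1) and then check, before the CSR is pasted into the CA's form, that it really was built from this key and carries the intended Common Name. The subject fields and file paths are assumed values; the key is 2048 bits because public CAs stopped accepting 1024-bit RSA keys years ago.

```shell
# Added example, not from the original post. Paths and subject fields are
# constructed for illustration; only the CN matters to the CA.

# make_csr DOMAIN KEYFILE CSRFILE
# Answers the "openssl req" questions on the command line with -subj instead of
# interactively, so the CN cannot be mistyped at the prompt.
make_csr() {
    domain=$1; key=$2; csr=$3
    # 2048 bits: public CAs no longer accept 1024-bit RSA keys.
    openssl genrsa -out "$key" 2048 2>/dev/null || return 1
    chmod 400 "$key"
    openssl req -new -key "$key" -out "$csr" \
        -subj "/C=US/ST=Georgia/L=Atlanta/O=Example Org/CN=$domain" 2>/dev/null
}

# csr_cn CSRFILE: print the Common Name the CSR asks the CA to certify.
# Handles both "CN=host" (OpenSSL 1.x) and "CN = host" (OpenSSL 3) output.
csr_cn() {
    openssl req -noout -subject -in "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# csr_matches_key KEYFILE CSRFILE
# Succeeds only if both carry the same RSA modulus, i.e. the CSR was built from
# this key and not from a stale or regenerated one.
csr_matches_key() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl req -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```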

Domain Validation

NOTE: Before you submit your CSR to the Certificate Authority, do a WHOIS Lookup for your domain to ensure that all of the data is correct. Correct all information with your domain registrar before submitting your CSR.

The actual validation process for a certificate is different depending on which certificate authority is used. As stated earlier, GoDaddy's Basic SSL certificate only requires an email verification (to the administrative or registrant contact for the domain). Once the email recipient verifies that the request is legitimate, the certificate is issued.

Certificate Installation - Apache

Once the certificate is issued, the certificate authority will email you to let you know that you can download the certificates. You will generally receive two certificates: the actual certificate for your domain, and the chain certificate that is specific to the certificate authority. With Apache (unlike Sendmail, IMAP, or POP Servers) these certificates will remain in separate files.

By default in RHEL 5 (or CentOS 5) there is a file /etc/httpd/conf.d/ssl.conf. This file defines the default SSL configuration for the Apache server. If you only have one virtual host on the server, you can enter all of your certificate details in this file. If you have multiple virtual hosts, comment out the following lines in ssl.conf and put the specific information in each virtual host definition. Most of the information should already be correct, but you will need to replace the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile configuration values (as shown below).

CODE:
  # Server Certificate:
  SSLCertificateFile /etc/httpd/conf/ssl.crt/mydomain.com.crt

  # Server Private Key:
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mydomain.com.key

  # Server Certificate Chain:
  SSLCertificateChainFile /etc/httpd/conf/ssl.crt/gd-chain.crt

Code Example 4 - Apache Configuration in the /etc/httpd/conf.d/ssl.conf file

Certificate Installation - Other

Many other services on your server can also take advantage of a secure certificate. For example, an IMAP server can use the secure certificate for its secure communications with an email client. Many of these other services require the certificate to be in another format which combines all of the elements (private key, certificate, and chain certificate) into a single file. These files usually have a .pem extension.

To put your certificate into the PEM format, you will need to put the previously mentioned items into the same file in the following order: private key, secure certificate, chain certificate. If you were creating a PEM file for sendmail, you could use the following commands to create the file.

CODE:
  touch sendmail.pem
  cat /etc/httpd/conf/ssl.key/mydomain.com.key >> sendmail.pem
  cat /etc/httpd/conf/ssl.crt/mydomain.com.crt >> sendmail.pem
  cat /etc/httpd/conf/ssl.crt/gd-chain.crt >> sendmail.pem

Code Example 5 - Creating a PEM File for Certificate Information

Setting Permissions

To ensure proper security on the server, you will need to set the proper ownership and permissions on each of the certificate files.

CODE:
  chown root /etc/httpd/conf/ssl.key/mydomain.com.key
  chmod 400 /etc/httpd/conf/ssl.key/mydomain.com.key
  chown root /etc/httpd/conf/ssl.crt/mydomain.com.crt
  chmod 400 /etc/httpd/conf/ssl.crt/mydomain.com.crt
  chown root /etc/httpd/conf/ssl.crt/gd-chain.crt
  chmod 400 /etc/httpd/conf/ssl.crt/gd-chain.crt

Code Example 6 - Setting Ownership and Permissions on Certificates

If you created certificates in other formats or locations on the server, you will also need to set their ownership and permissions.
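An added example (not code from the original post) covering both the PEM bundle from Code Example 5 and the permission step from Code Example 6: it assembles the bundle in the order key, certificate, chain, creates it with restrictive permissions from the start rather than tightening them afterwards, and refuses to build it when the certificate does not belong to the key, which is the pairing mistake that stops Apache or sendmail from starting. Function names and file paths are assumptions.

```shell
# Added example, not from the original post. All file names are assumptions.

# secure_file PATH: root-owned and readable only by its owner, as in Code
# Example 6 (chown only succeeds when run as root, so it is allowed to fail).
secure_file() {
    chown root "$1" 2>/dev/null || true
    chmod 400 "$1"
}

# cert_matches_key KEYFILE CRTFILE: same RSA modulus in both, or fail.
cert_matches_key() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# build_pem KEYFILE CRTFILE CHAINFILE OUTFILE
# Writes key, certificate and chain into one PEM file in that order. The bundle
# is never created for a certificate that does not match the key.
build_pem() {
    key=$1; crt=$2; chain=$3; out=$4
    cert_matches_key "$key" "$crt" || return 1
    # umask in a subshell: the file is private from the moment it exists,
    # so the private key is never briefly world-readable.
    ( umask 077; cat "$key" "$crt" "$chain" > "$out" ) || return 1
    secure_file "$out"
}

# pem_blocks PEMFILE: number of PEM sections; a correct bundle has three.
pem_blocks() {
    grep -c '^-----BEGIN ' "$1"
}
```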

Conclusion

Finally, you will need to restart Apache and any other services that use the new certificate. Once that is completed, you should be able to test whether your certificate was installed properly. Figure 2 shows the Firefox security window for a website that has a properly installed GoDaddy Basic SSL Certificate.

Figure 2 - Successful Certificate Installation

10 Responses to “Installing a Secure Certificate on a Linux Server”

  1. Thanks! Love this simple tutorial.


  10. Mirco Ellis says:

    Jis guy. You made it so simple. Especially dig the section on converting to a linux sendmail.pem file. I’ve battled to get this going for so long and the lights finally went on when I read your instructions. Thank you.