Securing your Apache webserver with a certificate from godaddy.com
Most of you probably run a web server, for example a webaccess server. By default Apache uses a self-signed SSL certificate that is created during the installation of Apache.
The disadvantage is that when people access your secure website they get an error saying that the certificate cannot be validated because it comes from an untrusted Certificate Authority (CA). This does not mean the site isn’t secure; you know that, I know that, but to normal users it looks as if your company doesn’t have a secure site.
Internet Explorer 8 has a new security feature, enabled by default, that makes the user accept the certificate for every new window that is opened. This is really annoying with, for example, a webaccess where you open an email in a new window. By the way, Firefox doesn’t have this problem once you have accepted the certificate during a session.
So how can we solve this? Simply by getting a valid SSL certificate. So I looked at how to implement a certificate provided by Godaddy.com.
I chose a so-called “Standard (Turbo) SSL” for 1 year, which costs around 27 dollars a year.
In this post I assume you already have a working Apache with a self-signed SSL certificate, which we are going to replace.
Step 1 is to create a certificate request on the webserver, starting with the private key. Log in as root and give the command:
openssl genrsa -des3 -out server.key 2048
You are asked for a pass phrase. It is used to encrypt the private key.
Step 2 is to create the request file that you are going to use to get a valid certificate. Give the command:
openssl req -new -key server.key -out server.csr
You are asked a couple of questions. Make sure that where the Common Name is asked you provide the FQDN of your website.
#openssl req -new -key blog.wilmsenit.nl -out blog.wilmsenit.nl.csr
Enter pass phrase for blog.wilmsenit.nl:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:NB
Locality Name (eg, city) []:Eindhoven
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WilmsenIT
Organizational Unit Name (eg, section) []:IT Department
Common Name (eg, YOUR name) []:blog.wilmsenit.nl
Email Address []:info@wilmsenit.nl
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:WilmsenIT
Now you have a so-called .csr file, which we are going to use to request our certificate.
Go to the Godaddy website and buy the certificate. When you have bought the certificate you can go to the SSL page and click on the certificate. Now you are asked for the content of the csr file we created. Just do a cat of the file and copy and paste the content into the screen. After this, follow the instructions on the screen.
Now your request is pending. After a while (this can take from 2 to 24 hours) an email will be sent to the administrator of the domain for which we requested the SSL certificate. You can check who that is in any WHOIS database. The email contains a validation link. By clicking on that link you accept the request for the certificate.
After validation you can download the certificate file. When doing so, you are asked where you want to use this certificate; in our case, Apache.
The zip file we have downloaded contains two files:
- server.crt
- gd_bundle.crt
Copy these files to /etc/apache2/ssl.crt
We also have to copy the server.key file we created earlier to /etc/apache2/ssl.key
Now we have to adjust the vhost-ssl.conf file in /etc/apache2/vhost.d to use these files.
Make sure the following lines look like this:
- SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
- SSLCertificateChainFile /etc/apache2/ssl.crt/gd_bundle.crt
- SSLCertificateFile /etc/apache2/ssl.crt/server.crt
Save the file and restart Apache with /etc/init.d/apache2 restart
You are asked for the pass phrase we entered earlier in this section. This is for security reasons. If you don’t want to provide this pass phrase, do the following:
- Go to the /etc/apache2/ssl.key directory
- Save the original file: cp server.key server.key.org
- Give the command: openssl rsa -in server.key.org -out server.key
- Restart Apache
Now you don’t have to provide the pass phrase any more.
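The checks below are an added example, not part of the original post: a small shell script that confirms the certificate belongs to server.key, that it verifies against gd_bundle.crt, and that a key stripped of its pass phrase (the last step above) is at least not accessible to other users, since file permissions are then its only protection. The function names are illustrative; the openssl subcommands are standard.

```shell
#!/bin/sh
# Added example (not from the original post); function names are illustrative.

# 0 when the certificate and the private key contain the same public key.
# A pass-phrase-protected key makes openssl prompt, as Apache does on restart.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 when the certificate verifies against the bundle (here gd_bundle.crt).
# Note: certificates in the -CAfile bundle are treated as trusted.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# 0 when the key file is still encrypted with a pass phrase.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# 0 when group and others have no permission bits on the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# usage: check_install server.crt server.key gd_bundle.crt
check_install() {
    rc=0
    cert_matches_key "$1" "$2" || { echo "FAIL: $1 does not match $2"; rc=1; }
    chain_verifies "$1" "$3" || { echo "FAIL: $1 does not verify with $3"; rc=1; }
    if ! key_is_encrypted "$2" && ! key_is_private "$2"; then
        echo "FAIL: $2 is unencrypted and accessible to group/others"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: certificate, chain and key checks passed"
    return "$rc"
}

# e.g. sh check.sh /etc/apache2/ssl.crt/server.crt \
#     /etc/apache2/ssl.key/server.key /etc/apache2/ssl.crt/gd_bundle.crt
if [ "$#" -eq 3 ]; then check_install "$@"; fi
```

If the last check fails, chmod 600 on the key file (owned by root) clears it.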
About Michael
Michael Wilmsen is an experienced VMware Architect with more than 20 years in the IT industry. His main focus is VMware vSphere, Horizon View and Hyper Converged, with a deep interest in performance and architecture.
Michael is VCDX 210 certified, has been awarded the vExpert title since 2011, and is a Nutanix Tech Champion and a Nutanix Platform Professional.
By Ueberwachungskamera, March 29, 2010 @ 11:09
This certificate is definitely worth it, because who doesn’t want good safety on the computer. Plus there are so many hackers out there.
By Zoe Ali, April 28, 2010 @ 18:52
Internet Explorer 8 is very good because it is as stable as Opera. I hate the previous versions of IE like IE6 because it hangs frequently.
By solve quick tasks earn $$, April 29, 2010 @ 10:32
Just have bookmarked your site, and waiting for the next interesting article
By job at home, April 29, 2010 @ 12:48
I want to start my own blog too. What blog platform do you use, and where can I download it?
By Samantha Thomas, May 5, 2010 @ 08:45
I have 100 domains on Godaddy and I can say that this company is very reputable.
By whois, June 7, 2010 @ 23:38
Definitely the certificate from Godaddy is very useful. I also have 5 domains at Godaddy, so far so good. =)
By Jack Laible, July 7, 2010 @ 23:14
Hello, great blog! How do I subscribe to your RSS feed to ensure I get notified when you make new posts? Thanks
By Mike, July 8, 2010 @ 08:18
At the top there is an RSS icon, or you can follow me on Twitter. See Networking on the left.
By Wet Saw, August 15, 2010 @ 18:34
Godaddy is the best registrar, another one is Enom *-*