{"id":1049,"date":"2012-01-12T00:09:19","date_gmt":"2012-01-12T04:09:19","guid":{"rendered":"https:\/\/lowtek.ca\/roo\/?p=1049"},"modified":"2012-01-12T00:09:19","modified_gmt":"2012-01-12T04:09:19","slug":"ubuntu-apache2-trusted-ssl-certificate-from-startssl","status":"publish","type":"post","link":"https:\/\/lowtek.ca\/roo\/2012\/ubuntu-apache2-trusted-ssl-certificate-from-startssl\/","title":{"rendered":"Ubuntu Apache2 “trusted” SSL Certificate from StartSSL"},"content":{"rendered":"

\"\"<\/a><\/p>\n

I own the domain lowtek.ca<\/a> and host a couple of personal projects as well as this blog on it. One of the areas is behind a password and that part of the site I redirect over to https<\/a> to ensure that the communication is encrypted. While the whole Certificate Authority infrastructure has currently become questioned, the value of having a SSL<\/a> connection between your browser and (hopefully) a specific destination machine still has value. I found a humorous youtube video<\/a> that describes SSL basics if this is new to you.<\/p>\n

If you were watching the tech news, you’ll have seen several of the CA’s had\u00a0security breaches<\/a>. Even\u00a0StartSSL<\/a>\u00a0which this post will talk about using had\u00a0some<\/a>\u00a0issues<\/a>, but it seems that\u00a0it wasn’t as bad<\/a>\u00a0as the others. There has even been some\u00a0research into how to attack \/ break SSL<\/a>\u00a0entirely. The web is a scary place if you think too much about this stuff. Today SSL is the most convenient web security story there is, and for the most part it works well enough.<\/p>\n

For most people hosting personal websites the simple path is to use a self signed certificate<\/a>. \u00a0The one downside to this is that whatever browser you are using will not recognize the certificate as valid, you’ll either be prompted to download and remember it – or just trust it for this one session. The manner in which browsers trust commercial web sites https connections is the certificates are issued by one of the root CA’s (Certificate Authority<\/a>). The CA is a trusted 3rd party which the browser can check with to validate the certificate the website is offering up.<\/p>\n

Ubuntu has some guides on creating certificates<\/a>. What I’ll try to do here is provide a specific example of using StartSSL to generate a free certificate that is accepted by most web browsers. Much of the details come from another blog<\/a> that I referenced when creating my StartSSL<\/a> certificate.<\/p>\n

You’ll probably want to use FireFox<\/a>. The web interface at StartSSL.com<\/a> can be a bit finicky and FireFox is known to work – I used the somewhat old 3.6.25 version. Of course the first step is to sign-up and create an account on StartSSL. They use email confirmation and my greylisting<\/a> caused a bit of a hiccup here, waiting a few minutes and resubmitting the sign-up succeeded just fine. Then there will be a wizard that takes you through the rest of the sign-up process.<\/p>\n

At the end of your account sign up you’ll be encouraged to back up the client certificate that has been installed into your browser. As I understand it, they use the client certificate as a form of authentication that it is really you they are connected to. The FAQ has details on backing up the client certificate<\/a>. If for some reason you lose your client certificate they have a FAQ for that too<\/a>.<\/p>\n

Next we want to return to the “Control Panel<\/a>” and use the “Validations Wizard” to do the “Domain Name Validation”. This will require another email validation to ensure that you are the owner of the domain (you’ll need to be able to receive email for that domain).<\/p>\n

Now we can actually create a certificate. There are pay options for certificates, but we want to use the free version. Use the “Certificates Wizard” to create a “Web Server SSL\/TLS Certificate”. Again I’ll reference the very useful blog post from jasoncodes.com<\/a> that describes this set of steps (I will replicate here for completeness).<\/p>\n

The first step of creating a certificate we can skip, as we plan to create our own Certificate Signing Request (CSR<\/a>) locally. Execute the follwoing on your server, obviously replacing mydomain.ca with your domain name:<\/p>\n

openssl req -new -newkey rsa:4096 -days 380 -nodes -keyout mydomain.ca.key -out mydomain.ca.csr
\n<\/code>
\nThere will be several questions posed to you during this, here is a dump of the questions and some example answers:<\/p>\n

Country Name (2 letter code) [AU]:CA
\nState or Province Name (full name) [Some-State]:YourStateOrProvince
\nLocality Name (eg, city) []:YourCity
\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:SomeName
\nOrganizational Unit Name (eg, section) []:
\nCommon Name (eg, YOUR name) []:mydomain.ca
\nEmail Address []:secret_email@mydomain.ca<\/code><\/p>\n

Please enter the following 'extra' attributes
\nto be sent with your certificate request
\nA challenge password []:
\nAn optional company name []:<\/code><\/p>\n

Some of the answers can be blank as should be evident above. If you’re having trouble with the 2 letter country codes, check on wikipedia<\/a>. I did find a reference that suggested that the common name must exactly match the host name of your server<\/a>, you might note that I’m not using a www prefix here. This will allow me to re-use this same certificate for email and other things in theory, it also follows the no-www<\/a> approach. I opted to leave the challenge password blank<\/a>.<\/p>\n

The second step of the wizard on StartSSL for creating a certificate will ask for a cut & paste of the mydomain.ca.csr<\/code> we just created. Paste the entire contents of the file in, and move on to the next step where you should see that the request was received.<\/p>\n

Moving along the next step is to “Add Domains”, since we’ve only validated one domain this should be easy. As part of this process it will ask for one sub domain. I used “www” since that will still resolve correctly to the lowtek.ca domain.<\/p>\n

The remainder of the steps should be straight forward, you’ll arrive at the “Save Certificate” screen. You’ll want to save three things: 1)\u00a0Text box contents as mydomain.ca.crt, then save-as the 2) intermediate and 3) root CA certificates (last two should be sub.class1.server.ca.pem and\u00a0ca.pem respectively).<\/p>\n

Now we need to install into Apache2. I’ll assume you’re running Ubuntu.<\/p>\n

We’ll start by copying the .crt<\/code> and .pem<\/code> files we saved from the final step on StartSSL into the \/etc\/apache2\/ssl<\/code> directory.\u00a0We also want the .key<\/code> file that was created when we made our CSR copied to the same directory.<\/p>\n

Again I must credit jasoncodes.com<\/a>, this is almost verbatim from his site. Run the following as root.<\/p>\n

cd \/etc\/apache2\/ssl
\nmv ca.pem startssl.ca.crt
\nmv sub.class1.server.ca.pem startssl.sub.class1.server.ca.crt
\ncat startssl.sub.class1.server.ca.crt startssl.ca.crt > startssl.chain.class1.server.crt
\ncat mydomain.ca.{key,crt} startssl.chain.class1.server.crt > mydomain.ca.pem
\nln -sf mydomain.ca.pem apache.pem
\nchown root:root *.crt *.key *.pem
\nchmod 640 *.key *.pem
\n<\/code>
\nNow we need to modify the apache config file\u00a0\/etc\/apache2\/sites-available\/ssl and add the following within the <VirtualHost> block:<\/p>\n

SSLEngine On
\nSSLCertificateFile \/etc\/apache2\/ssl\/mydomain.ca.crt
\nSSLCertificateKeyFile \/etc\/apache2\/ssl\/mydomain.ca.key
\nSSLCertificateChainFile \/etc\/apache2\/ssl\/startssl.chain.class1.server.crt<\/code><\/p>\n

Check that your Apache config parses as valid:<\/p>\n

apache2ctl -t<\/code><\/p>\n

And then restart Apache with the new config:<\/p>\n

sudo \/etc\/init.d\/apache2 reload<\/code><\/p>\n

Here is the the verification process\u00a0verbatim from jasoncodes.com<\/a>:<\/p>\n

Run the following after restarting Apache to check the certificate chain:<\/p>\n

echo HEAD \/ | openssl s_client -connect localhost:443 -quiet > \/dev\/null<\/code><\/p>\n

You should see something like:<\/p>\n

depth=2 \/C=IL\/O=StartCom Ltd.\/OU=Secure Digital Certificate Signing\/CN=StartCom Certification Authority
\nverify error:num=19:self signed certificate in certificate chain
\nverify return:0<\/code><\/p>\n

A depth of 2 and a return value of 0 is good. If the certificate chain is wrong, you’ll probably see something like:<\/p>\n

depth=0 \/description=12345-ABCDEF123456\/C=XX\/O=Persona Not Validated\/OU=StartCom Free Certificate Member\/CN=host.example.com\/emailAddress=hostmaster@example.com
\nverify error:num=20:unable to get local issuer certificate
\nverify return:1
\ndepth=0 \/description=12345-ABCDEF123456\/C=XX\/O=Persona Not Validated\/OU=StartCom Free Certificate Member\/CN=host.example.com\/emailAddress=hostmaster@example.com
\nverify error:num=27:certificate not trusted
\nverify return:1
\ndepth=0 \/description=12345-ABCDEF123456\/C=XX\/O=Persona Not Validated\/OU=StartCom Free Certificate Member\/CN=host.example.com\/emailAddress=hostmaster@example.com
\nverify error:num=21:unable to verify the first certificate
\nverify return:1<\/code><\/p><\/blockquote>\n

I was pleased to see that it all verified correctly for me. Visiting https:\/\/lowtek.ca<\/a> resulted in a green lock icon under Google Chrome<\/a>.<\/p>\n

The StartSSL certificate expires in 1 year, so next year around this time I’ll be doing the same process. There is another CA (AffirmTrust<\/a>)\u00a0I came across that offers free 3 year certificates, I have no experience with them but would be interested to hear if anyone tries them out. There is CACert<\/a> as well, but it doesn’t appear to be included in any of the browsers – limiting the usefulness of a certificate from them.<\/p>\n","protected":false},"excerpt":{"rendered":"

I own the domain lowtek.ca and host a couple of personal projects as well as this blog on it. One of the areas is behind a password and that part of the site I redirect over to https to ensure that the communication is encrypted. While the whole Certificate Authority infrastructure has currently become questioned, … Continue reading “Ubuntu Apache2 “trusted” SSL Certificate from StartSSL”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,12],"tags":[],"class_list":["post-1049","post","type-post","status-publish","format-standard","hentry","category-computing","category-how-to"],"_links":{"self":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/1049","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/comments?post=1049"}],"version-history":[{"count":10,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/1049\/revisions"}],"predecessor-version":[{"id":1060,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/1049\/revisions\/1060"}],"wp:attachment":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/media?parent=1049"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/categories?post=1049"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/tags?post=1049"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}