SSL (and its successor, TLS) is a protocol for making secure, authenticated connections across an insecure network like the Internet. It encrypts network traffic, so that an attacker cannot listen in on the network and capture sensitive information such as passwords and credit card numbers. It allows servers to authenticate themselves to clients, so that a web browser can be sure that it is connecting to the website that it thinks it is. It also allows clients to authenticate themselves to servers, which can be used to replace usernames and passwords with digital certificates.
The SSL protocol can be used to encrypt any kind of data that would normally travel over an unencrypted TCP connection. However, in this chapter we are only concerned with the encryption of web page requests and responses, which is done by encrypting HTTP protocol data with SSL. The result is a new protocol called HTTPS, which is used by all websites that want to operate securely. Almost every browser supports the HTTPS protocol, and uses it when retrieving URLs that start with https:// instead of the normal http://.
Generating a Self-Signed Certificate
1. Log in to your system as root.
2. Change to the directory in which you want to store your certificate files.
3. Run the command:
openssl req -newkey rsa:4096 -x509 -nodes -out cert.pem -keyout key.pem
This command will ask the following questions in order to obtain attributes for your new key and certificate. To leave any of the requested fields blank, just enter a single period. None of the fields in the certificate matter to a browser except Common Name: that field must contain the hostname of your site (not the full URL, so paranoidpress.com rather than https://paranoidpress.com/) or you will get an "Invalid Certificate" error. I would suggest your certificate cover all subdomains as well, unless you have a reason to generate a separate cert for something such as mail.domain.tld. To include all subdomains use a wildcard, i.e. *.domain.tld. Two caveats a practitioner should know: a wildcard *.domain.tld does not match the bare domain.tld, and modern browsers ignore the Common Name altogether and only look at the subjectAltName extension, so a certificate generated with the interactive questions above will be rejected by current versions of Chrome and Firefox unless a subjectAltName listing the hostnames is added. Also note that without a -days option the certificate is only valid for 30 days.

| Field Name | Description | Example (as used in my cert) |
|---|---|---|
| Country Name | Your two-letter country code [US] | US |
| State or Province Name | Your state | Denial |
| Locality Name | City name | Confusion |
| Organization Name | Company name | Dewey Chetum & Howe |
| Organizational Unit Name | Department name | Misinformation |
| Common Name | The hostname of your site (wildcards are OK) | *.paranoidpress.com |
| Email Address | Administrator contact | email@example.com |
When all the questions have been answered, the files cert.pem and key.pem will be created in the current directory. These are your website's certificate and its private key respectively. Because the private key must be kept secret to ensure the security of SSL connections to your server, change its ownership to the user that Apache runs as, and set its permissions so that no other user can read it, with the commands:
chown www-data:www-data key.pem
chmod 600 key.pem
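The interactive command above is fine for a one-off, but it is easy to get the Common Name wrong, forget the 30-day default validity, or end up with a certificate that modern browsers reject because it has no subjectAltName. The following script, added here as an example and not part of the original page, does the same job non-interactively: it puts the hostname and its wildcard into a subjectAltName extension, sets an explicit validity period, writes the key with mode 600, and then checks the result (subject, SANs, that the key really belongs to the certificate, and the SHA-256 fingerprint you will later compare against what the browser shows). The hostnames, organisation details and output directory are assumptions; the -addext option needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original page: non-interactive self-signed
# certificate generation plus the checks worth running on the result.
set -eu

# gen_selfsigned DIR HOSTNAME DAYS [BITS]
#   Writes DIR/key.pem and DIR/cert.pem. The SAN extension carries both the
#   bare hostname and a wildcard for its subdomains, because a wildcard on
#   its own does not match the bare name. Subject fields are assumptions.
gen_selfsigned() {
    dir="$1"; host="$2"; days="$3"; bits="${4:-4096}"
    mkdir -p "$dir"
    (
        # umask 077: the key file is never world-readable, not even briefly.
        umask 077
        openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 \
            -days "$days" \
            -subj "/C=US/ST=Denial/L=Confusion/O=Dewey Chetum & Howe/CN=$host" \
            -addext "subjectAltName=DNS:$host,DNS:*.$host" \
            -keyout "$dir/key.pem" -out "$dir/cert.pem"
    )
    chmod 600 "$dir/key.pem"
}

# cert_field FILE OPTION: print one field of a certificate, e.g. -subject or -enddate
cert_field() { openssl x509 -in "$1" -noout "$2"; }

# cert_sans FILE: print each DNS name from the subjectAltName extension, one per line
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName | grep -o 'DNS:[^, ]*'
}

# cert_fingerprint FILE: the SHA-256 fingerprint, which is what you compare
# against the browser's certificate viewer before accepting an exception
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# cert_matches_key CERT KEY: succeeds only if the certificate's public key is
# the public half of KEY (catches a cert.pem/key.pem mix-up before Apache does)
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# key_is_private FILE: succeeds only if FILE has mode exactly 0600
key_is_private() { [ -n "$(find "$1" -perm 600)" ]; }

# Demo: generate a one-year certificate for an assumed hostname into a
# temporary directory and show what was produced.
demo() {
    dir=$(mktemp -d)
    gen_selfsigned "$dir" paranoidpress.com 365
    cert_field "$dir/cert.pem" -subject
    cert_field "$dir/cert.pem" -enddate
    cert_sans "$dir/cert.pem"
    cert_fingerprint "$dir/cert.pem"
    cert_matches_key "$dir/cert.pem" "$dir/key.pem" && echo "key matches certificate"
    key_is_private "$dir/key.pem" && echo "key.pem is mode 600"
    echo "files written to $dir"
}
demo
```

The script leaves the key owned by the user who ran it (root, per step 1). Apache reads the certificate and key as root during startup, before it drops privileges to www-data, so a root-owned key with mode 600 works and keeps the key out of reach of a compromised worker process; the chown in the text is only needed if your Apache is started as the unprivileged user.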
Installing the Self-Signed Certificate
Now that a certificate and private key have been created, you are ready to configure your web server to use SSL. The best way to do this is to create a new virtual server that handles all requests to port 443 (the HTTPS port) in SSL mode. This way any existing virtual servers on your system will not be affected. The steps to follow are:
1. In the Webmin Apache Webserver module, click on the Create virtual host tab.
2. Change Port to 443.
3. If you want the pages that browsers see when connecting in SSL mode to be the same as those that they see when making a normal HTTP connection, enter the document root directory of your default server into the Document Root field. Otherwise, you can enter a different directory so that clients will see different pages when making HTTPS requests.
4. In the Server Name field, enter the same hostname that you specified for the Common Name when creating the SSL certificate (without the wildcard!).
5. Click the Create Now button to have the new virtual server added to your Apache configuration. An icon for it will be added to the module's main page.
6. On the Global Configuration tab, check the ssl box and click Enable Selected Modules, so that Apache loads mod_ssl.
7. Back at the main Apache Webserver module page, click on the icon for your new virtual server (the one that handles port 443) to go to its options page. An icon labelled SSL Options should be visible. If it is not, either your Apache webserver does not have the mod_ssl module, or Webmin hasn't detected it yet.
8. Click the SSL Options icon to bring up the page shown in the screenshot below.
9. Change the Enable SSL? field to Yes. This tells Apache that the virtual server should treat all connections as HTTPS.
10. In the SSL protocols field, de-select SSLv3 (and SSLv2, if it is offered). These are obsolete, insecure protocols. TLS 1.0 and 1.1 are deprecated as well, so if your version of Webmin lets you, leave only TLS 1.2 and newer enabled.
11. In the Certificate/private key file field, de-select Default and enter the full path to the cert.pem file that you created earlier.
12. In the Private key file field, enter the full path to the key.pem file. If you only have a single file that contains both the certificate and the private key, you can leave this field set to Default and enter its path into the field above.
13. Click the Apply Changes link back on the virtual server options page so that Apache restarts with the new configuration.
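Webmin is only writing Apache directives for you, so it helps to know what the finished virtual host looks like; it is also what you check when the SSL Options icon is missing or Apply Changes reports an error. The fragment below is an added example, not taken from the page or from Webmin's output; the hostname, document root and certificate paths are assumptions. It shows the older permissive protocol setting next to the hardened one from step 10.

```apache
# Assumed paths and names; adjust to where you stored cert.pem and key.pem.
# Apache must also be listening on 443 (on Debian, ports.conf does this
# inside <IfModule ssl_module>, which is why mod_ssl has to be enabled first).
<VirtualHost *:443>
    ServerName paranoidpress.com
    ServerAlias www.paranoidpress.com
    DocumentRoot /var/www/html

    SSLEngine on
    # Read as root at startup, before Apache drops to www-data
    SSLCertificateFile    /etc/ssl/paranoidpress/cert.pem
    SSLCertificateKeyFile /etc/ssl/paranoidpress/key.pem

    # Weak: the historical default only turned off SSLv2
    # SSLProtocol all -SSLv2

    # Hardened (step 10): no SSLv3, and no deprecated TLS 1.0/1.1 either
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
</VirtualHost>
```

If you keep certificate and key in one file, point both SSLCertificateFile and SSLCertificateKeyFile at it, which is what leaving the Private key file field at Default does. Run apachectl configtest before Apply Changes to catch a wrong path or a key that does not match the certificate.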
Unless an error is reported when applying the configuration, your webserver should now be running in SSL mode on port 443. Test it out by using a web browser to go to the https:// URL of your site. If you receive a warning notice that the connection is untrusted, then it worked: the browser has no reason to trust a certificate that no recognised authority signed. Before adding an exception, click on the I Understand the Risks arrow and view the certificate, and compare the SHA-256 fingerprint the browser shows with the fingerprint of the cert.pem you generated. If they match, you are talking to your own server and not to something sitting in between; only then add the exception. No one else has to trust the origin of this cert, but you will, because YOU MADE IT. Now you can enjoy secure communication with your server!