HowTo Setup a Wildcard SSL Certificate on a Linux Apache Server Using OpenSSL

// Setting Up Wildcard SSL On Apache / Linux ///////////////////////////////////
// j0zf 2009.7.24

// HowTo ///////////////////////////////////////////////////////////////////////

>> Set up your DNS zone file
 - Include an A record for your wildcard domain.
  - From my experience this cannot be a CNAME; it must be an A record with an
  IP address.
  - A wildcard record does not cover the bare domain itself, so keep the
  ordinary A record for yoursite.com alongside it.
 Example Zone File Entry :
  *.yoursite.com. 14400 IN A your_servers_ip_address

>> Modify your /etc/httpd/conf/httpd.conf file
 - In your virtual host config add a wildcard entry (it matches any single
  label under yoursite.com, e.g. foo.yoursite.com) as your ServerAlias.
  (e.g. Change ServerAlias www.yoursite.com to ServerAlias *.yoursite.com )
 
 *** SNIPPET : /etc/httpd/conf/httpd.conf ***
<VirtualHost *:80>
  ServerName yoursite.com
  ServerAlias *.yoursite.com
  DocumentRoot /home/p2w/public_html
  ServerAdmin webmaster@yoursite.com
  ErrorLog logs/yoursite.com-error_log
  CustomLog logs/yoursite.com-access_log common
</VirtualHost>
 *** END SNIPPET : /etc/httpd/conf/httpd.conf *** 

 >> Also Modify your VirtualHost entry for port 443 (ssl / https)
 
  *** SNIPPET : /etc/httpd/conf/httpd.conf ***
<VirtualHost [dedicated ip address]:443>
  ServerName yoursite.com
  ServerAlias *.yoursite.com
  DocumentRoot /home/a_username/public_html
  ServerAdmin webmaster@yoursite.com
  UseCanonicalName off
  CustomLog logs/yoursite.com combined
  # BytesLog is not a stock Apache directive (it comes from cPanel's
  # mod_log_bytes); leave it commented out on a plain Apache install or
  # httpd refuses to start on the unknown directive.
  #BytesLog logs/yoursite.com-bytes_log
  ScriptAlias /cgi-bin/ /home/a_username/public_html/cgi-bin/
  SSLEngine on
  SSLCertificateFile ssl/_.yoursite.com/_.yoursite.com.self-signed.crt
  SSLCertificateKeyFile ssl/_.yoursite.com/_.yoursite.com.key
  # The CA's intermediate bundle belongs in SSLCertificateChainFile (uncomment
  # once you have it). SSLCACertificateFile is the wrong directive for this:
  # it is the trust store for verifying client certificates, not the chain
  # sent to browsers.
  #SSLCertificateChainFile ssl/_.yoursite.com/_.yoursite.com.cabundle
  ErrorLog logs/yoursite.com-ssl_data_log
  CustomLog logs/yoursite.com-ssl_log combined
  # Legacy workaround for old Internet Explorer builds that mishandled the
  # SSL shutdown; harmless, but no browser still in use needs it.
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
  *** END SNIPPET : /etc/httpd/conf/httpd.conf ***
   
>> Set up your SSL Cert with OpenSSL
 >> First set up a self-signed certificate and a certificate signing request.
  
  -- UNIX COMMANDS --
  mkdir /etc/httpd/ssl
  cd /etc/httpd/ssl
  mkdir _.yoursite.com
  cd _.yoursite.com
  touch _.yoursite.com.sh
  chmod +x _.yoursite.com.sh
  vi _.yoursite.com.sh
  
  *** FILE : _.yoursite.com.sh ***
#!/bin/bash
set -e
## GENERATE A KEY AND A SELF-SIGNED CERT ##
## 2048-bit RSA: 1024-bit keys are rejected by current browsers and CAs.
## The subjectAltName is required because browsers ignore the CN, and the
## bare apex is listed too because *.yoursite.com does not cover yoursite.com
## (-addext needs OpenSSL 1.1.1 or newer). -nodes leaves the key unencrypted
## so httpd can start without a passphrase; protect it with file permissions.
openssl req \
  -x509 -nodes -days 365 \
  -subj '/CN=*.yoursite.com/O=Your Company, Inc./OU=Hosting/C=US/ST=YourState/L=YourCity/emailAddress=your@emailaddr.com' \
  -addext 'subjectAltName=DNS:*.yoursite.com,DNS:yoursite.com' \
  -newkey rsa:2048 -keyout _.yoursite.com.key -out _.yoursite.com.self-signed.crt
chmod 600 _.yoursite.com.key
## GENERATE A CERTIFICATE-SIGNING-REQUEST TO SEND TO A CERTIFICATE AUTHORITY ##
openssl req -new -key _.yoursite.com.key \
  -subj '/CN=*.yoursite.com/O=Your Company, Inc./OU=Hosting/C=US/ST=YourState/L=YourCity/emailAddress=your@emailaddr.com' \
  -addext 'subjectAltName=DNS:*.yoursite.com,DNS:yoursite.com' \
  -out _.yoursite.com.csr
  *** END FILE : _.yoursite.com.sh ***
  
  -- UNIX COMMANDS --
  ./_.yoursite.com.sh
  chmod -x _.yoursite.com.sh
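
 Worked example, added here and not part of the original HowTo: the same
 key / CSR / self-signed-cert generation done through an OpenSSL config file
 so the CSR carries a subjectAltName (a CN-only wildcard CSR is refused by
 today's CAs and browsers), followed by the checks worth running before
 anything is copied into httpd.conf: that the certificate's public key belongs
 to the private key, that the SAN is present, and which hostnames the
 certificate actually covers according to OpenSSL's own hostname matcher.
 Assumptions: yoursite.com is the page's placeholder domain, files go to a
 scratch directory from mktemp instead of /etc/httpd/ssl/_.yoursite.com, and
 the openssl binary is on PATH. The config-file route also works on OpenSSL
 releases older than 1.1.1, which lack "req -addext".

```shell
#!/bin/sh
# Added example (not from the original page). Assumptions: "yoursite.com" is
# the page's placeholder domain, output goes to a mktemp scratch directory
# (the page uses /etc/httpd/ssl/_.yoursite.com), openssl is on PATH.
set -eu

# write_san_config DIR DOMAIN: OpenSSL request config carrying the SAN.
# Both the wildcard and the bare apex are listed: "*.DOMAIN" matches exactly
# one label (www.DOMAIN) and never DOMAIN itself or a.b.DOMAIN.
write_san_config() {
    cat > "$1/openssl.cnf" <<EOF
[ req ]
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
x509_extensions    = v3_req

[ dn ]
CN = *.$2
O  = Your Company, Inc.
C  = US

[ v3_req ]
subjectAltName = DNS:*.$2, DNS:$2
EOF
}

# gen_wildcard_material DIR DOMAIN: creates DIR/_.DOMAIN.key (mode 0600),
# DIR/_.DOMAIN.csr (what goes to the CA) and DIR/_.DOMAIN.self-signed.crt.
gen_wildcard_material() {
    write_san_config "$1" "$2"
    openssl genrsa -out "$1/_.$2.key" 2048 2>/dev/null
    chmod 600 "$1/_.$2.key"           # the private key must never be world-readable
    openssl req -new -key "$1/_.$2.key" -config "$1/openssl.cnf" \
        -out "$1/_.$2.csr"
    openssl req -x509 -key "$1/_.$2.key" -config "$1/openssl.cnf" -days 365 \
        -out "$1/_.$2.self-signed.crt"
}

# key_matches_cert KEY CRT: succeeds if the certificate's public key is the
# key's. Run this on the CA-issued .crt as well before pointing Apache at it.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_san CRT: prints the subjectAltName line of the certificate.
cert_san() {
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}'
}

# cert_matches_host CRT HOST: succeeds if OpenSSL's hostname matcher (the same
# RFC 6125 rules browsers apply) accepts HOST for this certificate.
cert_matches_host() {
    openssl x509 -in "$1" -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Demo run on constructed input: the placeholder domain from the page.
DEMO_DIR=$(mktemp -d)
gen_wildcard_material "$DEMO_DIR" yoursite.com
echo "CSR SAN:$(openssl req -in "$DEMO_DIR/_.yoursite.com.csr" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}')"
for h in www.yoursite.com yoursite.com a.b.yoursite.com; do
    if cert_matches_host "$DEMO_DIR/_.yoursite.com.self-signed.crt" "$h"; then
        echo "$h: covered"
    else
        echo "$h: NOT covered"    # only a.b.yoursite.com lands here
    fi
done
rm -rf "$DEMO_DIR"                # scratch directory only
```

 The a.b.yoursite.com result is the caveat behind the ServerAlias setup above:
 a wildcard certificate covers one label, so a fourth-level name needs its own
 certificate, and without the DNS:yoursite.com entry https://yoursite.com (the
 vhost's ServerName) would fail the name check too. Once the CA-issued .crt and
 .cabundle arrive, run key_matches_cert against the new .crt and
 `openssl verify -CAfile _.yoursite.com.cabundle _.yoursite.com.crt` to confirm
 the bundle completes the chain, then `apachectl configtest` before the restart.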

>> Send your Certificate Signing Request (.csr) file to your SSL Certificate Authority (e.g. Verisign, or GoDaddy in my case)
 - purchase the cert from them.
 - paste them the contents of /etc/httpd/ssl/_.yoursite.com/_.yoursite.com.csr
  (only the .csr leaves the server; the .key file never does).
 - follow their directions.

>> Your Certificate Authority will send you 2 files
 - 1st File : A new Certificate (.crt) file (generated by the "CA" Certificate Authority)
  - put the contents of this file in a file named :
  /etc/httpd/ssl/_.yoursite.com/_.yoursite.com.crt
  - In your httpd.conf file under the VirtualHost Section remove the self-signed part of your cert filename.
  from : SSLCertificateFile ssl/_.yoursite.com/_.yoursite.com.self-signed.crt
  to : SSLCertificateFile ssl/_.yoursite.com/_.yoursite.com.crt
 - 2nd File : A Certificate Authority Bundle file (.cabundle), the intermediate certificate(s) linking your cert to a root that browsers trust
  - put the contents of this file in a file named:
  /etc/httpd/ssl/_.yoursite.com/_.yoursite.com.cabundle
  - uncomment the chain-file line in your httpd.conf file.
  from : #SSLCertificateChainFile ssl/_.yoursite.com/_.yoursite.com.cabundle
  to : SSLCertificateChainFile ssl/_.yoursite.com/_.yoursite.com.cabundle
  - If that line in your httpd.conf reads SSLCACertificateFile instead, rename it: that directive configures the trust store for verifying client certificates, not the chain Apache sends to browsers. Without the bundle, browsers that have not already cached the intermediate reject the site as signed by an unknown issuer.
  - On Apache 2.4.8 and later SSLCertificateChainFile is deprecated; there you may instead append the bundle to the .crt file named in SSLCertificateFile.
   
>> Restart Apache
 -- Unix Command --
 service httpd restart
 
 

// Sources /////////////////////////////////////////////////////////////////////

http://www.madboa.com/geek/openssl/
http://www.openssl.org/docs/apps/req.html




Joseph Frazier
