{"id":657,"date":"2017-01-19T18:53:45","date_gmt":"2017-01-19T16:53:45","guid":{"rendered":"http:\/\/helia.ee\/koolitus\/?page_id=657"},"modified":"2017-01-19T18:53:45","modified_gmt":"2017-01-19T16:53:45","slug":"debian-8-how-to-create-a-ssl-certificate-on-apache-for-debian-8","status":"publish","type":"page","link":"https:\/\/helia.ee\/koolitus\/?page_id=657","title":{"rendered":"Debian 8 &#8211; How To Create a SSL Certificate on Apache for Debian 8"},"content":{"rendered":"<h3 id=\"introduction\">Introduction<\/h3>\n<p>This tutorial walks you through the setup and configuration of an Apache server secured with an SSL certificate. By the end of the tutorial, you will have a server accessible via HTTPS.<\/p>\n<p>SSL is based on the mathematical intractability of resolving a large integer into its also-large prime factors. Using this, we can encrypt information using a private-public key pair. Certificate authorities can issue SSL certificates that verify the authenticity of such a secured connection, and on the same note, a self-signed certificate can be produced without third-party support.<\/p>\n<p>In this tutorial, we will generate a self-signed certificate, make the necessary configurations, and test the results. 
Self-signed certificates are great for testing, but will result in browser errors for your users, so they&#8217;re not recommended for production.<\/p>\n<p>If you&#8217;d like to obtain a paid certificate instead, please see <a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-install-an-ssl-certificate-from-a-commercial-certificate-authority\">this tutorial<\/a>.<\/p>\n<div data-unique=\"prerequisites\"><\/div>\n<h2 id=\"prerequisites\">Prerequisites<\/h2>\n<p>To follow this tutorial, you will need:<\/p>\n<ul>\n<li>One fresh Debian 8 Droplet<\/li>\n<li>A sudo non-root user, which you can set up by following Steps 2 and 3 of <a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/initial-server-setup-with-debian-8\">this tutorial<\/a><\/li>\n<li>OpenSSL installed and updated (should be installed by default)<\/li>\n<\/ul>\n<ul class=\"prefixed\">\n<li class=\"line\">sudo apt-get update<\/li>\n<li class=\"line\">sudo apt-get upgrade openssl<\/li>\n<\/ul>\n<p>You may want a second computer with OpenSSL installed, for testing purposes:<\/p>\n<ul>\n<li>Another Linux Droplet<\/li>\n<li>Or, a Unix-based local system (Mac, Ubuntu, Debian, etc.)<\/li>\n<\/ul>\n<div data-unique=\"step-1-\u2014-install-apache\"><\/div>\n<h2 id=\"step-1-\u2014-install-apache\">Step 1 \u2014 Install Apache<\/h2>\n<p>In this step, we will use a built-in <em>package installer<\/em> called <code>apt-get<\/code>. It simplifies package management drastically and facilitates a clean installation.<\/p>\n<p>In the link specified in the prerequisites, you should have updated <code>apt-get<\/code> and installed the <code>sudo<\/code> package, as unlike other Linux distributions, Debian 8 does not come with <code>sudo<\/code> installed.<\/p>\n<p>Apache will be our HTTPS server. 
To install it, run the following:<\/p>\n<ul class=\"prefixed\">\n<li class=\"line\">sudo apt-get install apache2<\/li>\n<\/ul>\n<div data-unique=\"step-2-\u2014-enable-the-ssl-module\"><\/div>\n<h2 id=\"step-2-\u2014-enable-the-ssl-module\">Step 2 \u2014 Enable the SSL Module<\/h2>\n<p>In this section, we will enable SSL on our server.<\/p>\n<p>First, enable the Apache SSL module.<\/p>\n<ul class=\"prefixed\">\n<li class=\"line\">sudo a2enmod ssl<\/li>\n<\/ul>\n<p>The default Apache website comes with a useful template for enabling SSL, so we will activate the default website now.<\/p>\n<ul class=\"prefixed\">\n<li class=\"line\">sudo a2ensite default-ssl<\/li>\n<\/ul>\n<p>Restart Apache to put these changes into effect.<\/p>\n<ul class=\"prefixed\">\n<li class=\"line\">sudo service apache2 reload<\/li>\n<\/ul>\n<div data-unique=\"step-3-\u2014-create-a-self-signed-ssl-certificate\"><\/div>\n<h2 id=\"step-3-\u2014-create-a-self-signed-ssl-certificate\">Step 3 \u2014 Create a Self-Signed SSL Certificate<\/h2>\n<p>First, let&#8217;s create a new directory where we can store the private key and certificate.<\/p>\n<ul class=\"prefixed\">\n<li class=\"line\">sudo mkdir \/etc\/apache2\/ssl<\/li>\n<\/ul>\n<p>Next, we will request a new certificate and sign it.<\/p>\n<p>First, generate a new certificate and a private key to protect it.<\/p>\n<ul>\n<li>The <code>days<\/code> flag specifies how long the certificate should remain valid. 
With this example, the certificate will last for one year<\/li>\n<li>The <code>keyout<\/code> flag specifies the path to our generated key<\/li>\n<li>The <code>out<\/code> flag specifies the path to our generated certificate<\/li>\n<\/ul>\n<ul class=\"prefixed\">\n<li class=\"line\">sudo openssl req -x509 -nodes -days <span class=\"highlight\">365<\/span> -newkey rsa:2048 -keyout \/etc\/apache2\/ssl\/<span class=\"highlight\">apache.key<\/span> -out \/etc\/apache2\/ssl\/<span class=\"highlight\">apache.crt<\/span><\/li>\n<\/ul>\n<p>Invoking this command will result in a series of prompts.<\/p>\n<ul>\n<li><strong>Common Name<\/strong>: Specify your server&#8217;s IP address or hostname. This field matters, since your certificate needs to match the domain (or IP address) for your website<\/li>\n<li>Fill out all other fields at your own discretion.<\/li>\n<\/ul>\n<p>Example answers are shown in <span class=\"highlight\">red<\/span> below.<\/p>\n<div class=\"secondary-code-label \" title=\"Interactive\">Interactive<\/div>\n<pre class=\"code-pre \"><code>You are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nCountry Name (2 letter code) [AU]:<span class=\"highlight\">US<\/span>\r\nState or Province Name (full name) [Some-State]:<span class=\"highlight\">New York<\/span>\r\nLocality Name (eg, city) []:<span class=\"highlight\">NYC<\/span>\r\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:<span class=\"highlight\">DigitalOcean<\/span>\r\nOrganizational Unit Name (eg, section) []:<span class=\"highlight\">SSL Certificate Test<\/span>\r\nCommon Name (e.g. 
server FQDN or YOUR name) []:<span class=\"highlight\">example.com<\/span>               \r\nEmail Address []:<span class=\"highlight\">test@example.com<\/span>\r\n<\/code><\/pre>\n<p>Set the file permissions to protect your private key and certificate.<\/p>\n<ul class=\"prefixed\">\n<li class=\"line\">sudo chmod 600 \/etc\/apache2\/ssl\/*<\/li>\n<\/ul>\n<p>For more information on the three-digit permissions code, see the tutorial on <a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/linux-permissions-basics-and-how-to-use-umask-on-a-vps\">Linux permissions<\/a>.<\/p>\n<p>Your certificate and the private key that protects it are now ready for Apache to use.<\/p>\n<div data-unique=\"step-4-\u2014-configure-apache-to-use-ssl\"><\/div>\n<h2 id=\"step-4-\u2014-configure-apache-to-use-ssl\">Step 4 \u2014 Configure Apache to Use SSL<\/h2>\n<p>In this section, we will configure the default Apache virtual host to use the SSL key and certificate. After making this change, our server will begin serving HTTPS instead of HTTP requests for the default site.<\/p>\n<p>Open the server configuration file using <code>nano<\/code> or your favorite text editor.<\/p>\n<ul class=\"prefixed\">\n<li class=\"line\">sudo nano \/etc\/apache2\/sites-enabled\/default-ssl.conf<\/li>\n<\/ul>\n<p>Locate the section that begins with <code>&lt;VirtualHost _default_:443&gt;<\/code> and make the following changes.<\/p>\n<ul>\n<li>Add a line with your server name directly below the <code>ServerAdmin<\/code> email line. This can be your domain name or IP address:<\/li>\n<\/ul>\n<div class=\"code-label \" title=\"\/etc\/apache2\/sites-enabled\/default\">\/etc\/apache2\/sites-enabled\/default<\/div>\n<pre class=\"code-pre \"><code>ServerAdmin webmaster@localhost\r\nServerName <span class=\"highlight\">example.com<\/span>:443\r\n<\/code><\/pre>\n<ul>\n<li>Find the following two lines, and update the paths to match the locations of the certificate and key we generated earlier. 
If you purchased a certificate or generated your certificate elsewhere, make sure the paths here match the actual locations of your certificate and key:<\/li>\n<\/ul>\n<div class=\"code-label \" title=\"\/etc\/apache2\/sites-enabled\/default\">\/etc\/apache2\/sites-enabled\/default<\/div>\n<pre class=\"code-pre \"><code> SSLCertificateFile <span class=\"highlight\">\/etc\/apache2\/ssl\/apache.crt<\/span>\r\n SSLCertificateKeyFile <span class=\"highlight\">\/etc\/apache2\/ssl\/apache.key<\/span>\r\n<\/code><\/pre>\n<p>Once these changes have been made, check that your virtual host configuration file matches the following.<\/p>\n<div class=\"code-label \" title=\"\/etc\/apache2\/sites-enabled\/default-ssl\">\/etc\/apache2\/sites-enabled\/default-ssl<\/div>\n<pre class=\"code-pre \"><code>&lt;IfModule mod_ssl.c&gt;\r\n    &lt;VirtualHost _default_:443&gt;\r\n        ServerAdmin webmaster@localhost\r\n        ServerName <span class=\"highlight\">example.com:443<\/span>\r\n        DocumentRoot \/var\/www\/html\r\n\r\n        . . .\r\n        SSLEngine on\r\n\r\n        . . 
.\r\n\r\n        SSLCertificateFile <span class=\"highlight\">\/etc\/apache2\/ssl\/apache.crt<\/span>\r\n        SSLCertificateKeyFile <span class=\"highlight\">\/etc\/apache2\/ssl\/apache.key<\/span>\r\n<\/code><\/pre>\n<p>Save and exit the file.<\/p>\n<p>Restart Apache to apply the changes.<\/p>\n<ul class=\"prefixed\">\n<li class=\"line\">sudo service apache2 reload<\/li>\n<\/ul>\n<p>To learn more about configuring Apache virtual hosts in general, see <a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-set-up-apache-virtual-hosts-on-ubuntu-14-04-lts\">this article<\/a>.<\/p>\n<div data-unique=\"step-5-\u2014-test-apache-with-ssl\"><\/div>\n<h2 id=\"step-5-\u2014-test-apache-with-ssl\">Step 5 \u2014 Test Apache with SSL<\/h2>\n<p>In this section, we will test your SSL connection from the command line.<\/p>\n<p>You can run this test from either (1) your local Unix-based system, (2) another Droplet, or (3) the same Droplet. If you run it from an external system you&#8217;ll confirm that your site is reachable over the public Internet.<\/p>\n<p>Open a connection via the HTTPS 443 port.<\/p>\n<ul class=\"prefixed\">\n<li class=\"line\">openssl s_client -connect <span class=\"highlight\">your_server_ip<\/span>:443<\/li>\n<\/ul>\n<p>Scroll to the middle of the output (after the key), and you should find the following:<\/p>\n<div class=\"secondary-code-label \" title=\"Output\">Output<\/div>\n<pre class=\"code-pre \"><code>---\r\nSSL handshake has read 3999 bytes and written 444 bytes\r\n---\r\n\r\n. . .\r\n\r\nSSL-Session:\r\n\r\n. . .\r\n<\/code><\/pre>\n<p>Of course, the numbers are variable, but this is success. Congratulations!<\/p>\n<p>Press <code>CTRL+C<\/code> to exit.<\/p>\n<p>You can also visit your site in a web browser, using HTTPS in the URL (<code>https:\/\/example.com<\/code>). Your browser will warn you that the certificate is self-signed. 
You should be able to view the certificate and confirm that the details match what you entered in Step 3.<\/p>\n<div data-unique=\"conclusion\"><\/div>\n<h2 id=\"conclusion\">Conclusion<\/h2>\n<p>This concludes our tutorial, leaving you with a working Apache server, configured securely with an SSL certificate. For more information on working with OpenSSL, see <a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs\">the OpenSSL Essentials article<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction This tutorial walks you through the setup and configuration of an Apache server secured with an SSL certificate. By the end of the tutorial, you will have a server accessible via HTTPS. SSL is based on the mathematical intractability of resolving a large integer into its also-large prime factors. Using this, we can encrypt [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":621,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"class_list":["post-657","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/657","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=657"}],"version-history":[{"count":1,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/657\
/revisions"}],"predecessor-version":[{"id":658,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/657\/revisions\/658"}],"up":[{"embeddable":true,"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=\/wp\/v2\/pages\/621"}],"wp:attachment":[{"href":"https:\/\/helia.ee\/koolitus\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=657"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}