# SSL_HowTo

How-to guide for enabling SSL in Apache and generating self-signed certificates on Ubuntu.
Enable the Apache SSL module:

```sh
sudo a2enmod ssl
```
Generate a key. You will be prompted to create a pass phrase; setting one means you must enter it every time the secure service is restarted. Not setting one is more convenient, but less secure. The commands below create a pass-phrase-protected key, then write an unprotected copy for Apache to use and keep the protected original as `server.key.secure`:

```sh
sudo openssl genrsa -des3 -out server.key 2048
sudo openssl rsa -in server.key -out server.key.insecure
sudo mv server.key server.key.secure
sudo mv server.key.insecure server.key
```

Create a certificate signing request (CSR) from the key:

```sh
sudo openssl req -new -sha256 -key server.key -out server.csr
```
You'll be prompted to answer some questions:

- Country [US]
- State/Province [District of Columbia]
- Locality [Washington]
- Organization [GWU Libraries]
- Organizational Unit [Scholarly Technology Group]
- Common Name [DNS Name]
- Email Address [gwlib-root@groups.gwu.edu]

Leave the challenge section blank in most cases.
If you're getting a proper certificate, send the CSR file (`server.csr`) to a Certificate Authority (CA) and they will send back a certificate. At GWU, email it to ithelp@gwu.edu and request an InCommon signed certificate.

If you're working in development and would prefer to sign the certificate yourself, do the following:
```sh
sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
```

Install the certificate and key where Apache expects them:

```sh
sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private
```
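The same key, CSR and self-signing steps as a non-interactive script, followed by the checks worth running before copying anything into `/etc/ssl`. This is an added example, not part of the original guide: the scratch directory, the hostname `dev.example.test` and the subject fields are assumptions, and it supplies a `subjectAltName` through an extension file because browsers require one and `x509 -req` does not carry extensions over from the CSR.

```shell
#!/bin/sh
# Added example, not part of the original guide: the key -> CSR -> self-signed
# certificate steps run non-interactively, followed by the checks to run before
# copying the files into /etc/ssl. WORK, CERT_HOST and the subject fields are
# assumptions for the demo; substitute your own.
set -eu

WORK="${WORK:-$(mktemp -d)}"                  # scratch directory for the generated files
CERT_HOST="${CERT_HOST:-dev.example.test}"    # constructed hostname; use the real DNS name

# Step 1: 2048-bit RSA key with no pass phrase, so apache2 can restart unattended.
gen_key() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
}

# Step 2: CSR. -subj answers the interactive prompts listed in the guide.
gen_csr() {
    openssl req -new -sha256 -key "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/C=US/ST=District of Columbia/L=Washington/O=Example Org/OU=Dev/CN=$CERT_HOST"
}

# Step 3: self-sign for development. "x509 -req" drops any extensions in the CSR,
# so the subjectAltName browsers insist on is supplied through -extfile.
self_sign() {
    days="${1:-365}"
    printf 'subjectAltName=DNS:%s\n' "$CERT_HOST" > "$WORK/san.ext"
    openssl x509 -req -days "$days" -sha256 -in "$WORK/server.csr" \
        -signkey "$WORK/server.key" -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Check 1: key and certificate belong together (same RSA modulus).
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$WORK/server.key" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$WORK/server.crt" | openssl sha256)
    [ "$k" = "$c" ]
}

# Check 2: the key Apache will load is not pass-phrase protected.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$WORK/server.key"
}

# Check 3: the certificate names the host in a SAN, not only in the CN.
cert_has_san() {
    openssl x509 -noout -text -in "$WORK/server.crt" | grep -q "DNS:$CERT_HOST"
}

# Check 4: subject and validity window, for a final review before deployment.
cert_summary() {
    openssl x509 -noout -subject -dates -in "$WORK/server.crt"
}

# Run end to end: sh make-cert.sh run   (script name is an assumption)
if [ "${1:-}" = "run" ]; then
    gen_key && gen_csr && self_sign 365 && key_matches_cert && key_is_unencrypted \
        && cert_has_san && cert_summary && echo "OK: $WORK/server.key and server.crt ready"
fi
```

Run it with `sh make-cert.sh run`; it stops at the first failed check, so a key that does not match the certificate, a pass-phrase-protected key, or a certificate that only carries the hostname in the CN is caught before the files reach `/etc/ssl`.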
Create the SSL virtual host file from the default one:

```sh
sudo cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/host-ssl
```

(where 'host' is the domain name, e.g. library.gwu.edu-ssl; on Ubuntu releases that ship Apache 2.4 these files carry a `.conf` suffix, i.e. `default-ssl.conf` and `host-ssl.conf`)
Edit the new file so that the virtual host contains at least the following:

```apache
<VirtualHost *:443>
    ServerName example.com:443
    ...
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    ...
</VirtualHost>
```
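A way to see what the `SSLCipherSuite` line above actually enables before deploying it: mod_ssl resolves the string with the system OpenSSL, so `openssl ciphers -v` on the same machine shows the same list. This is an added example, not from the original guide; the weak-cipher pattern is this example's own definition, and whether the 3DES entries expand to anything depends on how the local OpenSSL was built.

```shell
#!/bin/sh
# Added example, not part of the original guide: expands an SSLCipherSuite string
# with the local OpenSSL (the library mod_ssl links against) and counts the entries
# a reviewer would not want on a public host. SUITE is the string from the guide's
# virtual host; the "weak" pattern below is this example's own choice.
set -eu

SUITE='ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'

# Print the cipher list as mod_ssl would resolve it, one suite per line with the
# key exchange (Kx), authentication (Au), encryption (Enc) and MAC columns.
expand_suite() {
    openssl ciphers -v "$1"
}

# Count suites with no authentication, an MD5 MAC, or 3DES/RC4/no encryption.
# grep -c exits 1 when the count is 0, hence "|| true" under set -e.
weak_cipher_count() {
    openssl ciphers -v "$1" | grep -Ec 'Au=None|Mac=MD5|Enc=(3DES|RC4|None)' || true
}

# Count forward-secret AEAD suites: ECDHE/DHE key exchange with AES-GCM or ChaCha20.
fs_aead_count() {
    openssl ciphers -v "$1" | grep -E 'Kx=(ECDH|DH)' | grep -Ec 'Enc=(AESGCM|CHACHA20)' || true
}

# Report for the suite above: sh check-ciphers.sh report   (script name is an assumption)
if [ "${1:-}" = "report" ]; then
    expand_suite "$SUITE"
    echo "weak suites: $(weak_cipher_count "$SUITE")"
    echo "forward-secret AEAD suites: $(fs_aead_count "$SUITE")"
fi
```

The order printed is the order `SSLHonorCipherOrder On` will prefer, so the forward-secret AEAD suites should appear at the top; a non-zero weak count points at the `3DES` entries, which the string keeps only for old clients.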
## Enable the virtual host file

```sh
sudo a2ensite host-ssl
```

(as named earlier when you copied the default-ssl file, i.e. library.gwu.edu-ssl)
To redirect plain HTTP requests to HTTPS, add the following to the port 80 virtual host (mod_rewrite must be enabled: `sudo a2enmod rewrite`):

```apache
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

Then restart Apache:

```sh
sudo service apache2 restart
```
To work across all browser/OS combinations (I'm looking at you, Chrome/Android) install an intermediate certificate. For sites with a cert from GW:

Download the intermediate cert provided by GWU (usually in the same email as the root certificate: the download option labelled "X509 Intermediates/root only, Base64 encoded"). Then add the following directive after the certificate and key files:

```apache
SSLCertificateChainFile /etc/ssl/intermediate/library_gwu_edu_interm.cer
```

If you're using a certificate signed by InCommon, download their intermediate bundle and include it in your chain. The bundle is available at http://www.incommon.org/certificates/repository/sha384%20Intermediate%20cert.txt . Rename this certificate and move it to `/etc/ssl/intermediate/incommon-ssl.ca-bundle`. Then add the following directive after the certificate and key files:

```apache
SSLCertificateChainFile /etc/ssl/intermediate/incommon-ssl.ca-bundle
```
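To see why the intermediate matters, and to check a downloaded bundle before pointing `SSLCertificateChainFile` at it, the following added example (not part of the original guide) builds a throwaway root -> intermediate -> server chain with openssl and validates the server certificate with and without the intermediate. The CA names, the hostname and the scratch directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original guide: builds a throwaway
# root -> intermediate -> server chain and shows, with openssl alone, why a
# missing intermediate breaks validation and how to check a chain file before
# it goes into SSLCertificateChainFile. Names and paths are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CERT_HOST="dev.example.test"

# Issue one certificate: $1 name, $2 subject, $3 extension file, and optionally
# $4/$5 the issuing CA certificate and key (omitted = self-signed).
issue() {
    name="$1"; subj="$2"; ext="$3"; ca_crt="${4:-}"; ca_key="${5:-}"
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/$name.key" -subj "$subj" -out "$WORK/$name.csr"
    if [ -z "$ca_crt" ]; then
        openssl x509 -req -days 30 -sha256 -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -extfile "$ext" -out "$WORK/$name.crt" 2>/dev/null
    else
        openssl x509 -req -days 30 -sha256 -in "$WORK/$name.csr" -CA "$ca_crt" -CAkey "$ca_key" \
            -CAcreateserial -extfile "$ext" -out "$WORK/$name.crt" 2>/dev/null
    fi
}

build_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$CERT_HOST" > "$WORK/leaf.ext"
    issue root "/CN=Demo Root CA" "$WORK/ca.ext"
    issue inter "/CN=Demo Intermediate CA" "$WORK/ca.ext" "$WORK/root.crt" "$WORK/root.key"
    issue server "/CN=$CERT_HOST" "$WORK/leaf.ext" "$WORK/inter.crt" "$WORK/inter.key"
    # What SSLCertificateChainFile should contain: the intermediate(s), not the root.
    cat "$WORK/inter.crt" > "$WORK/chain.pem"
}

# A client that trusts only the root and is not sent the intermediate: fails.
verify_without_chain() {
    openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# The same client once the server supplies the intermediate: succeeds.
verify_with_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/chain.pem" "$WORK/server.crt" >/dev/null 2>&1
}

# Sanity check on a downloaded bundle: its first certificate must be the issuer
# of the server certificate, otherwise it is the wrong bundle.
chain_issues_server() {
    i=$(openssl x509 -noout -issuer -in "$WORK/server.crt" | sed 's/^issuer=//')
    s=$(openssl x509 -noout -subject -in "$WORK/chain.pem" | sed 's/^subject=//')
    [ "$i" = "$s" ]
}

# Demo: sh chain-demo.sh run   (script name is an assumption)
if [ "${1:-}" = "run" ]; then
    build_chain
    verify_without_chain && echo "unexpected: validated without the intermediate" \
        || echo "without chain file: FAIL (expected; this is the Chrome/Android symptom)"
    verify_with_chain && echo "with chain file: OK"
fi
```

The same two `openssl verify` calls work against a real deployment: substitute the CA's root for `root.crt`, the downloaded bundle for `chain.pem` and the issued certificate for `server.crt`. If the first call already succeeds, the client has the intermediate cached locally, which is exactly the situation that hides a missing `SSLCertificateChainFile` on a developer's machine.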