gwu-libraries/SSL_HowTo


# SSL_HowTo

How to guide for enabling SSL and generating self-signed certificates for Ubuntu.

Enable Mod SSL

sudo a2enmod ssl

Generate a key. You will be prompted to create a passphrase. If you set one, it must be typed in every time Apache is restarted (including at boot); not setting one is more convenient but less secure, because anyone who can read the key file can then use the key directly.

sudo openssl genrsa -des3 -out server.key 2048

Create a copy of the key with the passphrase removed (this is the copy Apache will load, so it can start unattended; protect it with the same care as the original)

sudo openssl rsa -in server.key -out server.key.insecure

Swap the names, so that server.key is the unencrypted copy Apache uses and server.key.secure is the passphrase-protected original

sudo mv server.key server.key.secure
sudo mv server.key.insecure server.key

Create a Certificate Signing Request (CSR)

sudo openssl req -new -sha256 -key server.key -out server.csr

You'll be prompted to answer some questions:

Country [US]
State/Province [District of Columbia]
Locality [Washington]
Organization [GWU Libraries]
Organizational Unit [Scholarly Technology Group]
Common Name [DNS Name]
Email Address [gwlib-root@groups.gwu.edu]

Leave the challenge password and optional company name blank in most cases.

Get a signature for your certificate.

If you need a certificate that browsers trust, send the CSR file (never the key) to a Certificate Authority (CA) and they will send back a certificate. At GWU, email it to ithelp@gwu.edu and request an InCommon signed certificate.

Self Signing

If you're working in development and would prefer to sign the certificate yourself, do the following. Note that the command below copies no extensions into the certificate, so it has no subjectAltName; Chrome (since version 58) and other current browsers match the host name against the SAN rather than the Common Name, so expect a host-name mismatch warning in addition to the untrusted-issuer warning unless you add a SAN with -extfile.

sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
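The key, CSR and self-signing steps above, run non-interactively in a scratch directory with the checks worth doing before anything is copied under /etc/ssl. This is an added example and not code from the original guide: it assumes OpenSSL 1.1.1 or later on PATH, HOST and PASS are constructed placeholders, and -aes256 stands in for the guide's -des3.

```shell
#!/bin/sh
# Added example, not part of the original README: the key / CSR / self-sign
# steps run non-interactively, plus the checks a practitioner runs before
# copying the files into /etc/ssl.
# Assumptions: OpenSSL 1.1.1 or later on PATH. HOST and PASS are constructed
# placeholders; -aes256 is used in place of the guide's -des3 (3DES is obsolete).
set -eu

WORK="$(mktemp -d)"
HOST="dev.example.org"
PASS="constructed-passphrase"

# Steps 1-2 of the guide: passphrase-protected key, then a copy without the
# passphrase so Apache can restart unattended. Both files must stay root-only.
gen_key() {
  openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/server.key.secure" 2048 2>/dev/null
  openssl rsa -in "$WORK/server.key.secure" -passin "pass:$PASS" -out "$WORK/server.key" 2>/dev/null
  chmod 600 "$WORK/server.key" "$WORK/server.key.secure"
}

# Step 3: CSR with the subject supplied on the command line instead of the prompts.
gen_csr() {
  openssl req -new -sha256 -key "$WORK/server.key" \
    -subj "/C=US/ST=District of Columbia/L=Washington/O=GWU Libraries/OU=Scholarly Technology Group/CN=$HOST" \
    -out "$WORK/server.csr" 2>/dev/null
}

# Step 4: self-sign. The guide's command adds no extensions; here a
# subjectAltName is added because browsers match the host name against the
# SAN, not the Common Name.
self_sign() {
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.cnf"
  openssl x509 -req -days 365 -sha256 -in "$WORK/server.csr" \
    -signkey "$WORK/server.key" -extfile "$WORK/san.cnf" \
    -out "$WORK/server.crt" 2>/dev/null
}

# Check 1: the key Apache will load really has no passphrase (otherwise
# Apache blocks on a prompt at boot).
key_is_unencrypted() { ! grep -q ENCRYPTED "$WORK/server.key"; }

# Check 2: certificate and key belong together (same RSA modulus).
cert_matches_key() {
  [ "$(openssl x509 -noout -modulus -in "$WORK/server.crt")" = \
    "$(openssl rsa -noout -modulus -in "$WORK/server.key" 2>/dev/null)" ]
}

# Check 3: the certificate is self-signed (issuer equals subject) and carries the SAN.
cert_is_self_signed() {
  [ "$(openssl x509 -noout -issuer -in "$WORK/server.crt" | sed 's/^issuer=//')" = \
    "$(openssl x509 -noout -subject -in "$WORK/server.crt" | sed 's/^subject=//')" ]
}
cert_has_san() { openssl x509 -noout -text -in "$WORK/server.crt" | grep -q "DNS:$HOST"; }

gen_key
gen_csr
self_sign
openssl x509 -noout -subject -dates -in "$WORK/server.crt"
```

Replace HOST with the real DNS name, and run the three checks again after copying the files into place: a mismatched key/cert pair or an encrypted key are the two most common reasons the SSL virtual host fails to come up.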

Install SSL certs. The certificate is public, but the private key must be readable by root only (mode 0600); /etc/ssl/private is already restricted on Ubuntu, so keep the copied key's permissions tight as well.

sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private

Configure Virtual Host

sudo cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/host-ssl

(where 'host' is the domain name, i.e. library.gwu.edu-ssl). On Apache 2.4 (Ubuntu 14.04 and later) the shipped file is default-ssl.conf and the copy must also end in .conf, otherwise a2ensite will not find it.

Configure the following in your virtual host file. The SSLProtocol and SSLCipherSuite values below date from when SSLv3 was the main concern; TLS 1.0 and 1.1 have since been deprecated (RFC 8996) and the 3DES suites are subject to SWEET32, so on a current Apache disable everything below TLS 1.2 and drop the 3DES entries.

<VirtualHost *:443>
ServerName example.com:443
...
SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
...
</VirtualHost>

## Enable the virtual host file

sudo a2ensite host-ssl

(as named earlier when you copied the default-ssl file, i.e. library.gwu.edu-ssl)

(Optional) Add the following to your .htaccess file to redirect HTTP traffic to HTTPS. This needs mod_rewrite enabled (a2enmod rewrite) and AllowOverride permitting it for the directory; a Redirect directive in the port-80 virtual host does the same job without .htaccess.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

(The variable is REQUEST_URI; REQUEST_URL does not exist in mod_rewrite and would expand to nothing, redirecting every request to the site root.)

Restart Apache2

sudo service apache2 restart

Test and verify your conf. Run apache2ctl configtest before restarting so a syntax error does not take the site down, then connect from another machine with openssl s_client -connect host:443 -servername host and confirm that the certificate chain lists the server certificate followed by the intermediate and that the verify return code is 0 (ok). A browser that already has the intermediate cached will hide a missing intermediate; s_client will not.

GWU Intermediate

To work across all browser/OS combinations (I'm looking at you, Chrome/Android) install the intermediate certificate, since not every client has it cached. For sites with a cert from GW: download the intermediate cert provided by GWU (usually in the same email as the server certificate: the download option labelled "X509 Intermediates/root only, Base64 encoded"). Then add the following directive after the certificate and key files: SSLCertificateChainFile /etc/ssl/intermediate/library_gwu_edu_interm.cer. On Apache 2.4.8 and later SSLCertificateChainFile is deprecated; there, append the intermediate to the file named by SSLCertificateFile instead (server certificate first, then the intermediate, never the root).

InCommon Intermediate

If you're using a certificate signed by InCommon, download their intermediate bundle and include it in your chain. The bundle is available at http://www.incommon.org/certificates/repository/sha384%20Intermediate%20cert.txt. Rename this certificate and move it to /etc/ssl/intermediate/incommon-ssl.ca-bundle. Then add the following directive after the certificate and key files: SSLCertificateChainFile /etc/ssl/intermediate/incommon-ssl.ca-bundle.
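The chain problem described in the two intermediate sections, and the verification the "Test and verify your conf" step calls for, reproduced offline with a throwaway root, intermediate and server certificate. This is an added example and not code from the original guide or from GWU/InCommon: it assumes OpenSSL 1.1.1 or later on PATH, and every name and subject in it is constructed.

```shell
#!/bin/sh
# Added example, not part of the original README: a throwaway
# root -> intermediate -> server chain built locally, to show why a missing
# intermediate fails for clients that do not have it cached and how to check
# the chain file before relying on a browser test.
# Assumptions: OpenSSL 1.1.1 or later on PATH; all names are constructed.
set -eu

WORK="$(mktemp -d)"
HOST="www.example.org"

# make_cert NAME SUBJECT EXTENSIONS [ISSUER]: key + CSR, then self-sign
# (no ISSUER, used for the root) or sign with ISSUER's key and certificate.
make_cert() {
  name="$1"; subj="$2"; ext="$3"; issuer="${4:-}"
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  printf '%b\n' "$ext" > "$WORK/$name.ext"
  openssl req -new -sha256 -key "$WORK/$name.key" -subj "$subj" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -days 365 -sha256 -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl x509 -req -days 365 -sha256 -in "$WORK/$name.csr" \
      -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" -CAcreateserial \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  fi
}

build_chain() {
  make_cert root "/O=Example/CN=Example Root CA" \
    'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
  make_cert intermediate "/O=Example/CN=Example Issuing CA" \
    'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign' root
  make_cert server "/O=Example/CN=$HOST" \
    "basicConstraints=CA:FALSE\nsubjectAltName=DNS:$HOST" intermediate
  # What Apache should serve: leaf first, then the intermediate (never the root).
  cat "$WORK/server.crt" "$WORK/intermediate.crt" > "$WORK/chain.pem"
}

# A client that trusts the root but is not handed the intermediate cannot
# build a path: the "works on my laptop, fails on Android" symptom.
missing_intermediate_is_rejected() {
  if openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# With the intermediate supplied as an untrusted path element the chain
# verifies, and the host name is checked against the SAN as a browser would.
chain_verifies() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/intermediate.crt" \
    -verify_hostname "$HOST" "$WORK/server.crt" >/dev/null 2>&1
}

# Order check for the chain file: the first certificate's issuer must be the
# second certificate's subject, otherwise Apache serves the intermediate as the leaf.
chain_order_ok() {
  listing="$(openssl crl2pkcs7 -nocrl -certfile "$WORK/chain.pem" | openssl pkcs7 -print_certs -noout)"
  first_issuer="$(printf '%s\n' "$listing" | grep '^issuer=' | sed -n '1p')"
  second_subject="$(printf '%s\n' "$listing" | grep '^subject=' | sed -n '2p')"
  [ "${first_issuer#issuer=}" = "${second_subject#subject=}" ]
}

build_chain
```

Against a live server, the equivalent of chain_verifies is openssl s_client -connect host:443 -servername host -CAfile root.pem: if the server omits the intermediate, s_client reports "unable to get local issuer certificate" exactly as missing_intermediate_is_rejected does here.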
