Feature #70

Add SSL Certificate to ISPConfig Host on Ubuntu Server

Added by Daniel Curtis over 7 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Web Server
Target version:
-
Start date:
02/15/2013
Due date:
% Done:

100%

Estimated time:
2.00 h
Spent time:

Description

Before Beginning

ISPConfig can create "self-signed" certificates from the administration panel, under Sites -> <site-name> -> SSL. Creating a "self-signed" certificate there is as easy as filling out the State, Locality, Organization, Organization Unit, Country, and Domain fields, then selecting "Create Certificate" in the SSL Action field. This action can also be done from the command line:

cd /var/www/example.com/ssl/
openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout example.com.key -out example.com.csr

This will generate a Private Key (KEY) and a Certificate Signing Request (CSR).

If a legitimate SSL Certificate is needed, send the generated Certificate Signing Request (CSR) to the Certificate Authority (CA) for signing. An SSL Certificate (CRT) will be sent back.

Setting Up The Certificate

If the CSR was generated using the administration panel, a "self-signed" certificate is already in place. It isn't too important, but for good measure back up the previous SSL Certificate. This will require sudo or root access:

mv /var/www/example.com/ssl/example.com.crt /var/www/example.com/ssl/example.com.crt_bak

Create the new SSL Certificate:

vi /var/www/example.com/ssl/example.com.crt

Copy the contents of the SSL Certificate that was sent back from the Certificate Authority and paste it into the example.com.crt file.

Setting Up StartSSL Root and Intermediate CA (Optional)

Next, download StartSSL's Root CA and the Class1 Intermediate Server CA:

cd /var/www/example.com/ssl
wget https://www.startssl.com/certs/ca.pem
wget https://www.startssl.com/certs/sub.class1.server.ca.pem

(If you use a Class2 certificate, please download sub.class2.server.ca.pem instead of sub.class1.server.ca.pem).

Rename both files:

mv ca.pem startssl.ca.crt
mv sub.class1.server.ca.pem startssl.sub.class1.server.ca.crt

(Adjust the second command if you use a Class2 certificate.)

Some services require a .pem file:

cat startssl.sub.class1.server.ca.crt startssl.ca.crt > startssl.chain.class1.server.crt
cat example.com.{key,crt} startssl.chain.class1.server.crt > ispserver.pem
chmod 600 ispserver.pem

(Again, make sure you adjust the commands if you use a Class2 certificate.)

Configure Apache to Use SSL Certificate

Open /etc/apache2/sites-available/example.com.vhost:

vi /etc/apache2/sites-available/example.com.vhost

Add the line SSLCertificateChainFile /var/www/example.com/ssl/startssl.sub.class1.server.ca.crt to the # SSL Configuration section (please be aware that you have to re-add that line whenever you update ISPConfig!):

[...]
  # SSL Configuration
  SSLEngine On
  SSLCertificateFile /var/www/example.com/ssl/example.com.crt
  SSLCertificateKeyFile /var/www/example.com/ssl/example.com.key
  ## must be re-added after an ISPConfig update!!!
  SSLCertificateChainFile /var/www/example.com/ssl/startssl.sub.class1.server.ca.crt
[...]

(Adjust this if you use a Class2 certificate.)

Restart Apache afterwards:

/etc/init.d/apache2 restart
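
A check worth running before the Apache restart, as an added example that is not part of the original issue: it confirms that the private key, CSR and returned certificate carry the same public key, and that the certificate verifies through the intermediate CA to the root. The function names and the throwaway demo CA built by make_demo are assumptions made for illustration; they are not files or commands from this page.

```shell
#!/bin/sh
# Added example: pre-restart checks for the key, CSR, certificate and CA files.

# pubkey_fp KIND FILE: SHA-256 of the public key inside a key, csr or crt file
pubkey_fp() {
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    [ -n "$pem" ] || return 1      # unreadable file or wrong file type
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# same_key KIND1 FILE1 KIND2 FILE2: true when both files carry the same public key
same_key() {
    a=$(pubkey_fp "$1" "$2") && b=$(pubkey_fp "$3" "$4") && [ "$a" = "$b" ]
}

# chain_ok ROOT INTERMEDIATE CRT: true when CRT verifies to ROOT through INTERMEDIATE
chain_ok() {
    out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1) &&
        printf '%s\n' "$out" | grep -q ': OK$'
}

# make_demo DIR: constructed throwaway root, intermediate and host files for a dry run
make_demo() {
    d=$1; printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Root' \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
        -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/sub.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=example.com' \
        -keyout "$d/example.com.key" -out "$d/example.com.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/example.com.csr" -CA "$d/sub.crt" -CAkey "$d/sub.key" \
        -CAcreateserial -days 2 -out "$d/example.com.crt" 2>/dev/null
}

# Usage: sh check.sh KEY CRT ROOT INTERMEDIATE   (run before restarting Apache)
if [ $# -eq 4 ]; then
    same_key key "$1" crt "$2" || { echo "key does not match certificate" >&2; exit 1; }
    chain_ok "$3" "$4" "$2"    || { echo "certificate does not chain to CA" >&2; exit 1; }
    echo "key, certificate and chain are consistent"
fi
```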

History

#1 Updated by Daniel Curtis over 7 years ago

  • Estimated time set to 2.00

Instead of using the same StartSSL Intermediate CA file for each host, use a symbolic link, as you only need one real copy between all hosts.

cd /var/www/example.com/ssl/
ln -s /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt

#2 Updated by Daniel Curtis almost 7 years ago

  • Project changed from Website Hosting to 57

#3 Updated by Daniel Curtis over 5 years ago

  • Project changed from 57 to GNU/Linux Administration
  • Category set to Web Server
