Feature #70
Add SSL Certificate to ISPConfig Host on Ubuntu Server
Description
Before Beginning¶
ISPConfig has the ability to create "self-signed" certificates from the administration panel. This can be found at Sites-><_site-name_>->SSL. Creating a "self-signed" certificate from the administration panel is as easy as filling out the State, Locality, Organization, Organization Unit, Country, and Domain; then setting the "*Create Certificate*" from the SSL Action field. This action can also be done from the command-line as such:
cd /var/www/example.com/ssl/ openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout example.com.key -out example.com.csr
This will generate a Private Key (KEY) and a Certificate Signing Request (CSR)
If there is need for a legitimate SSL Certificate, the generated Certificate Signing Request (CSR) will be required to be sent to the Certificate Authority (CA) for signing. An SSL Certificate (CRT) will be sent back.
Setting Up The Certificate¶
If the CSR was generated using the administration panel, there is already a "self-signed" certificate in place, it isn't too important, but for safe measure backup the previous SSL Certificate. This will require sudo
or root
access:
mv /var/www/example.com/ssl/example.com.crt /var/www/example.com/ssl/example.com.crt_bak
Create the new SSL Certificate:
vi /var/www/example.com/ssl/example.com.crt
Copy the contents of the SSL Certificate that was sent back from the Certificate Authority and paste it into the
example.com.crt
file.
Setting Up StartSSL Root and Intermediate CA (Optional)¶
Next download StartSSL's Root CA and the Class1 Intermediate Server CA:
cd /var/www/example.com/ssl wget https://www.startssl.com/certs/ca.pem wget https://www.startssl.com/certs/sub.class1.server.ca.pem
(If you use a Class2 certificate, please download
sub.class2.server.ca.pem
instead of sub.class1.server.ca.pem
).
Rename both files:
mv ca.pem startssl.ca.crt mv sub.class1.server.ca.pem startssl.sub.class1.server.ca.crt
(Adjust the second command if you use a Class2 certificate.)
Some services require a .pem file:
cat startssl.sub.class1.server.ca.crt startssl.ca.crt > startssl.chain.class1.server.crt cat ispserver.{key,crt} startssl.chain.class1.server.crt > ispserver.pem chmod 600 ispserver.pem
(again, make sure you adjust the commands if you use a Class2 certificate)
Configure Apache to Use SSL Certificate¶
Open /etc/apache2/sites-available/example.com.vhost
:
vi /etc/apache2/sites-available/example.com.vhost
Add the line SSLCertificateChainFile /var/www/example.com/ssl/startssl.sub.class1.server.ca.crt
to the # SSL Configuration section (please be aware that you have to re-add that line whenever you update ISPConfig!):
[...] # SSL Configuration SSLEngine On SSLCertificateFile /var/www/example.com/ssl/example.com.crt SSLCertificateKeyFile /var/www/example.com/ssl/ispserver.key ## must be re-added after an ISPConfig update!!! SSLCertificateChainFile /var/www/example.com/ssl/startssl.sub.class1.server.ca.crt [...]
(Adjust this if you use a Class2 certificate.)
Restart Apache afterwards:
/etc/init.d/apache2 restart
Updated by Daniel Curtis almost 12 years ago
- Estimated time set to 2.00 h
Instead of using the same StartSSL Intermediate CA file for each host use a symbolic link, as you only need one real copy between all hosts.
cd /var/www/example.com/ssl/ ln -s /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt
Updated by Daniel Curtis almost 10 years ago
- Project changed from 57 to GNU/Linux Administration
- Category set to Web Server