
Add StartSSL (StartCom) certificates to your Apache website (and postfix)

Today we're going to add an SSL certificate from StartSSL. They hand out completely free certificates that have to be renewed every year. (Since this was written, StartCom has been distrusted by the major browsers and has shut down, so today you would get the certificate elsewhere; the key, CSR, chain and server configuration steps below are the same for any CA.) There is not much to it once you know what to do, but until then it's a hassle.
This is what I came up with to make it work:

Sign up at StartSSL and follow their guide; it is quite straightforward. In this example we are going to create a certificate for ssl.jima.cat.

At one point StartSSL asks you to create a private key and a certificate signing request (CSR) with openssl. The command asks a few questions; when it asks for the Common Name (your server's FQDN), answer ssl.jima.cat (in this example).

openssl req -newkey rsa:2048 -keyout private.key -out ssl.jima.csr

This creates the private key and the CSR. As written, the command asks you for a passphrase, which encrypts the private key on disk. Apache will then prompt for that passphrase every time you restart the web server. If you don't want this (I don't), run the same command with the -nodes option, which leaves the key unencrypted. In that case make sure the key file is readable by root only (chmod 600 private.key): anyone who can read it can impersonate your site.

openssl req -nodes -newkey rsa:2048 -keyout private.key -out ssl.jima.csr

You will have an output like this and two new files:

Generating a 2048 bit RSA private key
..................................................................+++
.....................................................................................................................................+++
writing new private key to 'private.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Barcelona
Locality Name (eg, city) []:Barcelona
Organization Name (eg, company) [Internet Widgits Pty Ltd]:jima
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: ssl.jima.cat
Email Address []:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
 

Now copy and paste the content of your .csr file into the StartSSL site and generate your certificate. Then download ssl.jima.cat.zip and the .pem file.

Extract ssl.jima.cat.zip, then extract ApacheServer.zip from inside it. The remaining zip files are the bundles for other servers, so you can remove them (rm *.zip) unless you need them for something other than Apache.

ApacheServer.zip contains two files: 1_root_bundle.crt (the StartSSL intermediate and root certificates) and 2_ssl.jima.cat.crt (your server certificate). A browser that does not already know the intermediate needs the server to send it; otherwise it cannot build the chain and rejects your certificate (Chrome on an Android phone is a typical victim). Merge the two into one file, server certificate first and the bundle after it. The order matters: TLS servers expect the leaf certificate before its issuers, and putting the bundle first is what breaks the chain.

cat 2_ssl.jima.cat.crt 1_root_bundle.crt > 1_and_2_merged.crt

Now you have everything you need to secure your Apache server. Edit your httpd.conf (or the site's virtual host file) and add the following; the protocol and cipher settings below also drop SSLv3, RC4 and the medium grade ciphers, none of which you want a current server to offer:

<VirtualHost *:443>
   ServerName ssl.jima.cat

   SSLEngine on
   # SSLv2 and SSLv3 are both broken; once your OpenSSL build offers TLS 1.2,
   # drop TLSv1 and TLSv1.1 too by adding -TLSv1 -TLSv1.1 to this line
   SSLProtocol all -SSLv2 -SSLv3
   # no anonymous DH, no export grades, no RC4 or MD5; the server picks the order
   SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
   SSLHonorCipherOrder on
   # server certificate first, then the intermediate chain; Apache 2.4.8 and
   # later read the whole chain from this one file
   SSLCertificateFile /etc/ssl/1_and_2_merged.crt
   SSLCertificateKeyFile /etc/ssl/private.key
   # Apache older than 2.4.8 ignores the extra certificates in the file above
   # and needs the chain handed over separately
   SSLCertificateChainFile /etc/ssl/1_root_bundle.crt
</VirtualHost>

 

NOTE:
You can use the same files to set up TLS for Postfix as well. Postfix also wants the server certificate first, followed by the chain, and it reads the private key from its own file (smtpd_tls_key_file), so there is no need to concatenate the key into the certificate bundle, where it tends to end up world-readable. ssl.jima.cat.pem and 2_ssl.jima.cat.crt are both copies of your server certificate, so only one of them is needed:

cat ssl.jima.cat.pem 1_root_bundle.crt > postfix.cert

Point smtpd_tls_cert_file in main.cf at postfix.cert and smtpd_tls_key_file at private.key, and keep private.key owned by root with mode 600.
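To show the whole procedure end to end, here is an added example that is not part of the original post: a POSIX shell script that generates the key and CSR non-interactively, plays the part of the CA with a throwaway root and intermediate built locally (StartSSL itself is gone), assembles the server-certificate-first chain file that both the Apache configuration above and the Postfix note use, and runs the checks worth doing before restarting either daemon: that the chain verifies back to the root, that the private key matches the certificate, that the server certificate is the first block in the combined file, and that the key file is mode 600. The CA names, the work directory and the function names are all assumptions made for this script; it needs only the openssl command line tool.

```sh
#!/bin/sh
# Added example, not code from the original post. Walks the procedure above
# (key + CSR, chain assembly, pre-deployment checks) against a throwaway CA
# built locally to stand in for StartSSL. The CA names, the work directory
# and the function names are constructed for this script.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CN="${CN:-ssl.jima.cat}"

# Step 1: private key + CSR. -subj answers the DN questions non-interactively;
# -nodes leaves the key unencrypted, so it is created under a restrictive umask.
make_csr() {
  ( umask 077
    openssl req -nodes -newkey rsa:2048 -keyout "$WORK/private.key" \
      -out "$WORK/$CN.csr" \
      -subj "/C=ES/ST=Barcelona/L=Barcelona/O=jima/CN=$CN" 2>/dev/null )
}

# Step 2: stand-in for the CA (constructed). Root -> intermediate -> server
# certificate, producing the same two files StartSSL shipped: 2_<domain>.crt
# and 1_root_bundle.crt (intermediate followed by root).
fake_ca_sign() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl req -nodes -newkey rsa:2048 -keyout "$WORK/root.key" \
    -out "$WORK/root.csr" -subj "/CN=jima-test root" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  openssl req -nodes -newkey rsa:2048 -keyout "$WORK/int.key" \
    -out "$WORK/int.csr" -subj "/CN=jima-test intermediate" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/$CN.csr" -CA "$WORK/int.crt" \
    -CAkey "$WORK/int.key" -CAcreateserial -days 1 \
    -out "$WORK/2_$CN.crt" 2>/dev/null
  cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/1_root_bundle.crt"
}

# Step 3: the file the servers read: server certificate FIRST, then the chain.
# Bundle-before-leaf is the ordering mistake that gets chains rejected. The
# same file serves Apache (SSLCertificateFile, 2.4.8 or later) and Postfix
# (smtpd_tls_cert_file); the key stays in its own 0600 file.
build_chain() {
  cat "$WORK/2_$CN.crt" "$WORK/1_root_bundle.crt" > "$WORK/fullchain.crt"
  chmod 600 "$WORK/private.key"
}

# Step 4: checks to run before restarting anything.
# Does the server certificate chain back to the root through the bundle?
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/1_root_bundle.crt" \
    "$WORK/2_$CN.crt" >/dev/null 2>&1
}
# Does the private key belong to this certificate? Compare the public keys.
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/private.key" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$WORK/2_$CN.crt" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}
# Is the server certificate the first PEM block in the combined file?
# (openssl x509 only reads the first certificate it finds in a file.)
leaf_is_first() {
  openssl x509 -in "$WORK/fullchain.crt" -noout -subject 2>/dev/null \
    | grep -q "CN *= *$CN"
}
# Is the key file readable by its owner only? (GNU stat, BSD stat as fallback.)
key_mode() {
  stat -c %a "$WORK/private.key" 2>/dev/null || stat -f %Lp "$WORK/private.key"
}

main() {
  make_csr
  fake_ca_sign
  build_chain
  verify_chain     || { echo "chain does not verify" >&2; return 1; }
  key_matches_cert || { echo "key does not match certificate" >&2; return 1; }
  leaf_is_first    || { echo "server certificate is not first" >&2; return 1; }
  [ "$(key_mode)" = 600 ] || { echo "private key is not mode 600" >&2; return 1; }
  echo "OK: deploy $WORK/fullchain.crt and $WORK/private.key"
}

main
```

With a real CA you skip fake_ca_sign and drop its 2_<domain>.crt and 1_root_bundle.crt into WORK; the verify step then takes the CA's root from your system trust store (pass -CApath /etc/ssl/certs instead of -CAfile) and the remaining checks are unchanged. The key-matches-certificate comparison is the one that catches the classic mistake of regenerating the key for a renewal and forgetting to submit the new CSR.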

 

That’s all for today folks.
/jima