SSL to Apache and Webmin using a valid certificate (non-self-signed)


I got tired of the errors, and didn’t want to add the self-signed CA to my browsers, so I set up a cert that is valid in all browsers.
The certificate I’m using is the free option from http://www.startssl.com/. For this to work, you do need to have control of a domain. I was hoping originally to use a dyndns.com url, but I cannot create a certificate for a domain I don’t own. So, I setup a subdomain with a CNAME to my dynamic DNS subdomain. This way my dynamic DNS continues to update, and I can have a valid certificate for the subdomain I own that gets directed to the correct IP through the CNAME.

First, I added the CNAME for the subdomain on my domain host.

Second, I signed up at StartSSL and made the cert for my owned subdomain.

They have you enter a password to secure the private key, then you can download it as ssl.key. Alternatively you can create your own key and CSR – that way your private key is never revealed outside your server. To create your own CSR do the following:

sudo openssl req -new -newkey rsa:4096 -nodes -sha256 -out server.csr -keyout server.key

If you create your own CSR and key, there is no need to unencrypt the key so you can skip the first 3 steps below.
After that the certificate is generated, and you can copy and paste that into a file we’ll call ssl.crt.
The third file we’ll need is the StartSSL Class 1 intermediary certificate from here.
I saved all these into ~/Documents/, then do the following:

sudo openssl rsa -in ssl.key -out ssl.key.insecure
sudo cp ssl.key ssl.key.secure
sudo cp ssl.key.insecure ssl.key
sudo cp ssl.key /etc/apache2/private/server.key
sudo cp ssl.crt /etc/apache2/cert/server.crt
sudo cp sub.class1.server.ca.pem /etc/apache2/cert/StartSSL_Class1.pem

Then we need to add the following to /etc/apache2/sites-available/default-ssl:

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
SSLCertificateChainFile /etc/ssl/certs/StartSSL_Class1.pem

In order to enable forward secrecy for the majority of browsers, I highly recommend also adding the following lines to your default-ssl site file:

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4"

Additonally, within Webmin Configuration -> SSL Encryption, the following items need to be set:

Private key file: /etc/ssl/private/server.key
Certificate file: /etc/ssl/certs/server.key
Additional certificate files: /etc/apache2/cert/StartSSL_Class1.pem

Then restart both daemons:

sudo service apache2 restart
sudo server webmin restart

Leave a Reply

Your email address will not be published.