Configuring TLS/SSL in Ubuntu 10.04 LTS (Lucid Lynx) is a breeze. This post outlines the series of steps required to get SSL up and running. Additionally, it appears that the long-standing limitation of requiring different IPs or different ports when configuring SSL with name-based virtual hosts no longer applies. This is certainly great news.

Overview

To set up a secure server using SSL, public key cryptography is used to create a public and private key pair. The certificate request (including the public key), proof of identity, and payment is sent to a Certificate Authority (CA). The CA verifies the certificate request and the identity of the requester. Then, a certificate is sent back to the requester.

One common (and expensive) Certificate Authority is Verisign. When a browser visits a website that is using SSL, it checks that the Certificate Authority that signed the certificate is in its list of pre-approved CAs. If it is, and if the Common Name on the certificate matches the domain name, then no warning is displayed to the user. However, if the certificate is not signed by one of the browser’s built-in CAs, or if the domain on the certificate does not match, then a large warning is displayed to the user. In this case, most internet users will immediately leave the site. Typically, this is sub-optimal.

Alternatively, if displaying a warning to users is not an issue (e.g. for testing), then a self-signed certificate can be created. Once a self-signed certificate or a signed certificate from the CA is obtained, it will need to be installed on the server.

Installing the Required Packages

First off, the package required for SSL to work needs to be installed. It is assumed that the web server is already installed, configured, and running. If not, there are many great guides on the internet for this already.

Perform the following command to install openssl:

Generating a Certificate Signing Request

Whether the certificate is being obtained from a CA or a self-signed certificate is being created, the first step is to generate a key. A key (e.g. server.key) must exist before the Certificate Signing Request (CSR) can be generated.

Run the following command from a terminal prompt to create the key:

Ensure the server.key file is only readable by root:

After the key is created, the Certificate Signing Request (CSR) is created using the key. This will require the following information:

  • Country Name
  • State or Province Name
  • Locality Name
  • Organization Name
  • Organizational Unit Name
  • Common Name (must match domain name e.g. www.mysecureserver.com)
  • Email Address
  • Challenge Password
  • Company Name

If the Common Name does not match the DNS name or the IP address of the web server, then the client will get a “domain mismatch” error. Additionally, the default values for the prompts are stored in /etc/ssl/openssl.cnf. Therefore, if a large number of certificate signing requests will need to be created, appropriate defaults can be set there.

To create the CSR, run the following command:

Creating/Obtaining a Certificate

The CSR file is now submitted to the Certificate Authority (CA) for processing. The CA will use the CSR file and issue the certificate. Alternatively, a self-signed certificate using this CSR can be created using the following command:

The previous command will prompt for a pass-phrase if the key was created with one; otherwise it will not. Once the correct pass-phrase is entered, the certificate is created and stored in the server.crt file.

Installing the Certificate and Key Files

To install the certificate and key files, perform the following:

Activating SSL within Apache

To enable the SSL module within Apache, perform the following:

Enable SSL virtual hosts within the /etc/apache2/ports.conf file:

Creating an SSL Name-Based Virtual Host

Create an SSL name-based virtual host by creating a virtual host file in /etc/apache2/sites-available/:

Enable the site within Apache:

If the key has a pass-phrase, it will be requested every time the web server (Apache) starts. Otherwise, it will not.
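The whole procedure above (key, CSR, self-signed certificate, key permissions, the virtual host file) together with the browser-side Common Name check from the overview, as an added example that is not part of the original post. It assumes `openssl` is on the PATH, writes everything to a scratch directory (the `SSL_DIR` variable) instead of /etc so it can be run as an unprivileged user, and uses constructed subject values and the host name www.example.com. It goes beyond the post in two ways: the CSR prompts are answered non-interactively with `-subj`, and two checks a practitioner would run before installing the files are included, a Common Name comparison (what the browser does) and a modulus comparison proving the certificate belongs to the key.

```shell
#!/bin/sh
# Added example, not the original post's commands. Generates a key, CSR and
# self-signed certificate with openssl, checks them, and writes an SSL
# name-based virtual host file. Assumption: 'openssl' is on PATH. All files
# go to $SSL_DIR (a scratch directory by default, not /etc/ssl), so no root
# is needed. www.example.com and the subject fields are constructed values.
set -eu

SSL_DIR="${SSL_DIR:-$(mktemp -d)}"
HOST="www.example.com"

# Step 1: create the private key. No pass-phrase, so Apache can start
# unattended; add -aes256 to be prompted for one, as the post describes.
make_key() {
    openssl genrsa -out "$SSL_DIR/server.key" 2048 2>/dev/null
    # the key must be readable only by its owner (root on a real server)
    chmod 400 "$SSL_DIR/server.key"
}

# Step 2: create the CSR. -subj answers the prompts listed in the post;
# the Common Name must be the DNS name clients will use.
make_csr() {
    openssl req -new -key "$SSL_DIR/server.key" -out "$SSL_DIR/server.csr" \
        -subj "/C=US/ST=Example State/L=Example City/O=Example Org/OU=Web/CN=$HOST"
}

# Step 3 (self-signed variant): sign the CSR with our own key. A real
# deployment sends server.csr to a CA and installs the certificate it returns.
make_selfsigned_cert() {
    openssl x509 -req -days 365 -in "$SSL_DIR/server.csr" \
        -signkey "$SSL_DIR/server.key" -out "$SSL_DIR/server.crt" 2>/dev/null
}

# Common Name from the certificate subject (RFC 2253 form lists CN first).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$SSL_DIR/server.crt" \
        | sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# The check a browser performs: a Common Name that differs from the host the
# user typed produces the "domain mismatch" warning described in the post.
cn_matches_host() {
    [ "$(cert_cn)" = "$1" ]
}

# Pre-install sanity check: the certificate must belong to this key, which
# holds exactly when both carry the same RSA modulus.
cert_matches_key() {
    crt_mod=$(openssl x509 -noout -modulus -in "$SSL_DIR/server.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$SSL_DIR/server.key" 2>/dev/null)
    [ "$crt_mod" = "$key_mod" ]
}

# Step 4: the virtual host file the post puts in /etc/apache2/sites-available/
# (written to $SSL_DIR here). The certificate paths assume the install step
# copied server.crt and server.key under /etc/ssl/ (assumed locations).
write_vhost() {
    cat > "$SSL_DIR/$HOST" <<EOF
# ports.conf must also carry "Listen 443" and "NameVirtualHost *:443"
<VirtualHost *:443>
    ServerName $HOST
    DocumentRoot /var/www/$HOST
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>
EOF
}

main() {
    make_key
    make_csr
    make_selfsigned_cert
    write_vhost
    cn_matches_host "$HOST"
    cert_matches_key
    echo "OK: key, CSR, certificate and vhost written to $SSL_DIR"
}

# Run the full sequence only when asked: sh ssl-setup.sh demo
if [ "${1:-}" = "demo" ]; then
    main
fi
```

Run it as `sh ssl-setup.sh demo` (hypothetical file name); the scratch directory it prints holds server.key, server.csr, server.crt and the virtual host file. Because the key has no pass-phrase, file permissions are its only protection, which is why mode 400 is set immediately after generation. Serving several SSL name-based virtual hosts on one IP and port relies on Server Name Indication (SNI) being supported by Apache's mod_ssl and OpenSSL as well as by the visiting browser; a client without SNI is handed the first virtual host's certificate, so the Common Name check above is worth running for every host name you intend to serve.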