SSL Certificates

[Ref: OpenBSD FAQ | mod_ssl/ssl_faq.html | /var/www/conf/httpd.conf]

SSL communications assume the server has an authentication certificate, which verifies that the server is who it claims to be and provides an envelope for the server’s public key, with which clients can encrypt communications bound for the server.

Refer to our guide on generating SSL Certificates in OpenBSD.

Generate/copy the key/certificate pair to your host directories (shown below) into the correct

Certificate Location

When first getting into SSL Certificates, use the filenames in the standard configuration files. This will minimise the number of configuration changes you need to make, and you can ‘customise’ once you have a better understanding.

$ grep SSLCertificate /var/www/conf/httpd.conf

File extract: /var/www/conf/httpd.conf

SSLCertificateFile /etc/ssl/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

Copy your generated certificates into the above locations and restart Apache with SSL support to verify that our configuration changes/certificates are correct.

e.g.

$ sudo apachectl stop && sudo apachectl startssl

Virtual Hosts

Server CRTs for virtual sites can be generated using the same process as above, except that you choose a different name for the CSR and CRT. One nice convention is to use the domain name of the site, for example:

Within the Virtual Host configuration you will then need to specify the appropriate SSL Directive.

NameVirtualHost 192.168.101.49:*
ServerAdmin samt@qsc.com
DocumentRoot /var/www/twig
ServerName virtualsite.com
ErrorLog logs/virtualsite.com-error_log
CustomLog logs/virtualsite.com-access_log common
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/ssl/virtualsite.com.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

Certificate Validation

Our guide on generating SSL Certificates in OpenBSD has some validation testing, and external resources can also be used for testing SSL Certificates for websites:

https://www.ssllabs.com/ssltest/index.html offers a free online service that performs a deep analysis of the configuration of any SSL web server on the public Internet.
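
A local check can also be run before restarting Apache. The script below is an added example, not part of the original guide: it audits the SSL directives shown on this page, confirming that each certificate and key path exists, that the private key is not readable by group or other, and, going one step beyond the certificate checks, that an SSLCipherSuite list built on ALL removes the SSLv2, EXP and LOW classes. The function names, the finding labels and the demo's throw-away files are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes one directive per line,
# spelled as in the extracts above. Prints one finding per line; returns 1 if any.
audit_ssl_conf() {
    conf=$1; rc=0
    while read -r directive value rest || [ -n "$directive" ]; do
        case $directive in
        SSLCertificateFile|SSLCertificateKeyFile)
            if [ ! -f "$value" ]; then
                echo "MISSING $directive $value"; rc=1
            elif [ "$directive" = SSLCertificateKeyFile ]; then
                # Characters 5-10 of the ls mode string are the group and
                # other permission bits; a private key should have none set.
                bits=$(ls -ld "$value" | cut -c5-10)
                [ "$bits" = "------" ] || { echo "KEYPERM $value"; rc=1; }
            fi ;;
        SSLCipherSuite)
            # "+CLASS" only reorders ciphers. Once ALL has added everything,
            # a class stays enabled unless "!CLASS" or "-CLASS" removes it.
            case ":$value:" in
            *:ALL:*)
                for class in SSLv2 EXP LOW; do
                    case ":$value:" in
                    *":!$class:"*|*":-$class:"*) ;;
                    *) echo "WEAKCIPHER $class not excluded"; rc=1 ;;
                    esac
                done ;;
            esac ;;
        esac
    done < "$conf"
    return $rc
}

# Constructed sample: the virtual host directives from this page, pointed at
# throw-away files so the audit can run on any machine.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/virtualsite.com.crt"; : > "$d/server.key"; chmod 644 "$d/server.key"
    cat > "$d/httpd.conf" <<EOF
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile $d/virtualsite.com.crt
SSLCertificateKeyFile $d/server.key
EOF
    audit_ssl_conf "$d/httpd.conf" && st=0 || st=$?
    rm -rf "$d"
    return $st
}
# Audit a real file when given one: sh audit.sh /var/www/conf/httpd.conf
if [ $# -gt 0 ]; then audit_ssl_conf "$1"; fi
```

The cipher check is a heuristic on the directive text; it does not expand the list the way the installed OpenSSL would.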