Users of the Budget, Standard, Advanced and Corporate plans can make their domains accessible via https:// by installing an SSL certificate under ~/ssl/. This guide applies to SSL certificates purchased from a commercial certificate authority (such as Thawte or GoDaddy) as well as to self-signed certificates.

The free alternative (Let's Encrypt) is covered in: Setting up SSL/HTTPS with LetsEncrypt. This guide does not apply to users of Let's Encrypt.

Generating an RSA private key

First, you need to generate an RSA private key and store it in ~/ssl/key. The contents of this newly created file must remain private.

  $ mkdir -m 0700 ~/ssl
  $ cd ~/ssl
  $ openssl genrsa -out key 2048

Generating a Certificate Signing Request (CSR)

The following command generates a standard X.509 Certificate Signing Request ("CSR"), which can be submitted to a certificate authority or signed by yourself. The Common Name ("CN") must match your Server Name setting (configurable from the Parameters section of the Control Panel, or with conf set name in csoftadm).

  $ openssl req -new -key key -out csr
  Using configuration from /etc/ssl/openssl.cnf
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  Country Name (2 letter code) [AU]:US
  State or Province Name (full name) [Some-State]:Georgia
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:Pinhead Enterprizes
  Organizational Unit Name (eg, section) []:electro-shock ward
  Common Name (eg, YOUR name) []:
  Email Address []:
  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []: (enter)
  An optional company name []: (enter)

Certificate signature

At this point, you can submit the CSR (the file csr) to a certificate authority such as Thawte for signing. Alternatively, you may sign the certificate yourself with the following command:

  $ openssl x509 -req -days 365 -in csr -signkey key -out cert

The -days argument refers to the validity period. In this example, the certificate would expire one year from now.

Enabling HTTPS service

Once the files cert, key (and pp if there is a passphrase) are placed in the ~/ssl/ directory, you can enable HTTPS service from csoftadm. If you are using the Control Panel, the option is located in Preferences. Alternatively, you can use the conf set ssl command in the Shell Interface.

It will take up to 30 minutes for the new certificate to be included in the web server configuration. If there is a problem with the SSL certificate, an error message will show up in /var/log/users/yourname and the file cert will be renamed to cert.rej.

Prior to the inclusion of your vhost in the SSL httpd configuration file, csoftadm performs a few verifications on the certificate and key. You may run these checks manually using the following commands:

  # For RSA keys:
  $ openssl rsa -in key
  # For DSA keys:
  $ openssl dsa -in key
  # For keys which require a passphrase:
  $ openssl dsa -in key -passin file:pp
  # To read an X.509 certificate fingerprint:
  $ openssl x509 -in cert -fingerprint

The following command may be used to read the CN (Common Name) of the certificate. This value must match your main domain name exactly. A mismatch between the CN and the main domain is the most common cause of failure.

  # To read an X.509 certificate subject field:
  $ openssl x509 -in cert -subject

For the more adventurous, here is a little script that will read off lots of data, like above, on both a cert and a key.
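The page's own script is not reproduced here. As an added example (not the hosting provider's code), the following POSIX shell script performs the key, CSR and self-signed certificate steps above non-interactively, then runs the same kind of checks csoftadm is described as performing before it accepts a certificate: that the key parses, that the certificate's public key matches the private key, that the CN equals the server name, and that the certificate is still within its -days window, plus the fingerprint read-out. The function names, the directory and server-name arguments, and the /C=US/ST=Georgia/O=Pinhead Enterprizes subject fields (taken from the prompt transcript above) are assumptions.

```shell
#!/bin/sh
# Added example, not the hosting provider's script: generate key + CSR + self-signed
# cert without the interactive prompts, then verify them the way the manual checks
# above do. Function names and the directory/server-name arguments are assumptions.
set -eu

# Create key, csr and cert in directory $1 for server name $2, valid $3 days (default 365).
# -subj answers the DN prompts from the transcript above; CN is the field that must
# equal the Server Name setting.
make_selfsigned_cert() {
    dir=$1; cn=$2; days=${3:-365}
    mkdir -p -m 0700 "$dir"                    # key directory readable only by its owner
    openssl genrsa -out "$dir/key" 2048 2>/dev/null
    openssl req -new -key "$dir/key" -out "$dir/csr" \
        -subj "/C=US/ST=Georgia/O=Pinhead Enterprizes/CN=$cn"
    openssl x509 -req -days "$days" -in "$dir/csr" \
        -signkey "$dir/key" -out "$dir/cert" 2>/dev/null
}

# Exit 0 if RSA private key $1 parses and passes openssl's consistency check.
# $2 (optional) is a passphrase file, like the "pp" file mentioned above.
key_is_valid() {
    pass=${2:+-passin file:$2}                 # empty when no passphrase file is given
    openssl rsa -in "$1" $pass -noout -check >/dev/null 2>&1
}

# Exit 0 if the public key inside certificate $1 is the one derived from private
# key $2 (optional passphrase file $3); a cert issued for another key is useless.
cert_matches_key() {
    pass=${3:+-passin file:$3}
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" $pass -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Print the Common Name from the certificate subject (the value compared against
# your main domain name).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Exit 0 only if the CN equals server name $2: the most common reason a cert is
# renamed to cert.rej.
cn_matches_server_name() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# Exit 0 if certificate $1 is still valid $2 seconds from now (the -days window).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Print the SHA-256 fingerprint (colon-separated hex) of certificate $1.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Report on $1/key and $1/cert for server name $2; exit status 1 if any check fails.
run_checks() {
    dir=$1; name=$2; rc=0
    if key_is_valid "$dir/key"; then echo "key:    OK"; else echo "key:    cannot be parsed"; rc=1; fi
    if cert_matches_key "$dir/cert" "$dir/key"; then echo "pair:   cert matches key"
    else echo "pair:   cert does NOT match key"; rc=1; fi
    if cn_matches_server_name "$dir/cert" "$name"; then echo "cn:     $(cert_cn "$dir/cert")"
    else echo "cn:     $(cert_cn "$dir/cert") does not match $name"; rc=1; fi
    if cert_valid_for "$dir/cert" 0; then echo "expiry: valid now"; else echo "expiry: EXPIRED"; rc=1; fi
    echo "fprint: $(cert_fingerprint "$dir/cert")"
    return $rc
}

# Usage: sh sslcheck.sh ~/ssl www.example.com       (check an existing key/cert pair)
#        sh sslcheck.sh ~/ssl www.example.com new   (generate a self-signed pair first)
if [ "$#" -ge 2 ]; then
    [ "${3:-}" = new ] && make_selfsigned_cert "$1" "$2"
    run_checks "$1" "$2"
fi
```

Run it against a hypothetical ~/ssl before enabling HTTPS: a non-zero exit status from run_checks points at the same problems that would otherwise show up in /var/log/users/yourname with cert renamed to cert.rej. The CN comparison uses the RFC 2253 form of the subject so it is not fooled by spaces in other DN fields.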