Users of the Budget, Standard, Advanced and Corporate can make their domains accessible via
https:// by installing a SSL certificate under
~/ssl/. This guide is relevant to SSL certificates purchased from a commercial certificate authorities (such as Thawte or GoDaddy), as well as self-signed certificates.
The alternative, free method (Let's Encrypt) is covered under: Setting up SSL/HTTPS with LetsEncrypt. This guide does not apply to users of Let's Encrypt.
First, you need to generate a random RSA key in ~/ssl/key. The contents of this newly created file must remain private.
$ mkdir -m 0700 ~/ssl $ cd ~/ssl $ openssl genrsa -out key 2048
The following command will generate a standard X.509 Certificate Signing Request ("CSR") which can be submitted to a certification authority (or signed by yourself). The protocol requires that the Common Name ("CN") match your Server Name setting (configurable from the Parameters section of the Control Panel or using
conf set name in csoftadm).
$ openssl req -new -key key -out csr Using configuration from /etc/ssl/openssl.cnf You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) AU: US State or Province Name (full name) Some-State: Georgia Organization Name (eg, company) Internet Widgits Pty Ltd: Pinhead Enterprizes Organizational Unit Name (eg, section) : electro-shock ward Common Name (eg, YOUR name) : pinhead.com Email Address : firstname.lastname@example.org Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : (enter) An optional company name :(enter)
At this point, you might wish to submit your certficate for a Certificate Signing Request via a certification authority, such as Thawte. Alternatively you may sign the certificate yourself with the following command -
$ openssl x509 -req -days 365 -in csr -signkey key -out cert
The -days argument refers to the validity period. In this example, the certificate would expire one year from now.
It will take up to 30 minutes for the new certificate to be included in the web server configuration. If there is a problem with the SSL certificate, an error message will show up in /var/log/users/yourname and the file cert will be renamed to cert.rej.
Prior to the inclusion of your vhost in the SSL httpd configuration file, csoftadm performs a few verifications on the certificate and key. You may run these checks manually using the following commands:
# For RSA keys: $ openssl rsa -in key # For DSA keys: $ openssl dsa -in key # For keys which require a passphrase: $ openssl dsa -in key -passin file:pp # To read a X.509 certificate fingerprint: $ openssl x509 -in cert -fingerprint
The following command may be used to read the CN (Common Name) of the certificate. This value must match your main domain name exactly. Mismatch of the CN and the main domain is the most common cause of failure.
# To read a X.509 certificate subject field: $ openssl x509 -in cert -subject
For the more adventurous, here is a little script that will read off lots of data, like above, on both a cert and a key.