This guide is aimed at users of the Standard, Advanced (VPS) and Corporate (VPS) packages who wish to have their domain names accessible via https://. This involves the creation of an SSL certificate. Users can either generate and sign a certificate themselves (some browsers will consequently display a "self-signed certificate" warning), or purchase a certificate from a recognized authority such as Thawte.

Generating an RSA private key

First, you need to generate a random RSA key in ~/ssl/key. The contents of this newly created file must remain private.

  $ mkdir -m 0700 ~/ssl
  $ cd ~/ssl
  $ openssl genrsa -out key 2048

Generating a Certificate Signing Request (CSR)

The following command will generate a standard X.509 Certificate Signing Request ("CSR") which can be submitted to a certification authority (or signed by yourself). The protocol requires that the Common Name ("CN") match your Server Name setting (configurable from the Parameters section of the Control Panel or using conf set name in csoftadm).

  $ openssl req -new -key key -out csr
  Using configuration from /etc/ssl/openssl.cnf
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:US
  State or Province Name (full name) [Some-State]:Georgia
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:Pinhead Enterprizes
  Organizational Unit Name (eg, section) []:electro-shock ward
  Common Name (eg, YOUR name) []:pinhead.com
  Email Address []:zapped@pinhead.com
  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:(enter)
  An optional company name []:(enter)

Certificate signature

At this point, you may submit your Certificate Signing Request to a certification authority, such as Thawte. Alternatively, you may sign the certificate yourself with the following command:

  $ openssl x509 -req -days 365 -in csr -signkey key -out cert

The -days argument refers to the validity period. In this example, the certificate would expire one year from now.

Enabling HTTPS service

Once the files cert, key (and pp if there is a passphrase) are placed in the ~/ssl/ directory, you can enable HTTPS service from csoftadm. If you are using the Control Panel, the option is located in Preferences. Alternatively, you can use the conf set ssl command in the Shell Interface.

Troubleshooting

It will take up to 30 minutes for the new certificate to be included in the web server configuration. If there is a problem with the SSL certificate, an error message will show up in /var/log/users/yourname and the file cert will be renamed to cert.rej.

Prior to the inclusion of your vhost in the SSL httpd configuration file, csoftadm performs a few verifications on the certificate and key. You may run these checks manually using the following commands:

  # For RSA keys:
  $ openssl rsa -in key
  
  # For DSA keys:
  $ openssl dsa -in key
  
  # For keys which require a passphrase (use rsa or dsa to match the key type):
  $ openssl dsa -in key -passin file:pp
  
  # To read an X.509 certificate fingerprint:
  $ openssl x509 -in cert -fingerprint

The following command may be used to read the CN (Common Name) of the certificate. This value must match your main domain name exactly. Mismatch of the CN and the main domain is the most common cause of failure.

  # To read an X.509 certificate subject field:
  $ openssl x509 -in cert -subject

For the more adventurous, here is a little script that will read off lots of data, like above, on both a cert and a key.
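The verifications csoftadm performs before adding your vhost (readable key, parseable certificate, CN equal to the domain) can be scripted. The script below is an added example written for this guide; it is neither the script the paragraph above refers to nor csoftadm's own code. It assumes the ~/ssl layout described earlier (key, cert and an optional pp passphrase file), the function names check_ssl_pair and make_demo_pair are ours, and it adds one check the page does not list: that the certificate's public key really was derived from the private key, which catches a certificate that was reissued against a newer key. make_demo_pair runs the three commands from the guide non-interactively so the checker can be tried on a throwaway directory.

```shell
#!/bin/sh
# Added example: POSIX sh checks mirroring what csoftadm verifies on
# ~/ssl/cert and ~/ssl/key before enabling HTTPS, plus a key/cert match test.
# Paths key, cert and pp follow the guide; function names are assumptions.

# check_ssl_pair DIR DOMAIN
#   0 = all checks passed, 1 = key unreadable, 2 = cert unreadable,
#   3 = CN does not match DOMAIN, 4 = key and cert do not belong together.
check_ssl_pair() {
    dir=$1
    domain=$2
    key="$dir/key"
    cert="$dir/cert"

    # Reuse the function's positional parameters to hold the optional -passin
    # argument, so a passphrase file path containing spaces is passed intact.
    if [ -f "$dir/pp" ]; then
        set -- -passin "file:$dir/pp"
    else
        set --
    fi

    # 1. The private key must be readable (format or passphrase problems fail here).
    if ! openssl rsa -in "$key" "$@" -noout 2>/dev/null; then
        echo "key: cannot be read (format or passphrase problem)" >&2
        return 1
    fi

    # 2. The certificate must parse; print its fingerprint for the record.
    if ! fp=$(openssl x509 -in "$cert" -noout -fingerprint 2>/dev/null); then
        echo "cert: cannot be parsed" >&2
        return 2
    fi
    echo "$fp"

    # 3. The CN must equal the domain exactly (the most common cause of failure).
    #    RFC2253 output is "attr=value" fields separated by commas; pick CN=.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | tr ',' '\n' | sed -n 's/^\(subject= *\)\{0,1\}CN=//p')
    if [ "$cn" != "$domain" ]; then
        echo "cert: CN '$cn' does not match '$domain'" >&2
        return 3
    fi

    # 4. The public key inside the cert must be the one derived from the key.
    #    Both commands emit the same PEM SubjectPublicKeyInfo, so compare text.
    kpub=$(openssl rsa -in "$key" "$@" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$cert" -noout -pubkey)
    if [ "$kpub" != "$cpub" ]; then
        echo "cert/key: public key in cert was not derived from key" >&2
        return 4
    fi

    echo "cert/key: OK for $domain"
    return 0
}

# make_demo_pair DIR DOMAIN: the guide's three steps (genrsa, req, self-sign)
# run non-interactively, to build a throwaway pair to check against.
make_demo_pair() {
    mkdir -p -m 0700 "$1"
    openssl genrsa -out "$1/key" 2048 2>/dev/null
    openssl req -new -key "$1/key" -out "$1/csr" \
        -subj "/C=US/O=Pinhead Enterprizes/CN=$2"
    openssl x509 -req -days 365 -in "$1/csr" -signkey "$1/key" \
        -out "$1/cert" 2>/dev/null
}

# Usage: sh check_ssl.sh ~/ssl pinhead.com
if [ $# -eq 2 ]; then
    check_ssl_pair "$1" "$2"
fi
```

Run it against ~/ssl and your main domain before enabling HTTPS; a non-zero exit code tells you which of the four checks failed, which is quicker than waiting for cert to be renamed cert.rej. Note that current browsers match the host name against the subjectAltName extension rather than the CN; the script mirrors only the CN rule this guide describes.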

Some helpful links