Creating a Simple Apache Certificate with CaCert
First of all go to the mod_ssl documentation for basic mod_ssl configuration. I will not go into mod_ssl, I'll just try to show you a way to get and install a CAcert certificate.
If you just want a certificate for a single site Apache server this is probably the simplest way to get a CAcert signed certificate. For the more complicated cases please have a look at ApacheServer and VhostsApache.
- These instructions should work with Apache 2.x on Unixes and Windows. Probably also on other systems.
Once Apache is running with mod_ssl you'll have to register the domain component of your webserver (that is "example.org" for the server "www.example.org") with your CAcert account. To do this go to CAcert homepage, log in, click "Domains -> Add" and follow the instructions there. If your Domain is shown as "verified" on "Domains -> Show" you can continue and generate a certificate for your server.
Get openssl if it is not already installed on your system. If you can't find it somewhere else you can try the openssl website for a binary version for Windows.
- Generate a certificate signing request (CSR) using the command:
openssl req -newkey rsa:2048 -subj /CN=<your sever's address here> -nodes -keyout <filename for your private key> -out <filename for the CSR>
For example openssl req -newkey rsa:2048 -subj /CN=www.example.org -nodes -keyout example_key.pem -out example_csr.pemgenerates a CSR for the server www.example.org in the file example_csr.pem and stores the corresponding private key unencrypted in the file example_key.pem.
Go to CACert, log in, and select "Server certificates -> New". If a Class 3 certificate is available for you I'd advise you to select a Class 3 certificate.
Use Copy/Paste to input your CSR (the content of example_csr.pem in the above example) into the big editor box. Be sure to include the header and footer lines ( -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- ) and check that after the paste operation the request has not been truncated.
Click on "Send" and your certificate will be generated. That is, if you did not make a mistake. If you made one, read the error message, try to understand what it wants to say to you and try again while skipping the mistake.
- Use Copy/Paste with your favourite editor to save the certificate to a file (let's call the file example_cert.pem).
- Move the private key and the certificate to a convenient location. Standard Apache installations provide the directories ssl.key for the private key and ssl.crt for the certificate in the configuration directory. If you want to keep the CSR for later reference (though you probably won't need it anymore) there also is a directory named ssl.csr.
If using a Class 3 certificate as proposed you'll need the certificate chain file. This is just the Class 3 root certificate and the Class 1 root certificate in PEM format concatenated. Do it yourself or download it from the attachments.
- Store the certificate chain file in the ssl.crt directory and let's call it CAcert_chain.pem for future reference.
- Now all that remains to be done is to correctly configure Apache's mod_ssl. To use the certificate set the following directives in your SSL-configuration:
SSLCertificateFile <Path to your certificate file>/example_cert.pem
SSLCertificateKeyFile <Path to your key file>/example_key.pem
SSLCertificateChainFile <Path to your chain file>/CAcert_chain.pem
- This is it. Restart your Apache and see if it works!
Renewing an existing certificate
To renew the certificate of an existing Apache configuration, you need to renew the certificate through the CAcert web interface, and then replace the existing certificate (in this example, <Path to your certificate file>/example_cert.pem) with the new certificate provided