Ssl – How to install a default ssl cert for apache on debian

apache-2.2 ssl ssl-certificate

Learning linux skills…please be patient!

I have found lots of tutorials on installing a cert for a single site but not a default.

I have a wildcard cert for my domain. I had support install this cert on a server. Since I am learning linux server skills I want to install this on a Debian server with Apache. I want it to be the default ssl cert for all sites regardless of domain name unless they have their own ssl cert.

The place where I bought the cert has text that I can copy and paste for:

  • Server Certificate
  • Intermediate Certificate
  • Root Certificate

I have found the sites-enabled and sites-available folders with various files. I have also found the ssl cert folder.

I am finding different tutorials that have terms like private key, SSL cert, intermediate cert, etc. It seems that there are a few terms that are used interchangeably.

I think the process is:

  1. Create files (keys/certs) with a certain owner and permission in
    the certs folder.
  2. Edit default site configuration data in either the sites-available
    or sites-enabled folders or both.
  3. Restart Apache.

My questions:

  1. Are my steps above correct?
  2. What sections of my cert correspond to what file names in the certs
    folder?
  3. What do I add for a default ssl virtual host? Does this go in the sites-available or sites-enabled folder or both?

I realize that I don't know some things…What else do I need to know?

PS. ISPConfig is installed on this server but there does not seem to be a place to do what I want to do. I will eventually want to know how to create a site specific ssl cert as well.

Best Answer

background

using sites-available in Debian

There are a variety of resources on how to set up sites in Debian. You should create your config files for each virtual host in sites-available and symlink them into sites-enabled. Debian provides the a2ensite command to do those symlinks for you.

adding global directives

You could edit the httpd.conf to add your global directives, but this will make upgrades more tedious because you might need to remerge your config changes into a newer httpd.conf from the "factory". You can use a similar technique as for your sites to add a configuration file to /etc/apache2/mods-available. Once you create a config in /etc/apache2/mods-available, then use a2enmod to enable it.

configuring SSL in apache

There are a few directives you need to tell apache where to find your certificate. Your cert provider should have given you instructions on which of your files line up with which of these directives:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateChainFile /etc/ssl/certs/foo-chain-bundle.pem

The first two are definitely required, while the third, SSLCertificateChainFile, is only needed with certain SSL certificate providers.

answers to your exact questions

Are my steps above correct?

You've got the overall process right, but it seems like you are vague on the details.

Using root or the apache user (which could be apache2 for you) for your config files should be fine. Serving files from the apache user is a good practice.

What sections of my cert correspond to what file names in the certs folder?

See above and reread the docs from your SSL certificate provider.

What do I add for a default ssl virtual host? Does this go in the sites-available or sites-enabled folder or both?

I would suggest you put any global configurations into your own "mod" as detailed above.
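
A pre-flight check for the three files behind the directives in the answer, added here as an example and not part of the original post. The function names and the rule that the key must not be accessible to other users are assumptions of this example; the paths are whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original answer): pre-flight check for the files
# behind SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile.

# Count PEM blocks in file $2 whose BEGIN line matches the regex $1.
pem_count() {
    grep -Ec -- "^-----BEGIN $1-----" "$2" || true
}

CERT_RE='CERTIFICATE'
KEY_RE='([A-Z]+ )?PRIVATE KEY'   # PKCS#8, RSA, EC and ENCRYPTED key headers

# check_tls_files CERT KEY CHAIN -> prints findings, returns 0 only if clean.
check_tls_files() {
    cert=$1; key=$2; chain=$3; bad=0
    for f in "$cert" "$key" "$chain"; do
        [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    done
    [ "$(pem_count "$CERT_RE" "$cert")" -eq 1 ] ||
        { echo "$cert: expected exactly one certificate (the server cert)"; bad=1; }
    [ "$(pem_count "$KEY_RE" "$key")" -eq 1 ] ||
        { echo "$key: expected exactly one private key"; bad=1; }
    [ "$(pem_count "$CERT_RE" "$chain")" -ge 1 ] ||
        { echo "$chain: expected at least one intermediate certificate"; bad=1; }
    # A private key pasted into a certificate file inherits that file's
    # looser permissions, so flag it.
    for f in "$cert" "$chain"; do
        [ "$(pem_count "$KEY_RE" "$f")" -eq 0 ] ||
            { echo "$f: contains a private key"; bad=1; }
    done
    # Characters 8-10 of the ls mode string are the "other" permission bits.
    [ "$(ls -ld -- "$key" | cut -c8-10)" = "---" ] ||
        { echo "$key: accessible to other users, chmod o-rwx it"; bad=1; }
    return "$bad"
}

# True when certificate $1 and key $2 hold the same public key (needs openssl).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage: sh check.sh server.pem server.key chain.pem
if [ "$#" -eq 3 ]; then
    check_tls_files "$@" && key_matches_cert "$1" "$2" && echo "OK"
fi
```

Run it before restarting Apache; `apache2ctl configtest` checks the configuration syntax but does not look at file modes or at what was pasted into which file.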