SSL Certificates

[Ref: OpenBSD FAQ | modssl/sslfaq.html | /var/www/conf/httpd.conf]

SSL Communications assume the server has an authentication certificate which acts as a verification for whom the server publishes itself to be, and provides an envelope for the server's public key with which clients can encrypt communications bound for the server.

Refer our the guide on generating SSL Certificates in OpenBSD.

Generate/copy the key/certificate pair to your host directories (shown below) into the correct

Certificate Location

When first getting into SSL Certificates, use the filenames in the standard configuration files, this will minimise the number of configuration changes you need to make and you can 'customise' once you have a better understanding.

$ grep SSLCertificate /var/www/conf/httpd.conf

File extract: /var/www/conf/httpd.conf

SSLCertificateFile    /etc/ssl/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

Copy your generated certificates into the above locations and restart Apache with SSL support to verify that our configuration changes/certificates are correct.

e.g.

$ sudo apachectl stop && sudo apachectl startssl

Virtual Hosts

Server CRTs for Virtual sites can be generated using the same above process, except you choose a different name for the CSR and CRT. One nice convention is to use the domain name of the site, for example:

  • Certificate Request: /etc/ssl/private/virtualsite.com.csr and
  • Certificate: /etc/ssl/virtualsite.com.crt

Within the Virtual Host configuration you will then need to specify the appropriate SSL Directive.

NameVirtualHost 192.168.101.49:*
<VirtualHost 192.168.101.49:*>
    ServerAdmin samt@qsc.com
    DocumentRoot /var/www/twig
    ServerName virtualsite.com
    ErrorLog logs/virtualsite.com-error_log
    CustomLog logs/virtualsite.com-access_log common
    SSLEngine on
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLCertificateFile /etc/ssl/virtualsite.com.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>

Certificate Validation

Our guide on generating SSL Certificates in OpenBSD has some validation testing, and external resources can also be used for testing SSL Certificates for websites:

https://www.ssllabs.com/ssltest/index.html has a free online service performs a deep analysis of the configuration of any SSL web server on the public Internet