Archive for the tag 'ssl'

If your key file has a -----BEGIN RSA PRIVATE KEY----- header followed by Proc-Type: 4,ENCRYPTED and a DEK-Info: line (or a -----BEGIN ENCRYPTED PRIVATE KEY----- header), then you have a password-protected key.

This will not work with DirectAdmin, because Apache would prompt for the password every time it restarts and hang until someone types it in.

You do not have to start over: you can convert the password-protected key into a normal (unencrypted) key by typing:

openssl rsa -in /path/to/your/key -out /the/new/key

where you replace /path/to/your/key and /the/new/key with the actual paths.

This will ask you for the password you specified when you created the original key.
It will then write a key without a password that you can use for DA. Nothing protects that new file except its permissions, so make sure it is owned by root and readable by nobody else (chmod 600).
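An added example, not code from the DirectAdmin docs: it tells a password-protected PEM key from a plain one by its header, strips the passphrase without an interactive prompt (useful when doing this over a deploy script), and checks the result has private permissions. The passphrase "correct horse" and the file names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the DirectAdmin docs: tell a passphrase-protected PEM key
# from a plain one, strip the passphrase without an interactive prompt, and lock the
# result down. The passphrase "correct horse" and the file names are assumptions.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl(1) is required" >&2; exit 1; }

# 0 if the key is passphrase-protected. Traditional (PKCS#1) keys keep the
# "-----BEGIN RSA PRIVATE KEY-----" header and add "Proc-Type: 4,ENCRYPTED";
# PKCS#8 keys (what OpenSSL 3 writes) use the ENCRYPTED PRIVATE KEY block type.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Decrypt $1 into $2 with passphrase $3. The umask keeps the new file from ever being
# group/world readable, and -check makes sure what came out is a consistent RSA key.
# A wrong passphrase fails the first step and leaves no output file behind.
strip_passphrase() {
    ( umask 077 && openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null ) &&
    chmod 600 "$2" &&
    openssl rsa -in "$2" -check -noout >/dev/null 2>&1
}

# 0 if the file is readable by its owner only (mode 0600), the only acceptable state
# for a key that no longer has a passphrase.
key_mode_is_private() {
    [ -n "$(find "$1" -perm 600 -print)" ]
}

demo() {
    d=$(mktemp -d)
    # a passphrase-protected key, as "openssl req" without -nodes would give you
    openssl genrsa -aes256 -passout 'pass:correct horse' -out "$d/enc.key" 2048 2>/dev/null
    key_is_encrypted "$d/enc.key" && echo "enc.key: passphrase-protected, Apache would prompt on restart"
    strip_passphrase "$d/enc.key" "$d/plain.key" 'correct horse'
    key_is_encrypted "$d/plain.key" || echo "plain.key: no passphrase"
    key_mode_is_private "$d/plain.key" && echo "plain.key: mode 0600"
    rm -rf "$d"
}
demo
```

Passing the passphrase with -passin pass:... puts it in the process list for the duration of the command; on a shared host prefer -passin file:/path with a 0600 file, or just let openssl prompt as the original instructions do.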

Source: http://directadmin.com/

How to setup DA with an SSL certificate

If you already have your own certificate and key, then paste them into the following files:

certificate: /usr/local/directadmin/conf/cacert.pem
key: /usr/local/directadmin/conf/cakey.pem

Edit /usr/local/directadmin/conf/directadmin.conf and set SSL=1 (the default is 0). This tells DA to load the certificate and key and to serve its own interface over SSL. DirectAdmin must be restarted for the change to take effect.

If you also have a CA Root Certificate, this can be specified by adding:

carootcert=/usr/local/directadmin/conf/carootcert.pem

to /usr/local/directadmin/conf/directadmin.conf and pasting the root/intermediate certificate your CA gave you into that file.
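The steps above as a script, added here and not DirectAdmin's own code: it copies the three files into place with private-key permissions, sets SSL=1 and carootcert= idempotently, and then verifies that cacert.pem really chains to the root in carootcert.pem, so a wrong paste is caught before DA is restarted and stops answering on its HTTPS port. The root CA and server certificate are a toy pair generated in the script, and the conf directory is a temp dir standing in for /usr/local/directadmin/conf.

```shell
#!/bin/sh
# Added example, not DirectAdmin's own code: install cert/key/root into the DA conf
# dir, enable SSL in directadmin.conf, and verify the chain before restarting.
# The toy PKI below stands in for a real CA; paths are assumptions.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl(1) is required" >&2; exit 1; }

# key=value setter for directadmin.conf: replace an existing line or append one,
# so running it twice does not leave two SSL= lines behind.
set_conf() {                      # $1 = conf file, $2 = key, $3 = value
    if grep -q "^$2=" "$1"; then
        sed -i.bak "s|^$2=.*|$2=$3|" "$1" && rm -f "$1.bak"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}
get_conf() { sed -n "s/^$2=//p" "$1"; }     # $1 = conf file, $2 = key

# Copy the files into the conf dir (key with 0600 via umask) and switch SSL on.
install_da_ssl() {                # $1 = conf dir, $2 = cert, $3 = key, $4 = root cert
    ( umask 077 && cp "$3" "$1/cakey.pem" )
    cp "$2" "$1/cacert.pem"
    cp "$4" "$1/carootcert.pem"
    set_conf "$1/directadmin.conf" SSL 1
    set_conf "$1/directadmin.conf" carootcert "$1/carootcert.pem"
}

# 0 only if cacert.pem verifies against whatever carootcert= points at.
da_chain_ok() {                   # $1 = conf dir
    root=$(get_conf "$1/directadmin.conf" carootcert)
    [ -n "$root" ] || return 1
    openssl verify -CAfile "$root" "$1/cacert.pem" >/dev/null 2>&1
}

# Toy CA: self-signed root, then a server cert issued by it (what a real CA sends back).
make_toy_pki() {                  # $1 = work dir
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 1 -subj /CN=ToyRoot \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -subj /CN=panel.example.com \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/srv.crt" 2>/dev/null
}

demo() {
    w=$(mktemp -d); conf="$w/conf"; mkdir "$conf"; : > "$conf/directadmin.conf"
    make_toy_pki "$w"
    install_da_ssl "$conf" "$w/srv.crt" "$w/srv.key" "$w/root.crt"
    da_chain_ok "$conf" && echo "SSL=$(get_conf "$conf/directadmin.conf" SSL): chain verifies, safe to restart directadmin"
    # Paste the wrong root (an unrelated CA) and the same check fails.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 1 -subj /CN=OtherRoot \
        -keyout "$w/other.key" -out "$conf/carootcert.pem" 2>/dev/null
    da_chain_ok "$conf" || echo "chain broken: carootcert.pem did not issue cacert.pem, do not restart yet"
    rm -rf "$w"
}
demo
```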

Source: http://directadmin.com/

SSL on the server’s main domain with DirectAdmin

If an Admin wishes to add an SSL certificate to the server's main domain, it must be done manually. First obtain the certificate and key (explained in a moment). Then edit /etc/httpd/conf/httpd.conf and scroll to the very bottom, where you should see 2 VirtualHost directives. In the one for port 443 (the VirtualHost block ending in :443), set the SSL directives as follows.

Set:

SSLCertificateFile [full path to certificate]
SSLCertificateKeyFile [full path to key]
and, if the CA supplied a CA certificate file, add the following line
SSLCACertificateFile [full path to CA certificate]

Note that SSLCACertificateFile is the list of CAs Apache uses to verify client certificates. If what the CA gave you is an intermediate (chain) certificate that browsers need in order to trust yours, it belongs in SSLCertificateChainFile on older Apache versions, or appended to the SSLCertificateFile itself on Apache 2.4.8 and later.

You have a few options for obtaining the key and certificate. First, you can create your own self-signed certificate by typing:

openssl req -new -x509 -days 365 -keyout key.temp -out certificate
openssl rsa -in key.temp -out key.real

The second line removes the password from the key so that Apache won't hang on boot waiting for it. Those commands create a self-signed certificate (remove key.temp afterwards; it is the password-protected copy of the same key). If you want an authority to sign your certificate instead, which is what stops browsers warning about it, you'll need to create a certificate signing request:

openssl genrsa 2048 > key.real
openssl req -new -key key.real -out certificate.request

and you send certificate.request to the certificate authority to be signed. Generate at least a 2048-bit key: public CAs no longer sign 1024-bit keys. They will send you back a signed certificate, which you install with the Apache directives noted above (certificate.request can then be deleted; it is no longer needed).

Source and Credit - http://www.directadmin.com

My browser complains about the Webmin certificate when in SSL mode.

This happens because the SSL certificate Webmin generates by default is self-signed, not issued by a certificate authority your browser trusts.

From a security point of view this makes the connection weaker: because the browser cannot verify who issued the certificate, an attacker able to redirect traffic from your server to another machine could present a self-signed certificate of their own, and you would have no way to tell the difference. A certificate from a trusted authority is exactly what is meant to prevent that.

Network traffic is still encrypted, so you are safe against a purely passive attacker who only listens in on your network connection.

If you want to be sure that the Webmin server you are connecting to is really your own, order a certificate from an authority such as Verisign that is issued for your server's hostname and recognized by web browsers (or, for a single server you administer yourself, compare the self-signed certificate's fingerprint out of band before accepting it).

This certificate should be placed in the file

/etc/webmin/miniserv.pem

and be in the same certificate+key format as the existing miniserv.pem file.

To request a certificate, follow these steps :

Run the command

openssl genrsa -out key.pem 2048

This will create the file key.pem, which is your private key. Use at least 2048 bits; certificate authorities no longer accept 1024-bit keys.

Run the command

openssl req -new -key key.pem -out req.pem

When it asks for the common name, be sure to enter the full hostname of your server as used in the URL, like www.yourserver.com. This will create the file req.pem, which is the certificate signing request (CSR).

Send the CSR to your certificate authority by whatever method they use.

They should send you back a file that starts with -----BEGIN CERTIFICATE----- which can be put in the file cert.pem.

Combine the private key and certificate with the command

cat key.pem cert.pem >/etc/webmin/miniserv.pem

Re-start webmin (making sure it is in SSL mode) to use the new key.
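The key, CSR and self-signed certificate steps from the DirectAdmin "main domain" post above and from this Webmin post, as one added script that is not Webmin's or DirectAdmin's own tooling. It passes -subj so nothing prompts, generates the key first so no passphrase is ever set (no key.temp to strip), adds a subjectAltName since browsers match the hostname against that rather than the CN, and builds the concatenated miniserv.pem, checking that both halves can be read back from it. The hostname www.example.com and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not Webmin's or DirectAdmin's code: key, CSR, self-signed cert and
# the key+cert bundle miniserv.pem expects. Hostname and file names are assumptions.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl(1) is required" >&2; exit 1; }

SITE=www.example.com

# Private key. 2048 bits is the smallest size public CAs will sign; 1024-bit keys,
# which older guides suggest, are refused. The umask keeps the file at 0600.
make_key() {                       # $1 = key out
    ( umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null )
}

# Self-signed certificate (the "openssl req -new -x509" step), but from an existing
# key so no passphrase is ever set. SAN is what browsers actually check for the name.
make_selfsigned() {                # $1 = key, $2 = cert out
    openssl req -new -x509 -days 365 -key "$1" -out "$2" \
        -subj "/CN=$SITE" -addext "subjectAltName=DNS:$SITE" 2>/dev/null
}

# CSR to send to a CA. The CN must be the hostname exactly as it appears in the URL.
make_csr() {                       # $1 = key, $2 = csr out
    openssl req -new -key "$1" -out "$2" -subj "/CN=$SITE" 2>/dev/null
}

# Common name as the CA will see it, for checking the CSR before sending it off.
csr_cn() {                         # $1 = csr
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Webmin reads key and certificate from one file. OpenSSL scans for the first PEM
# block of the requested type, so order is not critical, but key first matches the
# stock miniserv.pem layout. The umask keeps the bundle (it holds the key) at 0600.
combine_for_webmin() {             # $1 = key, $2 = cert, $3 = miniserv.pem out
    ( umask 077 && cat "$1" "$2" > "$3" )
}

# 0 if the bundle yields a consistent private key AND a certificate for $SITE.
bundle_is_usable() {               # $1 = miniserv.pem
    openssl rsa -in "$1" -check -noout >/dev/null 2>&1 &&
    openssl x509 -in "$1" -noout -subject 2>/dev/null | grep -q "CN *= *$SITE"
}

demo() {
    d=$(mktemp -d)
    make_key "$d/key.pem"
    make_csr "$d/key.pem" "$d/req.pem"
    echo "req.pem asks for CN=$(csr_cn "$d/req.pem")"
    make_selfsigned "$d/key.pem" "$d/cert.pem"       # stands in for the CA's signed reply
    combine_for_webmin "$d/key.pem" "$d/cert.pem" "$d/miniserv.pem"
    bundle_is_usable "$d/miniserv.pem" && echo "miniserv.pem: key and certificate both readable"
    rm -rf "$d"
}
demo
```

When the CA's real certificate arrives, run combine_for_webmin with it in place of cert.pem; bundle_is_usable then also catches the common mistake of pasting a certificate that was issued for a different CSR (and so a different key).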

Find out whether an SSL certificate and key are paired correctly.

To view the contents of a certificate:

openssl x509 -noout -text -in filename.crt

To view the contents of a private key:

openssl rsa -noout -text -in filename.key

If the modulus and public exponent shown for the certificate and for the key match, they are paired correctly. If not, they are mismatched and Apache will not start with SSL enabled. Comparing the long modulus by eye is error-prone; openssl x509 -noout -modulus and openssl rsa -noout -modulus print just that value, and piping each through openssl md5 gives two short hashes that must be identical.
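The modulus comparison as an added script, not part of the original post: it hashes the RSA modulus from the certificate and from the key and compares the two, and runs the key through -check first so a corrupt key is not mistaken for a mismatched one. The certificate, its real key and a second unrelated key are generated in the script so it runs offline; file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: check whether a certificate and key
# belong together by comparing the RSA modulus each one carries.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl(1) is required" >&2; exit 1; }

# -modulus prints the same hex string for a certificate and for the key it was made
# from; hashing it just gives a short value to compare or to paste into a ticket.
cert_modulus() { openssl x509 -noout -modulus -in "$1" | openssl md5 | awk '{print $NF}'; }
key_modulus()  { openssl rsa  -noout -modulus -in "$1" 2>/dev/null | openssl md5 | awk '{print $NF}'; }

# 0 if key $2 is the private key for certificate $1. The -check pass first rules out a
# corrupt key, which would "mismatch" for reasons unrelated to the certificate.
cert_key_match() {               # $1 = cert, $2 = key
    openssl rsa -in "$2" -check -noout >/dev/null 2>&1 &&
    [ "$(cert_modulus "$1")" = "$(key_modulus "$2")" ]
}

demo() {
    d=$(mktemp -d)
    # self-signed cert plus the key it was generated with (-nodes: no passphrase)
    openssl req -new -x509 -nodes -days 1 -subj /CN=demo -newkey rsa:2048 \
        -keyout "$d/right.key" -out "$d/cert.pem" 2>/dev/null
    # an unrelated key, e.g. one left over from an earlier CSR that was never used
    openssl genrsa -out "$d/wrong.key" 2048 2>/dev/null
    for k in right wrong; do
        if cert_key_match "$d/cert.pem" "$d/$k.key"; then
            echo "$k.key: pairs with cert.pem"
        else
            echo "$k.key: MISMATCH, Apache would refuse to start with this pair"
        fi
    done
    rm -rf "$d"
}
demo
```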
