A service of Daily Data, Inc.
Contact Form

Unix Server Tech Knowledge Base

User Tools

Site Tools

Trace:
software:openssl:internalca:deploy

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
software:openssl:internalca:deploy [2025/10/25 03:08] – removed - external edit (Unknown date) 127.0.0.1software:openssl:internalca:deploy [2025/10/25 03:08] (current) – ↷ Page moved from software:openssl:deploy to software:openssl:internalca:deploy rodolico
Line 1: Line 1:
 +====== Deploy Server Certificate ======
 +
 +Once created, the server certificate (.crt) and the key used to create it (.key) need to be deployed to the server which contains the service(s) you want to secure.
 +
 +Each operating system has a default, and even different distributions of the same operating systems may use a different default. However, since we must manually configure each services, we can choose a common location for our certificates if we want. On Unix, I create a directory named /etc/certificates and put all of my local (LAN) certificates in there.
 +
 +===== Which files to copy =====
 +The files that need to be copied are the certificate (.crt) and privte key (.key) files. In some cases, it is useful to combine them into one file, which the .pem format is excellent for (PEM is designed to hold multiple types of information). To create the .pem equivilent, simply cat the key and crt files and send that output to a .pem. You can do it with a text editor, or with the Unix command:
 +<code bash>
 +cat servername.crt servername.key > servername.pem
 +</code>
 +
 +===== Copying the files =====
 +
 +These are simple text files, so I use scp.
 +
 +<code bash>
 +cat servername.crt servername.key > servername.pem
 +ssh target_server 'mkdir -p /etc/certificates'
 +scp servername.crt servername.key servername.pem target_server:/etc/certificates
 +ssh target_server 'chmod 755 /etc/certificates && chmod 644 /etc/certificates/* && chown -fR root:root /etc/certificates'
 +</code>
 +
 +This will ensure /etc/certificates exists (mkdir -p), copy the files to it, and set ownership and permissions.
 +
 +===== Setting Service to use it =====
 +
 +For now, I'm only going to do the Apache server on a Devuan (Debian) Linux server. Everyone and every program does it differently.
 +
 +==== Apache ====
 +
 +We need to edit the default SSL configuration file and enable it. Note that these instructions assume a base Devuan server with no modifications made to the existing configuration files. You will need to adapt if you have already changed things.
 +
 +On Debian based servers, the default Apache2 ssl site configuration is located in /etc/apache2/sites-available/default-ssl.conf. Use your favorite editor to change that.
 +
 +<code bash>
 +cd /etc/apache2/sites-available
 +cp default-ssl.conf default-ssl.conf.bak # make a backup of the conf file
 +edit default-ssl.conf
 +</code>
 +
 +Look for two directives, **SSLCertificateFile** and **SSLCertificateKeyFile**, and edit them to point to /etc/certificates/server.crt and /etc/certificates/server.key. They are on line 32 in my current setup. So, you will see:
 +<code apache>
 +               SSLCertificateFile      /etc/certificates/servername.crt
 +               SSLCertificateKeyFile /etc/certificates/servername.key
 +</code>
 +
 +Obviously, change servername to the actual name used for your keys. Save the file
 +
 +Now, assuming you have not been using SSL before, we need to tell Apache to begin using SSL, and to use default-ssl.conf.
 +
 +<code bash>
 +a2enmod ssl
 +a2ensite default-ssl.conf
 +service apache2 reload
 +</code>
 +
 +If the final command (the service reload) shows no error, you are good. You can now go to one of the workstations that has the CA installed and open the web browser using https. If it produced an error, you will need to fix it, obviously.
 +
 +**Note**: With Apache, it is very simple to force SSL (https) on a connection using mod_rewrite. After you know https is working, you can go back and do the following:
 +<code bash>
 +a2enmod mod_rewrite
 +edit /etc/apache2/sites-available/000-default.conf
 +</code>
 +
 +Now, add the following lines between **<VirtualHost *:80>** and **</VirtualHost>**. Actual location does not matter, but not within other blocks. I tend to put it just before the </VirtualHost> line.
 +
 +<code apache>
 +    RewriteEngine On
 +    RewriteCond %{HTTPS} off
 +    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
 +</code>
 +
 +Reload the apache server
 +<code bash>service apache2 reload</code>
 +and traffic going to the server on http will be redirected to https.
 +
 +===== Future Deployments =====
 +
 +Once you have the services set up on a server, you can run the same commands from //Copying the files//, then afterwards, reload the service(s). Following is a modified set of commands to deploy a new certificate which also reloads the Apache web service, telling it to reread the SSL certs you have just put out there.
 +
 +<code bash>
 +cat servername.crt servername.key > servername.pem
 +ssh target_server 'mkdir -p /etc/certificates'
 +scp servername.crt servername.key servername.pem target_server:/etc/certificates
 +ssh target_server 'chmod 755 /etc/certificates && chmod 644 /etc/certificates/* && chown -fR root:root /etc/certificates'
 +ssh target_server 'service apache2 reload'
 +</code>