ST Hosting Manual
SSL Certificates in Debian
Today we would like to show you how easily you can make a server much more secure with an SSL certificate.
You should definitely do this, because without encryption other people can listen in on your connections.
Especially if you are a provider who sells expensive products, it is important to keep your customers' data private.
Please note that if you have purchased a certificate, you only need to copy it into the folder /etc/ssl/certs and can simply skip the generating step.
Another advantage of buying a certificate from our provider is that browsers consider most self-generated certificates too dangerous.
Important instructions about the tutorial
This tutorial is only for Debian.
It does not work on other Linux distributions.
A leading # means that, in most cases, the console command has to be run with root privileges.
This tutorial uses the following placeholders:
- domainname = your domain, e.g. signaltransmitter.de
- yourip = the IP address of your server, e.g. 4.4.4.4
How to create a certificate:
In this step, we will generate the certificate together.
As already mentioned, if you already have a certificate for the domain, just upload it to the /etc/ssl/certs directory and skip this step.
First you have to install the required package openssl with the command:
# apt-get install openssl
Afterwards create the certificate with the following commands:
# cd /etc/ssl/certs
# openssl genrsa -des3 -out domainname-pass.key 2048
# openssl req -new -key domainname-pass.key -out domainname.csr
# openssl rsa -in domainname-pass.key -out domainname.key
# openssl x509 -req -days 365 -in domainname.csr -signkey domainname.key -out domainname.crt
# chmod 444 *.crt
# chmod 400 *.key
You have now generated the certificate. The new files are in the folder /etc/ssl/certs and have the file names domainname.key and domainname.crt.
Integrate in proftpd
This section explains how to integrate your certificate into the proftpd package.
First have a look at /etc/proftpd/proftpd.conf and change the following settings:
#
# SSL via TLS
#
<IfModule mod_tls.c>
TLSEngine off # on for use of TLS
TLSLog /var/log/proftpd/ftp_ssl.log # where to log to
TLSProtocol SSLv23 # SSLv23 or TLSv1
TLSOptions NoCertRequest # either to request the certificate or not
TLSRSACertificateFile /etc/proftpd/ssl.crt # SSL certfile
TLSRSACertificateKeyFile /etc/proftpd/ssl.key # SSL keyfile
TLSVerifyClient off # client verification
</IfModule>
to the following settings:
#
# SSL via TLS
#
<IfModule mod_tls.c>
TLSEngine on # on for use of TLS
TLSLog /var/log/proftpd/ftp_ssl.log # where to log to
TLSProtocol SSLv23 # SSLv23 or TLSv1
TLSOptions NoCertRequest # either to request the certificate or not
TLSRSACertificateFile /etc/ssl/certs/domainname.crt # SSL certfile
TLSRSACertificateKeyFile /etc/ssl/certs/domainname.key # SSL keyfile
TLSVerifyClient off # client verification
</IfModule>
The last step is to restart the FTP server, and then you are finished:
# /etc/init.d/proftpd restart
Integrate in courier
Now let us have a look at the courier-package:
First of all we need two new packages, courier-imap-ssl and courier-pop-ssl:
# apt-get install courier-imap-ssl courier-pop-ssl
Secondly, combine the key and the certificate into one file per service with these two commands (> replaces an existing file, so that it contains only the new pair):
# cat /etc/ssl/certs/domainname.key /etc/ssl/certs/domainname.crt > /etc/courier/imapd.pem
# cat /etc/ssl/certs/domainname.key /etc/ssl/certs/domainname.crt > /etc/courier/pop3d.pem
Now you need to reference these files in the configuration of courier.
Simply add the following line to /etc/courier/imapd-ssl:
TLS_CERTFILE=/etc/courier/imapd.pem
and the following line to /etc/courier/pop3d-ssl:
TLS_CERTFILE=/etc/courier/pop3d.pem
Finally, restart courier:
# /etc/init.d/courier-imap-ssl restart
# /etc/init.d/courier-pop-ssl restart
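The following script is an added example, not part of the original tutorial. It checks that a key and certificate such as domainname.key and domainname.crt belong together, and that a combined file such as /etc/courier/imapd.pem really starts with that pair. The function names and result codes are assumptions made for this example, and the sample data is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. File names are placeholders.

# check_pair KEY CRT [DAYS] -> 0 ok, 1 key and certificate do not belong
# together, 2 certificate expires within DAYS (default 30), 3 key readable by
# group or others, 4 unreadable input (includes a passphrase-protected key).
check_pair() {
    key=$1 crt=$2 days=${3:-30}
    # Derive the public key from each file; "-passin pass:" prevents a prompt.
    k=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 4
    c=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 4
    [ "$k" = "$c" ] || return 1
    openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null || return 2
    # Columns 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ldL "$key" | cut -c5-10)" = "------" ] || return 3
}

# check_bundle PEM CRT [DAYS]: the first certificate in PEM must be CRT and the
# first key in PEM must match it. Fails with 1 when the file still starts with
# an older pair, e.g. because new material was appended to an existing file.
check_bundle() {
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 4
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 4
    [ "$a" = "$b" ] || return 1
    check_pair "$1" "$1" "${3:-30}"
}

# make_samples DIR: constructed throwaway data, two self-signed pairs plus a
# clean bundle (new pair only) and a stale one (old pair first, new appended).
make_samples() {
    for n in old new; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$n.example" \
            -keyout "$1/$n.key" -out "$1/$n.crt" 2>/dev/null || return 4
        chmod 400 "$1/$n.key"
    done
    cat "$1/new.key" "$1/new.crt" > "$1/good.pem"
    cat "$1/old.key" "$1/old.crt" "$1/new.key" "$1/new.crt" > "$1/stale.pem"
    chmod 600 "$1/good.pem" "$1/stale.pem"
}

# Run with the argument "demo" to print the result codes for the sample data.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && make_samples "$d" || exit 4
    check_bundle "$d/good.pem" "$d/new.crt";  echo "clean bundle: $?"
    check_bundle "$d/stale.pem" "$d/new.crt"; echo "stale bundle: $?"
    rm -rf "$d"
fi
```

On the server, call check_pair with /etc/ssl/certs/domainname.key and /etc/ssl/certs/domainname.crt, and check_bundle with /etc/courier/imapd.pem or /etc/courier/pop3d.pem and the same certificate.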
Integrate in apache2
Lastly, only the integration into apache2 is left.
In the file /etc/apache2/sites-enabled/00-default, find the matching section for the domain and add the following configuration:
<VirtualHost yourip:443>
ServerName domainname
DocumentRoot /var/www/
<IfModule mod_ssl.c>
SSLEngine on
SSLCertificateKeyFile /etc/ssl/certs/domainname.key
SSLCertificateFile /etc/ssl/certs/domainname.crt
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</IfModule>
</VirtualHost>
Next, restart the apache2 server.
# /etc/init.d/apache2 restart