Sunday, February 3, 2013

Web server has valid certificate now.

When I installed the mod_ssl module on my Amazon Linux AMI server on Amazon's EC2 cloud service, a default key and certificate were generated, but they were issued for the long Amazon host name, which you could never use for a business.

Now, this is just a learning site for school, so, being a poor college kid, I didn't want to fork out the cost of eating for a month to get a certificate.  I did a Google search for top cheap SSL certificate providers and found this link: http://webdesign.about.com/od/ssl/tp/cheapest-ssl-certificates.htm

I started at the free end of the list and began working my way up.  Luckily https://www.startssl.com/ was able to help me out and gave me a free cert that is good for a year.   The directions there are: sign up, follow the directions on their site to get a certificate and key, and download them to your local directory.  Every certificate authority (CA) is different; you just have to follow its procedure, and if you are paying cash, they will walk you through the steps with live support.

I followed the directions, replied to several emails they sent me to confirm I was real, and then downloaded the files it told me to download.  The last step was to convert the ssl.key file to an ssl2.key file with this command:
openssl rsa -in ssl.key -out ssl2.key
You have to enter the password you gave when you had them create the key, and it writes ssl2.key without a password, so that the web server can load it without someone retyping the password at the console every time the server or Apache starts or restarts.  The trade-off is that the unencrypted ssl2.key now is the secret: anyone who can read that file can impersonate your site, so it must be readable by root only once it is on the server.
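The conversion above, as an added example that is not part of the original post: it generates a throw-away passphrase-protected RSA key standing in for the ssl.key downloaded from the CA, strips the passphrase with the same `openssl rsa` command (using `-passin` instead of the interactive prompt), and then checks two things a practitioner wants to know before copying the result to a server: that the output really has no passphrase, and that it is the same key, not a new one. The passphrase, file names and `mktemp` working directory are all assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): strip the passphrase from a
# PEM private key with `openssl rsa`, as the post does, and check the result
# before putting it on a server. A constructed throw-away key stands in for
# the ssl.key downloaded from the CA.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed input: a 2048-bit RSA key encrypted with a known passphrase.
PASS='correct horse battery staple'
openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/ssl.key" 2048 2>/dev/null

# key_is_encrypted FILE -> 0 if the PEM still carries a passphrase
# (OpenSSL marks it "Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY").
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# strip_passphrase IN OUT PASS -> writes an unencrypted copy of IN to OUT.
# -passin replaces the interactive prompt the post describes; the output is
# made owner-only immediately, because anyone who can read it owns the site.
strip_passphrase() {
    openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null
    chmod 600 "$2"
}

# key_modulus FILE [PASS] -> the RSA modulus, so two key files can be compared.
# The passphrase is ignored for an unencrypted key.
key_modulus() {
    openssl rsa -in "$1" -passin "pass:${2:-}" -noout -modulus 2>/dev/null
}

# same_key A PASS_A B PASS_B -> 0 if both files hold the same private key
same_key() {
    [ "$(key_modulus "$1" "$2")" = "$(key_modulus "$3" "$4")" ]
}

strip_passphrase "$WORK/ssl.key" "$WORK/ssl2.key" "$PASS"

if key_is_encrypted "$WORK/ssl2.key"; then
    echo "ssl2.key is still encrypted; Apache would prompt at every start"
else
    echo "ssl2.key has no passphrase"
fi
if same_key "$WORK/ssl.key" "$PASS" "$WORK/ssl2.key" ""; then
    echo "ssl2.key is the same key as ssl.key, only unencrypted"
fi
```

The modulus comparison is the quick way to prove two RSA key files (or a key and the certificate issued for it) belong together; the 600 mode is the one to keep when the file is later copied into /etc/pki/tls/private.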

I put everything I got from StartSSL.com into a single directory I called webssl.  Then I scp'ed the directory over to my AMI box with this command:
scp -i TestingForClass.pem -r webssl  ec2-user@ec5-64-131-21-85.compute-9.amazonaws.com:~
That is all on one line.  Of course that is not the actual address of my server; you will have to put in your own instance address to connect to your box. The -r is because I am copying a directory, and the colon-tilde on the end tells the server on the other side to put that directory into my /home/ec2-user/ folder.   The -i is the same private key you use to connect to the box with ssh.

Then I ssh'ed into the box with:
ssh -i TestingForClass.pem ec2-user@ec5-64-131-21-85.compute-9.amazonaws.com

Time to set up SSL!

I backed up the ssl.conf file to my home directory with this command:
cp /etc/httpd/conf.d/ssl.conf ~/ssl.conf
This is in case I blow it and need to fall back and punt: just put the original file back in place and think about what I am doing before I try again.  The most important thing about doing anything on a computer is being able to undo it before you get into too much trouble.
sudo vi /etc/httpd/conf.d/ssl.conf
Look for something that looks like:
#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
Comment out that last line and add a new line right below it that says this (with ServerName replaced by your own host name):
SSLCertificateFile /etc/pki/tls/certs/ServerName.crt
The section should now look like this:
#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/tls/certs/ServerName.crt
Right below it is another section:
#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
Comment out that last line and add a new line right below it that says this (again with your own host name in place of ServerName):
SSLCertificateKeyFile /etc/pki/tls/private/ServerName.key

The section should now look like this:

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/tls/private/ServerName.key

That is it!  Save and quit that.

Now that the server is configured to use the key, we have to put the key and certificate in the places the configuration points at.  Note which directory each goes in: the private key goes under private/ and the certificate under certs/, matching the two directives above (get them backwards and Apache will fail to start because the paths in ssl.conf do not exist):

sudo cp ~/webssl/ssl2.key /etc/pki/tls/private/ServerName.key
sudo cp ~/webssl/ssl.crt /etc/pki/tls/certs/ServerName.crt
Now we want those files to match the security of the other entries in their directories: the private key is readable by root only (the same mode as localhost.key), while the certificate is public and can stay world-readable:
sudo chmod 600 /etc/pki/tls/private/ServerName.key
sudo chmod 644 /etc/pki/tls/certs/ServerName.crt
And finally restart the server.
sudo /etc/init.d/httpd restart
At this point I was able to browse to https://ServerName/ and got a secure, valid connection in both Firefox and Chrome.

And we are done!

The only thing that concerns me is why there were additional files from the cert provider; we only needed the password-removed ssl2.key and the ssl.crt file to make this work.
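The install steps above, and the question of the extra files, as an added example that is not part of the original post. Public CAs normally sign site certificates from an intermediate CA rather than the root that browsers trust, and the extra files are that intermediate and root. A browser that already has the intermediate cached will show a valid padlock even when the server never sends it, which is why the site can look fine in Firefox and Chrome while other clients fail. The script builds a constructed throw-away PKI (root, intermediate, server certificate for www.example.com standing in for ServerName) and then runs the three checks worth doing after installing the files: that the certificate and the password-less key belong together, that the key is not group- or world-readable, and that the certificate chains to the root only when the intermediate is supplied. The config file, names and `mktemp` directory are all assumptions of the example; no real CA or server is involved.

```shell
#!/bin/sh
# Added example (not from the original post): after the key and certificate
# are installed, check that they match, that the key is private, and that the
# certificate chains to a trusted root, which is what the CA's extra files do.
# Everything below is a constructed throw-away PKI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so the result does not depend on the system default.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF

# Root CA (self-signed), an intermediate signed by the root, and a server
# certificate signed by the intermediate. www.example.com stands in for the
# post's ServerName; the key is written without a passphrase (-nodes).
openssl req -x509 -config pki.cnf -subj "/CN=Example Root CA" \
    -newkey rsa:2048 -nodes -keyout root.key -out root.crt -days 30 2>/dev/null
openssl req -new -config pki.cnf -subj "/CN=Example Intermediate CA" \
    -newkey rsa:2048 -nodes -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile pki.cnf -extensions ca_ext -out int.crt 2>/dev/null
openssl req -new -config pki.cnf -subj "/CN=www.example.com" \
    -newkey rsa:2048 -nodes -keyout ServerName.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 30 -extfile pki.cnf -extensions server_ext -out ServerName.crt 2>/dev/null

# cert_matches_key CRT KEY -> 0 when the certificate's public key was made
# from this private key (same RSA modulus); Apache refuses to start otherwise.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = \
      "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# key_is_private FILE -> 0 when neither group nor other can read FILE.
# (It should be owned by root too; that needs sudo and is not checked here.)
key_is_private() {
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \))" ]
}

# chain_verifies ROOT LEAF [INTERMEDIATE] -> 0 when LEAF chains to ROOT.
# Without the intermediate, verification fails with "unable to get local
# issuer certificate": the CA's extra file is what fills that gap.
chain_verifies() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

chmod 600 ServerName.key   # the mode to use in /etc/pki/tls/private

if cert_matches_key ServerName.crt ServerName.key; then
    echo "certificate and key match"
fi
if key_is_private ServerName.key; then
    echo "key is not group/world readable"
fi
if chain_verifies root.crt ServerName.crt; then
    echo "leaf alone verifies (unexpected)"
else
    echo "leaf alone does NOT verify: intermediate missing"
fi
if chain_verifies root.crt ServerName.crt int.crt; then
    echo "leaf plus intermediate verifies"
fi
```

On a real server the intermediate file from the CA is what Apache should hand to clients: point SSLCertificateChainFile in ssl.conf at it (on Apache 2.4.8 and later the intermediate can instead be appended to the file named by SSLCertificateFile), run `sudo apachectl configtest` to catch a wrong path before restarting, and then repeat the `openssl verify` check against the CA's root with only the files the server serves. The root itself is not installed on the server; it is what the browser already trusts.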
