This is a brief tutorial on how to install a RapidSSL certificate for use with your ISPConfig admin panel, webmail, and everything else served under https://www.yourdomain.com:81/*
It's pretty simple, but I'll go into detail for SSL newbies like me.
I used Enom to purchase the RapidSSL cert for $70 less.
It's actually pretty easy... so I felt like a dummy at first, being confused about the different certificate webserver types that could have been correct when purchasing and checking out, and all sorts of other small things that weren't documented very well for a person like me buying his 2nd SSL cert.
This includes the new RapidSSL requirements: a key of at least 2048 bits when generating the key, the newly required "intermediate.crt" they send you with your server.crt, and where to add the path for the intermediate.crt in ISPConfig 2.
It's not rocket science like some of you geniuses get into, but I hope it helps some of you guys.
I used ENOM so I could get the $79.95/yr cert for $9.95/yr, but it's pretty much the same if you go directly through RapidSSL.com.
HOW TO INSTALL:
Go to Enom (or RapidSSL) and buy the $9.95/yr RapidSSL certificate.
Generate the certificate in /root/ispconfig/httpd/conf/, or more precisely at /root/ispconfig/httpd/conf/ssl.crt/server.crt, as shown in the "Generate the CSR" section below.
The CN (Common Name) is important! If Enom (or RapidSSL directly) will not allow wildcards such as *.yourdomain.com for the $9.95/yr cert,
make sure you use:
ON Enom/RapidSSL: Webserver type "Apache2"
Make sure to use the same CN on Enom as you do when generating the CSR with the commands below. When entering the CN (Common Name), include the "www" in the domain, both when purchasing the certificate and when generating the CSR, so it will work when you go to:
and of course everything else, like :81/roundcubemail or :81/phpmyadmin, will work too. You get the picture.
So all your Co-Domain forwards and stuff are good to go.
Generate the CSR to submit to ENOM/RapidSSL:
openssl genrsa -des3 -passout pass:yourpassword -out /root/ispconfig/httpd/conf/ssl.key/server.key2 1024
RapidSSL now requires at least 2048 bits and an intermediate certificate, so use the following instead of 1024 when generating the key:
openssl genrsa -des3 -passout pass:yourpassword -out /root/ispconfig/httpd/conf/ssl.key/server.key2 2048
openssl req -new -passin pass:yourpassword -passout pass:yourpassword -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.csr/server.csr -days 365
openssl req -x509 -passin pass:yourpassword -passout pass:yourpassword -key /root/ispconfig/httpd/conf/ssl.key/server.key2 -in /root/ispconfig/httpd/conf/ssl.csr/server.csr -out /root/ispconfig/httpd/conf/ssl.crt/server.crt -days 365
openssl rsa -passin pass:yourpassword -in /root/ispconfig/httpd/conf/ssl.key/server.key2 -out /root/ispconfig/httpd/conf/ssl.key/server.key
chmod 600 /root/ispconfig/httpd/conf/ssl.key/server.key
You will get an E-Mail with the new RapidSSL signed certificate.
You'll need to put this new .crt in ISPConfig's server.crt. Back up the existing file first:
cp /root/ispconfig/httpd/conf/ssl.crt/server.crt /root/ispconfig/httpd/conf/ssl.crt/server-backup.crt
Now paste the newly issued RapidSSL certificate you got in your email into:
I found out that with all new RapidSSL certs you need to use another cert authority thingy they send you, named INTERMEDIATE CA.
Make a new file in the following location:
Paste the INTERMEDIATE CA block into intermediate.crt. You'll find it at the bottom of the same email that contains the certificate you put in the actual server.crt.
Now go to the following file:
Open httpd.conf with your favorite text editor and search for "SSLCACertificateFile".
You'll find an already commented-out example in httpd.conf.
To tell ISPConfig to check the intermediate.crt you created in the steps above, simply add this line below:
Reboot your server or restart your services and you're done!
Hope this helps someone that was as inexperienced with purchasing new SSL certs as I was!
Oh btw if you're interested you can try this method exactly like I explained it through enom, I believe I still have a few reseller accounts left for $8.50/yr domains and cheap SSL certs...unfortunately $9.95 is as low as the SSL certs get, but at least it's still 70 bucks off. The nice thing was that last year I messed up the first time and they gave me a refund right away so I could resubmit. I think I chose Apache2+mod_ssl or Apache2+OpenSSL instead of just Apache2 when submitting to rapidssl. They seem like a pretty stand up company.
I'm loving all the cool stuff you guys have been posting for ispconfig 2 & 3. I can't wait to get some stuff ready for SVN hopefully sooner than later.
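As an added example (not part of the original post), the checks below can be run before restarting Apache: they confirm that the key is at least 2048 bits, that the pasted certificate belongs to server.key, that it is no longer the self-signed placeholder generated in the CSR step, and that it verifies against intermediate.crt. The function names are made up for this example, the three files are passed as arguments, and the -partial_chain option needs OpenSSL 1.0.2 or later.

```shell
#!/bin/sh
# Added example: sanity checks for the key and certificates from this tutorial.
# Function names are made up for this example; needs OpenSSL 1.0.2 or later.

# Print the RSA key size in bits (use the passphrase-free server.key).
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Succeed if certificate $1 carries the same RSA modulus as private key $2.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeed if subject equals issuer, i.e. this is still the self-signed
# placeholder and not the certificate issued by the CA.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# Succeed if certificate $1 verifies with the CA certificate in $2 as anchor.
signed_by() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# check_install KEY CERT INTERMEDIATE: print failed checks, return 1 if any.
check_install() {
    rc=0
    bits=$(key_bits "$1")
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key has ${bits:-unknown} bits, need 2048+"; rc=1; }
    cert_matches_key "$2" "$1" || { echo "FAIL: certificate does not match key"; rc=1; }
    if is_self_signed "$2"; then echo "FAIL: certificate is self-signed"; rc=1; fi
    signed_by "$2" "$3" || { echo "FAIL: not issued by the intermediate CA"; rc=1; }
    return $rc
}
```

Call it as check_install KEY CERT INTERMEDIATE with the server.key, server.crt and intermediate.crt from the steps above; no output and exit status 0 means all four checks passed.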