Saturday, September 29, 2007
Creating a Self-signed SSL Certificate for Apache 2 on Debian lenny
While setting up SSL for Apache 2 on Debian lenny for our development server, I got stuck when all the instructions I could find (1, 2) said to use the script apache2-ssl-certificate, which wasn’t installed on the system.
After some more Googling I found Ubuntu bug #77675 in Ubuntu’s apache2 package, which notes that apache2-ssl-certificate is missing. Debian bug #398520 indicates it’s also a problem in Debian. Both bugs indicate that the solution is to use make-ssl-cert instead. So, this is what I originally did.
Yesterday, however, the certificate expired, and I noticed it had only been created to be valid for 30 days. So, I went through the trouble of regoogling everything I just mentioned above in order to refresh my memory about how to create a certificate. This time, however, I read to the bottom of both bug reports. They mention that the default lifetime for make-ssl-cert is only 30 days. Debian bug #293821 mentions the problem, and even seems to include a patch for make-ssl-cert that gives it a -days option. The patch doesn’t seem to have made it into lenny, though.
So, I copied /usr/sbin/make-ssl-cert to /etc/apache2 and modified it myself. All you need to do is add the -days option to the openssl line near the bottom:
< openssl req -config $TMPFILE -new -x509 -nodes -out $output -keyout $output -days 1095 > /dev/null 2>&1 > openssl req -config $TMPFILE -new -x509 -nodes -out $output -keyout $output > /dev/null 2>&1
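Review bot: the redirect `> /dev/null 2>&1` on both versions of the line discards openssl's error output as well, so a failure (unreadable `$TMPFILE`, unwritable `$output`) leaves the script silently producing nothing; keeping stderr, or at least checking the exit status of `openssl req`, would make the 30-day surprise described in the post easier to diagnose. Two further points on the same line: this is normal `diff` output with the modified file first, so `<` (with `-days 1095`) is the change and `>` the original, which is the reverse of the usual reading; and because `-nodes` writes the unencrypted private key into the same `$output` file as the certificate, that file must be created with restrictive permissions (owner-only read), since Apache reads it as root and nobody else needs it.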
While I was at it, I copied /usr/share/ssl-cert/ssleay.cnf and modified it, too, by removing the required country, state, locality, and organizational unit fields in the certificate, since I didn’t have anything useful to enter for them:
> countryName = @CountryName@ > stateOrProvinceName = @StateName@ > localityName = @LocalityName@ > organizationalUnitName = @OUName@ |
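Review bot: dropping countryName, stateOrProvinceName, localityName and organizationalUnitName from the distinguished_name section is safe for a self-signed development certificate, because TLS clients validate the hostname and not these fields; what must remain is the commonName (hostname) entry. Note the orientation again: the `>` lines are the ones present only in the original ssleay.cnf, i.e. the removals. The @CountryName@, @StateName@, @LocalityName@ and @OUName@ placeholders these lines carried are also referenced by make-ssl-cert's sed substitutions, so the script needs the matching edit shown in the second diff, or the substitutions simply match nothing.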
I also changed the relevant lines in my new make-ssl-cert:
< templates="organisationname hostname email" > templates="countryname statename localityname organisationname ouname hostname email" > db_get make-ssl-cert/countryname > CountryName="$RET" > db_fset make-ssl-cert/countryname seen false > > db_get make-ssl-cert/statename > StateName="$RET" > db_fset make-ssl-cert/statename seen false > > db_get make-ssl-cert/localityname > LocalityName="$RET" > db_fset make-ssl-cert/localityname seen false > > db_get make-ssl-cert/ouname > OUName="$RET" > db_fset make-ssl-cert/ouname seen false > > CountryName="XX" > StateName="There is no such thing outside US" > LocalityName="Everywhere" > OUName="Office for Complication of Otherwise Simple Affairs" < sed -e s#@OrganisationName@#"$OrganisationName"# > sed -e s#@CountryName@#"$CountryName"# > -e s#@StateName@#"$StateName"# > -e s#@LocalityName@#"$LocalityName"# > -e s#@OrganisationName@#"$OrganisationName"# > -e s#@OUName@#"$OUName"# |
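Review bot: the surviving substitution `sed -e s#@OrganisationName@#"$OrganisationName"#` expands the variable directly into the sed expression, so an organisation name containing `#` (the delimiter) or `&` (which sed replaces with the matched text) produces a wrong or failing substitution; escaping those characters before the sed call, or validating the value, would make the script robust to free-form input from debconf. The rest of the hunk is internally consistent: shrinking `templates` to "organisationname hostname email" matches the removed `db_get`/`db_fset` blocks, the removed hard-coded fallbacks (`CountryName="XX"` and friends) and the removed `-e` expressions, so no variable is left referenced but unset.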
Then, all you have to do is run the following:
/etc/apache2/make-ssl-cert /etc/apache2/ssleay.cnf /etc/apache2/ssl
This should create the necessary certificate in /etc/apache2/ssl as explained by all the other instructions.
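The whole procedure, from the trimmed request config through the explicit -days option to a check on the resulting certificate, as one stand-alone script. This is an added example and not the post's patched make-ssl-cert or Debian's script; the separate apache.key/apache.crt files, the req.cnf name, the hostname dev.example.com and the subjectAltName extension are assumptions made here.

```sh
#!/bin/sh
# Added example, not part of the original post or of Debian's make-ssl-cert:
# a stand-alone script that does what the patched make-ssl-cert does
# (self-signed cert, explicit -days, trimmed DN) and then checks the result.
set -eu

# Render a minimal req config. Like the trimmed ssleay.cnf, it carries only
# organisation, hostname and e-mail. The subjectAltName is an addition
# (assumed here, not in the post): clients match the hostname against the
# SAN rather than the CN, so a cert without it fails name validation.
render_req_config() {
    host=$1; org=$2; email=$3
    cat <<EOF
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_self
prompt             = no

[ req_distinguished_name ]
O            = $org
CN           = $host
emailAddress = $email

[ v3_self ]
subjectAltName = DNS:$host
EOF
}

# Generate key and certificate with an explicit lifetime (the -days fix).
# Unlike make-ssl-cert, key and cert go to separate files: the key is
# created under umask 077 (mode 0600) while the cert can stay readable.
make_self_signed_cert() {
    cfg=$1; outdir=$2; days=$3
    ( umask 077
      openssl req -config "$cfg" -new -newkey rsa:2048 -x509 -nodes -days "$days" \
          -keyout "$outdir/apache.key" -out "$outdir/apache.crt" )
    chmod 644 "$outdir/apache.crt"
}

# Succeed only if the certificate stays valid for at least $2 more days.
# Run from cron or a deploy script, this catches a cert about to lapse the
# way the 30-day default did.
cert_valid_for_days() {
    crt=$1; want=$2
    openssl x509 -in "$crt" -noout -checkend $((want * 86400))
}

# Usage: make_dev_cert.sh OUTDIR HOSTNAME ORG EMAIL [DAYS]
main() {
    outdir=$1; host=$2; org=$3; email=$4; days=${5:-1095}
    mkdir -p "$outdir"
    render_req_config "$host" "$org" "$email" > "$outdir/req.cnf"
    make_self_signed_cert "$outdir/req.cnf" "$outdir" "$days"
    openssl x509 -in "$outdir/apache.crt" -noout -subject -enddate
    cert_valid_for_days "$outdir/apache.crt" 30 \
        || echo "warning: certificate expires within 30 days" >&2
}

# Run main only when invoked with arguments, so the file can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Invoke it as `sh make_dev_cert.sh /etc/apache2/ssl dev.example.com "Example Dev" admin@example.com 1095`, then point SSLCertificateFile at apache.crt and SSLCertificateKeyFile at apache.key in the Apache site config. Keeping the key in its own 0600 file is the reason for departing from make-ssl-cert's single combined PEM.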
The patched scripts are available in their entirety below. I also posted the diffs above, in case you have different versions of ssleay.cnf and make-ssl-cert and you want to patch them.
mike
Sunday, June 8, 2008
6:06 pm
In my case, the last command didn’t work (I had created the directory /etc/apache2/ssl beforehand). Instead of
/etc/apache2/make-ssl-cert /etc/apache2/ssleay.cnf /etc/apache2/ssl, change the last path to /etc/apache2/ssl/apache.pem.
gary
Saturday, June 6, 2009
9:36 am
Fixed in lenny (latest version) - see that the 3650 given to -days is now in place.
Sat Jun 6 20:33:12 BST 2009
/etc/debian_version:5.0.1
openssl req -config $TMPFILE -new -x509 -days 3650 -nodes -out $output -keyout $output > /dev/null 2>&1
openssl req -config $TMPFILE -new -x509 -days 3650 -nodes \
10 years should be plenty. Full marks to Debian for the fix, which was admittedly set too low in the previous script versions.