How do I generate an SSL certificate for my server?

In order to use HTTPS with your SourceForge install, you need to have a valid SSL certificate installed for Apache to use.

There are two kinds of certificates: self-signed and CA-signed. Self-signed certs are ones that you generate and authorize yourself, and they cost you nothing (though some browsers/applications will not like them much). A CA-signed certificate is authorized by a Certificate Authority (like Verisign). They can cost hundreds of dollars, but every browser/application recognizes the CA certificate.

In either case, you first have to generate a CSR, or certificate signing request, using the steps below:

  1. Log in as root on the SourceForge server.
  2. Generate your server's key:

         openssl genrsa -out servername.key 1024

  3. Generate the CSR itself:

         openssl req -new -key servername.key -out servername.csr

     You now have the private server key and the CSR. Whatever you do, do NOT lose the key! The CSR and the resulting certificate are tied to it and will not function if you lose it or try to replace it.

     If you are getting an official CA-signed cert, you must provide them with the servername.csr file and they will reply with the cert.

     If you are doing a self-signed cert, create it this way:

         openssl req -new -key servername.key -x509 -out servername.crt

     You should now have all three pieces needed to make Apache use SSL.

  4. Next, edit /etc/httpd/conf.d/ssl.conf and look at the SSL settings to determine where to place the appropriate files and under what name. Once this is done, restart Apache:

         service httpd restart

NOTES: You should replace "servername" above with the real domain name of the server in question, e.g. sourceforge.mycompany.com. You also need to be very precise in answering the questions when generating the CSR. Most CA-signing companies will refuse it if the information is not correct. And finally, when building the CSR, it will ask for the common name. You should reply with the real domain name of the server, e.g. sourceforge.mycompany.com. This value will be built into the cert and, if incorrect, will cause browsers to complain that the cert doesn't match the hostname, meaning your users will have to acknowledge it every time.
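
The script below is an added example, not part of the original FAQ: it runs the self-signed steps non-interactively and then checks, before Apache is restarted, that the CSR and certificate really belong to the key and that the common name is the server's hostname. The function names are my own, -subj replaces the interactive questions, and it uses a 2048-bit key instead of the 1024 shown above because current CAs and browsers no longer accept 1024-bit RSA keys.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; only standard openssl
# subcommands are used.

# Print the PEM public key held in a private key, CSR or certificate.
pubkey_of() {   # usage: pubkey_of key|csr|crt FILE
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        *)   return 2 ;;
    esac 2>/dev/null
}

# Succeed only if the CSR or certificate was built from the given key.
matches_key() {   # usage: matches_key KEYFILE csr|crt FILE
    k=$(pubkey_of key "$1") || return 1
    o=$(pubkey_of "$2" "$3") || return 1
    [ -n "$k" ] && [ "$k" = "$o" ]
}

# Print the common name stored in a certificate's subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Key, CSR and self-signed certificate for SERVERNAME, written to OUTDIR.
# The subshell keeps the restrictive umask (key readable by owner only)
# from leaking into the caller.
make_self_signed() {   # usage: make_self_signed SERVERNAME OUTDIR
    (
        umask 077
        openssl genrsa -out "$2/$1.key" 2048 2>/dev/null &&
        openssl req -new -key "$2/$1.key" -subj "/CN=$1" -out "$2/$1.csr" &&
        openssl req -new -key "$2/$1.key" -subj "/CN=$1" -x509 -out "$2/$1.crt"
    )
}

# Constructed demo in a scratch directory, using the FAQ's example hostname.
name=sourceforge.mycompany.com
demo_dir=$(mktemp -d)
if make_self_signed "$name" "$demo_dir" &&
   matches_key "$demo_dir/$name.key" crt "$demo_dir/$name.crt"; then
    echo "key and certificate match, CN=$(cert_cn "$demo_dir/$name.crt")"
fi
rm -rf "$demo_dir"
```

For a CA-signed cert, run matches_key against the file the CA sends back before copying it into the location named in ssl.conf.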