If you want free SSL certificates you might consider cacert.org, a community CA whose issuance is based on a web of trust among its members. Sadly its root is not shipped as a trusted entity by most browsers, so visitors will see a certificate warning unless they have installed the root themselves; hopefully that will change soon. Here are the steps that should get you going:
- Make sure you have the certs directory as per the nsopenssl instructions. Change into this directory.
- To generate the private key and the certificate signing request (CSR) in one step use this command:
openssl req -nodes -new -newkey rsa:2048 -keyout keyfile.pem -out server.csr
-nodes writes keyfile.pem unencrypted so the server can start without a passphrase prompt; keep that file readable only by the user AOLServer runs as.
- Copy the contents of server.csr into the text area when creating a new server certificate at CAcert.org. Check that the Common Name you entered when the CSR was generated is the hostname your users will type; a mismatch produces a browser warning even with a trusted root.
- Create a new file certfile.pem and store in it the certificate CAcert.org gives you.
- Then follow the rest of the installation instructions on how to use nsopenssl.
Once you are done, you might want to install the CAcert root certificate into all the browsers you use and recommend it to your clients as well. To achieve this, go (and direct your users) to
http://www.cacert.org/certs/root.crt
That URL is served over plain HTTP, so compare the fingerprint of the downloaded root with the one CAcert publishes before trusting it; anyone able to tamper with that download could get a forged root installed in your browsers.
Alternatively, for testing you can create a self-signed certificate instead:
cd /www/yourserver/etc/certs
#Create the private key (2048 bits; 1024-bit RSA is no longer considered safe)
openssl genrsa -out keyfile.pem 2048
#Create a certificate request, as you would for a CA
openssl req -new -key keyfile.pem -out request.pem
#Self-sign the request, since we don't have a CA ourselves; browsers will warn about this certificate
openssl req -x509 -days 365 -key keyfile.pem -in request.pem -out certfile.pem
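The key, CSR and self-signed test certificate steps above, as an added shell example that is not part of the original page: it produces the same keyfile.pem, server.csr and certfile.pem names the page uses, locks the key file down, and then checks that the certificate really belongs to the key, which is the check to run again once the certificate CAcert issues replaces the self-signed one. It assumes openssl is on PATH; the directory and hostname arguments and the function names are placeholders of mine, not nsopenssl's.

```shell
#!/bin/sh
# Added example, not from the original page: make the key, the CSR for CAcert and a
# self-signed stand-in certificate, then check that key and certificate belong together.
# Assumes openssl is on PATH. Directory and hostname are caller-supplied placeholders.
set -eu

# Create keyfile.pem, server.csr and a self-signed certfile.pem in $1 for hostname $2.
make_server_files() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # 2048-bit RSA, written unencrypted (like -nodes), so lock the file down at once.
    openssl genrsa -out "$dir/keyfile.pem" 2048 2>/dev/null
    chmod 600 "$dir/keyfile.pem"
    # CSR whose CN is the site's hostname: this is what you paste into CAcert's form.
    openssl req -new -key "$dir/keyfile.pem" -subj "/CN=$host" -out "$dir/server.csr"
    # Self-signed certificate for testing until the CA-issued certfile.pem replaces it.
    openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/keyfile.pem" \
        -out "$dir/certfile.pem" 2>/dev/null
}

# Succeeds only if the certificate's public key was derived from the private key
# (same RSA modulus). Run it after dropping a CA-issued certfile.pem into place.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1")
    cert_mod=$(openssl x509 -noout -modulus -in "$2")
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

# Prints the subject CN of a certificate, to confirm it matches the server's hostname.
# Handles both "subject=CN = host" (OpenSSL 1.1+) and "subject= /CN=host" (older).
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# Usage:
#   make_server_files /www/yourserver/etc/certs www.example.org
#   key_matches_cert /www/yourserver/etc/certs/keyfile.pem /www/yourserver/etc/certs/certfile.pem
```

key_matches_cert is the check that catches the most common deployment mistake with a CA-issued certificate: pasting the certificate for a CSR made from a different key (for example one generated on another machine), which nsopenssl will only reject at startup.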
Your AOLServer configuration must be like this:
ns_param nsopenssl ${bindir}/nsopenssl.so
...
set httpsport 443
set max_file_upload_mb 20
set max_file_upload_min 5
#---------------------------------------------------------------------
# OpenSSL for Aolserver 4
#---------------------------------------------------------------------
# Note: we don't need SSL for the AOLServer as a server but as a client, thus we can
# disable SSL. Malte said there is a parameter for that. If that is not turned off the
# AOLServer will register pages that should only be served via SSL and restrict access
# to the admin area to SSL as well.
ns_section "ns/server/${server}/module/nsopenssl"
ns_param ServerPort $httpsport
ns_param maxinput [expr {$max_file_upload_mb * 1024 * 1024}] ;# Maximum File Size for uploads in bytes
ns_section "ns/server/${server}/module/nsopenssl/sslcontexts"
ns_param users "SSL context used for regular user access"
ns_param client "SSL context used for outgoing script socket connections"
ns_section "ns/server/${server}/module/nsopenssl/defaults"
ns_param server users
ns_param client client
ns_section "ns/server/${server}/module/nsopenssl/sslcontext/users"
ns_param Role server
ns_param ModuleDir ${serverroot}/etc/certs
ns_param CertFile certfile.pem ;# must match the file names created in the certs directory above
ns_param KeyFile keyfile.pem
ns_param Protocols "TLSv1" ;# "ALL" would also enable SSLv2 and SSLv3, both broken
ns_param CipherSuite "HIGH:!aNULL:!MD5:!RC4:!3DES" ;# no anonymous, export, RC4, DES or MD5 suites
ns_param PeerVerify false
ns_param PeerVerifyDepth 3
ns_param Trace false
ns_param SessionCache true
ns_param SessionCacheID 1
ns_param SessionCacheSize 512
ns_param SessionCacheTimeout 300
ns_section "ns/server/${server}/module/nsopenssl/sslcontext/client"
ns_param Role client
ns_param ModuleDir ${serverroot}/etc/certs
ns_param CertFile certfile.pem
ns_param KeyFile keyfile.pem
ns_param Protocols "TLSv1" ;# same reasoning as for the server context
ns_param CipherSuite "HIGH:!aNULL:!MD5:!RC4:!3DES"
ns_param PeerVerify false ;# false means outgoing connections never check the remote certificate; set true and point CAFile at a CA bundle for real verification
ns_param PeerVerifyDepth 3
ns_param Trace false
ns_param SessionCache true
ns_param SessionCacheID 1
ns_param SessionCacheSize 512
ns_param SessionCacheTimeout 300
ns_section "ns/server/${server}/module/nsopenssl/ssldrivers"
ns_param users "Driver for regular user access"
ns_section "ns/server/${server}/module/nsopenssl/ssldriver/users"
ns_param sslcontext users
ns_param port $httpsport
ns_param hostname $hostname
ns_param address $address
ns_param maxinput [expr {$max_file_upload_mb * 1024 * 1024}] ;# in bytes
ns_param recvwait [expr {$max_file_upload_min * 60}] ;# in seconds (the variable is in minutes)
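To see which suites a CipherSuite string actually admits, here is an added shell example that is not from the original page or from nsopenssl: it runs the string through openssl ciphers and flags the weak ones. nsopenssl hands the string to OpenSSL unchanged, so this is what the server will offer, provided the openssl binary you run is the same OpenSSL version nsopenssl is linked against. It assumes openssl is on PATH; the PAGE_CIPHERS and HARDENED_CIPHERS names and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original page: show which cipher suites an nsopenssl
# CipherSuite string admits and flag the weak ones. Assumes openssl is on PATH and
# is the same OpenSSL version nsopenssl was built against.
set -eu

# Fails if OpenSSL cannot parse the string or it matches no compiled-in suite.
cipher_string_valid() {
    openssl ciphers "$1" >/dev/null 2>&1
}

# Prints the suites from "openssl ciphers -v" that no server should offer: anonymous
# (Au=None), unencrypted (Enc=None), RC4, single or triple DES, MD5 MACs, export grade.
weak_ciphers() {
    openssl ciphers -v "$1" 2>/dev/null \
        | grep -E 'Au=None|Enc=None|Enc=RC4|Enc=DES|Enc=3DES|Mac=MD5|export' || true
}

# Succeeds only for a string that parses and admits no weak suite.
cipher_string_is_clean() {
    cipher_string_valid "$1" && [ -z "$(weak_ciphers "$1")" ]
}

# Number of suites a string enables, to confirm a hardened list is not empty.
cipher_count() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | grep -c . || true
}

# The page's original string beside a hardened replacement for the config above.
PAGE_CIPHERS='ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
HARDENED_CIPHERS='HIGH:!aNULL:!MD5:!RC4:!3DES'

# Usage:
#   weak_ciphers "$PAGE_CIPHERS"            # lists every weak suite the old string admits
#   cipher_string_is_clean "$HARDENED_CIPHERS" && echo clean
#   cipher_count "$HARDENED_CIPHERS"        # how many suites remain
```

Run weak_ciphers on a candidate string before putting it into the config: an empty result from a string that also passes cipher_string_valid is the only outcome worth deploying, since a string that matches nothing makes nsopenssl fail every handshake rather than fall back to defaults.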
