Create or Generate an ISPConfig SSL Certificate

How to Create or Generate an ISPConfig SSL Certificate

This article describes how to install, create or generate the ISPConfig SSL Certificate which secures the ISPConfig 3 control panel. There are two ways in which this can be done:

  • Create a new self-signed OpenSSL Certificate on the command line using OpenSSL or
  • Renew the ISPConfig SSL Certificate with the ISPConfig updater

1. Create a new self-signed OpenSSL Certificate on the command line using OpenSSL

  • Change the permissions to secure the file:
    root@jessie:~# chmod 600 /root/ispconfig_sslcert_backup.tar.gz
  • backup the current SSL Certs in case of the need to roll back:
    root@jessie:~# tar pcfz /root/ispconfig_sslcert_backup.tar.gz /usr/local/ispconfig/interface/ssl
  • login to your server on the shell as root user
  • Create a new SSL Certificate Request (csr) , Certificate key and a self-signed Certificate:
    root@jessie:~# cd /usr/local/ispconfig/interface/ssl
    root@jessie:~# openssl genrsa -des3 -out ispserver.key 4096
    root@jessie:~# openssl req -new -key ispserver.key -out ispserver.csr
    root@jessie:~# openssl x509 -req -days 3650 -in ispserver.csr -signkey ispserver.key -out ispserver.crt
    root@jessie:~# openssl rsa -in ispserver.key -out ispserver.key.insecure
    root@jessie:~# mv ispserver.key
    root@jessie:~# mv ispserver.key.insecure ispserver.key
  • Restart Apache to load the new SSL Certificate.
    root@jessie:~# service apache2 restart

2) Renew the ISPConfig SSL Certificate Using the Installer Script

The second way to install a new SSL Certificate is to use the script:

  • download ISPConfig to the /tmp folder, unpack the archive and start the update script:
    root@jessie:~# cd /tmp
    root@jessie:~# wget
    root@jessie:~# tar xvfz ISPConfig-3-stable.tar.gz
    root@jessie:~# cd ispconfig3_install/install
    root@jessie:~# php -q update.php
  • Answer “yes” to the following prompt during the update:
    Create new ISPConfig SSL certificate (yes,no) [no]:

    and the SSL Certificate creation dialog will start.

Optional: Make the ISPConfig certificate available to other applications which may require it:

If you are going to extend the ISPConfig with other plugins which will require the ISPConfig certificate e.g. roundcube then you should also complete the following steps:

  1. Copy the new certificate into the Debian SSL repository:
    root@jessie:~# cp /usr/local/ispconfig/interface/ssl/ispserver.crt /usr/local/share/ca-certificates/
  2. Update the ca certificate store:
    root@jessie:~# update-ca-certificates
  3. Edit the /etc/php5/apache2/php.ini file, locate the [openssl] section and add the following line:
  4. Restart Apache:
    service apache2 restart