Namecheap SSL certificate for Sysadminman VPS

A sysadminman template VPS comes already setup to use SSL (https) for web connections to a2billing and FreePBX. However, this is using a locally signed ssl certificate so you will receive a certificate warning when accessing your VPS. This is no less secure but can create a poor impression depending who will be accessing the site.

It’s relatively straight forward and inexpensive to get yourself a valid, externally signed, certificate.

The sysadminman template uses lighttpd as the web server so you need to follow these instructions –

Log in to your VPS as root:

Next create a folder to store the keys and then create the key. Make sure to replace the server name with the DNS name of your server. This must match the name that people will use to browse to your webserver/website. You will need to enter a password for the key at this point but we will remove it or it will need to be entered every time the webserver starts.

[[email protected] /]# mkdir -p /etc/lighttpd/ssl
[[email protected] /]# cd /etc/lighttpd/ssl
[[email protected] ssl]#
[[email protected] ssl]# openssl genrsa -des3 -out 2048
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for
Verifying - Enter pass phrase for
[[email protected] ssl]#
[[email protected] ssl]# openssl rsa -in -out
Enter pass phrase for
writing RSA key

Next generate the Certificate Signing Request (CSR). Be very careful when entering he hostname. This must match the name of your a2billing/FreePBX website. You can leave the password blank.

[[email protected] ssl]# openssl req -new -key -out
You are about to be asked to enter information that will be incorporated
in to your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:Leics
Locality Name (eg, city) [Newbury]:Leicester
Organization Name (eg, company) [My Company Ltd]:sysadminman
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Now print the CSR and copy it

[[email protected] ssl]# cat

Now order your SSL certificate from – Select Apache + OpenSSL and paste the CSR text from earlier.

Complete the order process. You will be required to accept an e-mail to a predefined address. This must be a valid address as you will receive an order confirmation e-mail which you must acknowledge.

You will ultimately receive a zip file containing your certificate. You want the text from the file with your server name ending in .crt.

Create a file on the server called yoursername.crt and paste in the contents of the crt file

[[email protected] ssl]# vi
[[email protected] ssl]# cat

Next combine the key and certificate to create a single .pem file.

[[email protected] ssl]# cat >
[[email protected] ssl]# chmod 600

Now edit the lighttpd config file. Locate the reference to the existing .pem file and change it to your new .pem file

[[email protected] ssl]# cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.backup
[[email protected] ssl]# vi /etc/lighttpd/lighttpd.conf

#### SSL engine
ssl.engine                 = "enable"
ssl.pemfile                = "/etc/lighttpd/ssl/"

Now restart lighttpd and ensure it starts backup correctly

[[email protected] ssl]# service lighttpd restart
Stopping lighttpd:                                         [  OK  ]
Starting lighttpd:                                         [  OK  ]