This is how to set up an SSL certificate on your server and get it running, using DirectAdmin on Debian GNU/Linux.
All of the following tasks are done as root, from the command line:
cd /usr/local/directadmin/conf
Create a private key:
openssl genrsa -out cakey.pem 4096
Generate a certificate request from that key:
openssl req -key cakey.pem -new
Answer the questions as follows (hit Enter after each answer):
- Country Code: (see: https://www.iso.org/obp/ui/#search)
- State or Province: I put the province I live in
- Locality name: I put the city I live in
- Organization Name: I put a dot (period) which leaves the entry blank
- Organizational Unit: I put a dot
- Common Name: I put the fully qualified name of my server.
- Email Address: I put my email address
- challenge password: I left this blank
- optional company name: I left this blank
This generates a certificate request, and displays it on the screen. Copy and paste it into the Server Certificates – New form.
CACert will then generate a certificate. Copy and paste it into a file on the server, in /usr/local/directadmin/conf
Save the certificate as a file in that directory called myserver.crt
Next, download the intermediate certificate from CACert and save it in the same directory (/etc/apache2/ssl). Also, download the CACert Class 1 certificate and save it in the same directory.
Combine the secret key, your server’s certificate, and the intermediate and root certificates into one file:
cat cakey.pem myserver.crt class3.crt root.crt > cacert.pem
Change the permissions so nobody else can read the pem files:
chmod 600 cacert.pem
chmod 600 cakey.pem
Also change the owner of the files:
chown diradmin:diradmin cacert.pem
chown diradmin:diradmin cakey.pem
chown diradmin:diradmin carootcert.pem
Edit /usr/local/directadmin/conf/directadmin.conf and set SSL=1 (default is 0). This tells DA to load the certificate and key and to use an SSL connection. Ensure your directadmin.conf has these values set:
cacert=/usr/local/directadmin/conf/cacert.pem
cakey=/usr/local/directadmin/conf/cakey.pem
These paths can be changed as needed.
DirectAdmin needs to be restarted after any changes to the directadmin.conf.
If you also have a CA Root Certificate, this can be specified by adding:
carootcert=/usr/local/directadmin/conf/carootcert.pem
to the /usr/local/directadmin/conf/directadmin.conf file (won’t exist by default) and by pasting the contents of the CA root certificate into the carootcert.pem file.
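Before restarting DirectAdmin, it helps to confirm that the certificate CACert issued actually belongs to cakey.pem and that the key files kept the 600 mode set above. The script below is an added example, not part of the original guide: the function names are illustrative, the file names are the ones used above, and it assumes the openssl command-line tool and GNU stat (as on Debian).

```shell
#!/bin/sh
# Added example: sanity checks for the files created in this guide.
# Function names are illustrative; file names are the ones used above.
# Assumes the openssl CLI and GNU stat (standard on Debian).

# Print a SHA-256 of the public key in a private key ("key") or in the
# first certificate of a file ("cert"). Fails if the file cannot be parsed,
# so two unreadable files never compare as equal.
pub_hash() {
    case "$1" in
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 1 ;;
    esac
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# Succeed only if the file mode is exactly 600 (owner read/write only).
mode_is_600() {
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = "600" ]
}

# Check one directory: returns 0 if all is well, 1 on a key/certificate
# mismatch or loose permissions, 2 if the key or certificate cannot be read.
check_da_tls() {
    dir=$1
    rc=0
    k=$(pub_hash key "$dir/cakey.pem") || { echo "cannot parse cakey.pem"; return 2; }
    c=$(pub_hash cert "$dir/myserver.crt") || { echo "cannot parse myserver.crt"; return 2; }
    if [ "$k" != "$c" ]; then
        echo "MISMATCH: myserver.crt was not issued for cakey.pem"
        rc=1
    fi
    for f in cakey.pem cacert.pem; do
        mode_is_600 "$dir/$f" || { echo "WARN: $dir/$f is not mode 600"; rc=1; }
    done
    return "$rc"
}

# Run against a directory given on the command line, e.g.
#   sh check_da_tls.sh /usr/local/directadmin/conf
if [ "$#" -gt 0 ]; then
    check_da_tls "$1"
fi
```

A non-zero exit status means the combined cacert.pem should be rebuilt or the permissions fixed before SSL=1 is enabled.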