The aim of this HowTo is to setup SSL with a self signed certificate on appWeb.
The instructions are mostly copied from EnableHTTPSforApache (which is what I followed), but with slight modifications for appWeb.
It is based on version 2.1.0-1; first step may not apply to future/past versions.
First Step: Check appWeb is working
Use a web browser to navigate to
http://<slug(approve sites) ip>:7777/index.html (presuming you haven't changed default ports)
If that succeeds, change the url to
https://<slug(approve sites) ip>:4443/index.html
The https url should generate some errors (such as certificate being for localhost, certificate expired); ignore these, clicking accept, etc.
Once/if the page loads, check your browser to see if it gets encrypted properly (firefox: look in the address bar, there should be a padlock symbol)
If this step fails, check in /opt/var/appWeb/ if there is a server.crt file and a server.key.pem file. If not, go on to next step, as we will create them. If those files are there, there may be a config problem with appweb.
Step 2: Server Key
The following steps can be performed on the slug, or on a linux computer (much faster).
Create a directory to work in:
$ mkdir sslstuff
$ cd sslstuff
and your server key:
$ openssl genrsa -des3 -out server.key 1024
$ mv server.key server.key.orig
$ openssl rsa -in server.key.orig -out server.key
Now, prepare a certificate signing request (CSR):
$ openssl req -new -key server.key -out server.csr
Important: you will be asked for the CommonName?. Enter your web servers name, i.e. www.example.com.
Step 3: Certificate Authority
Generate the key for the CA:
$ openssl genrsa -des3 -out ca.key 1024
and generate a self signed certificate for it:
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Step 4: Sign Server Key
You should use the script that is shipped with mod_ssl. For your convenience the script can be found at the end of this page.
$ ./sign.sh server.csr
You should be asked both these questions; if not, something has gone wrong:
Sign the certificate? [y/n]:
1 out of 1 certificate requests certified, commit? [y/n]
Answer yes to both, and you should see:
CA verifying: server.crt <-> CA cert
Unless something has gone wrong.
Copy server.crt and server.key to /opt/var/appWeb/ (backup the original server.crt and server.key.pem if you wish or are prone to stuffups)
$ cp server.crt /opt/var/appWeb/
$ cp server.key /opt/var/appWeb/
Now all that remains is a slight modification to /opt/var/appWeb/appWeb.conf
Find this block of text near the end of the file:
# WARNING: we are using the decrypted key here so it won't prompt for the
# password. Replace with server.key for higher security
Replace the SSLCertificateKeyFile? line with this one:
Save the appWeb.conf and restart appWeb:
Step 6: Check it all works
Go back to
https://<slug(approve sites) ip>:4443/index.html (or the common name used, if it's an private network one, e.g 'slug')
This time, you should get an error about the certificate being for <CommonName?>, continue anyway, then it will say the certificate isn't signed by a trusted provider, it's only for private use, so this doesn't matter.
Everything should be working now.
This script has broadly been incorporated in the script above, although the script above does not attempt to varify the signing since it is problematic on the NSLU2.
## sign.sh -- Sign a SSL Certificate Request (CSR)
## Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.
# argument line handling
if [ $# -ne 1 ]; then
echo "Usage: sign.sign <whatever>.csr"; exit 1
if [ ! -f $CSR ]; then
echo "CSR not found: $CSR"; exit 1
case $CSR in
*.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
* ) CERT="$CSR.crt" ;;
# make sure environment exists
if [ ! -d ca.db.certs ]; then
if [ ! -f ca.db.serial ]; then
echo '01' >ca.db.serial
if [ ! -f ca.db.index ]; then
cp /dev/null ca.db.index
# create an own SSLeay config
cat >ca.config <<EOT
[ ca ]
default_ca = CA_own
[ CA_own ]
dir = .
certs = \$dir
new_certs_dir = \$dir/ca.db.certs
database = \$dir/ca.db.index
serial = \$dir/ca.db.serial
RANDFILE = \$dir/ca.db.rand
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
unique_subject = no
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ca.crt $CERT
# cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old
# die gracefully