Wonderful tutorial, thank you all! It was great for a noob like me, so here's my small contribution:
SSL, installing a signed cert from a CA (e.g. from GoDaddy, which I used, and requires a 2048-bit CSR).
The openssl optware build lacks a full command set, so to generate .key and .csr files directly on your trusty optware box, use this command:
openssl req -config /opt/share/openssl/openssl.cnf -new -newkey rsa:2048 -nodes -keyout www.mydomain.com.key -out www.mydomain.com.csr Or, if you want to skip the interactive fun:
openssl req -config /opt/share/openssl/openssl.cnf -new -newkey rsa:2048 -nodes -subj '/CN=www.mydomain.com/O=My Company Inc/C=US/ST=Florida/L=Miami' -keyout www.mydomain.com.key -out www.mydomain.com.csr Next, you'll use the .csr file to generate a certificate (.crt) from your CA. In my case, I used GoDaddy, and after selecting to issue a certificate for Apache, a quick cut-and-paste of the www.mydomain.com.csr contents, I received two files:
www.mydomain.com.crt
gd_bundle.crt
With other CAs, you may only receive the www.mydomain.com.crt file, and if so, ignore the lines referencing gd_bundle.crt below. Now, lighttpd wants a single .pem file, so you need to concatenate the key file and the certificate file as follows:
cat www.mydomain.com.key www.mydomain.com.crt > www.mydomain.com.pem You only need to keep the .pem (and second .crt, if you received one), and stuck them in /opt/etc/lighttpd/certs. And, then, of course:
chmod 400 *.pem *.crt Last, but not least, edit /opt/etc/lighttpd/lighttpd.conf as follows. Again, omit the line with gd_bundle.crt if not applicable to your CA.
$SERVER["socket"] == ":443" { ssl.engine = "enable" ssl.pemfile = "/opt/etc/lighttpd/certs/www.mydomain.com.pem" ssl.ca-file = "/opt/etc/lighttpd/certs/gd_bundle.crt" server.name = "www.mydomain.com" } Et voila, you are done!
Incidentally, for a neat little PHP-based file manager, I set up eXtporer and it works like a bomb on my Asus RT-N16: