Apache SSL
This is a quick howto on enabling SSL (Secure Sockets Layer) support in Apache for virtual hosts. Let’s say that we want to enable SSL on a virtual host served by Apache, test.yourdomain.org. Normally you access this subdomain at http://test.yourdomain.org on port 80; we are now going to configure the server to serve it with SSL support at https://test.yourdomain.org on port 443.
RSA Private Key
The first step is to generate your RSA private key; it is a 1024-bit key.
openssl genrsa -des3 -out server.key 1024
You will be prompted for a pass-phrase; make sure it is secure and that you don’t forget it.
RSA For Apache
Because the private RSA key is protected by a pass-phrase, Apache will ask you for it each time it starts. To avoid this, you can keep a copy of your RSA private key with the pass-phrase removed, readable only by root.
openssl rsa -in server.key -out server.pem
chmod 0400 server.pem
Certificate Signing Request
Now we need to generate our CSR (Certificate Signing Request). Usually this is a request that you send to a Certificate Authority so that they verify and sign it; in our example we will sign it ourselves.
Generate the CSR
openssl req -new -key server.key -out server.csr
You will be asked for several pieces of information. The important one in our case is the Common Name: make sure you enter your sub-domain there:
Common Name (eg, YOUR name) []:test.yourdomain.org
Sign the CSR
Now sign the CSR yourself with the following command:
openssl x509 -req -days 60 -in server.csr -signkey server.key -out server.crt
-days is how many days the certificate will be valid.
Configure Apache
We suppose that you’ve put all the above generated files in /etc/ssl/local/apache (doesn’t matter, you choose).
Edit your Apache main configuration file (its name and location depend on the distribution that you are using) and add:
Listen 443
Usually the same file also contains Listen 80; you can keep it if you are planning to serve secure and non-secure virtual hosts from the same Apache web server.
Now edit the virtual host configuration file for test.yourdomain.org and change the port to 443:
.....
If you want to serve your sub-domain in both secure and non-secure mode, you can keep the port 80 configuration for this sub-domain: just copy it and change the port to 443 in the copy. Yes, you can have both.
Now add the following lines (to your port 443 virtual host block):
SSLEngine on
SSLCertificateFile /etc/ssl/local/apache/server.crt
SSLCertificateKeyFile /etc/ssl/local/apache/server.pem
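A check you can run before restarting Apache, added here as an example and not part of the original howto: it verifies that the configuration has Listen 443 and a port 443 virtual host with the three SSL directives, and that the key file Apache reads is the owner-only, pass-phrase-free copy. The function names, the `<VirtualHost *:443>` sample configuration and the placeholder key file are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

def audit_key_file(path):
    """Check the key copy Apache reads: owner-only mode and no pass-phrase."""
    try:
        mode = Path(path).stat().st_mode & 0o777
        pem = Path(path).read_text(errors="replace")
    except OSError as exc:
        return [f"key file unreadable: {exc.strerror}"]
    findings = []
    if mode & 0o077:  # any group/other bit is broader than chmod 0400
        findings.append(f"key file mode {mode:04o} is accessible beyond its owner")
    # Encrypted PEM: traditional "Proc-Type" header or PKCS#8 "ENCRYPTED" label.
    if re.search(r"^(Proc-Type:.*ENCRYPTED|-----BEGIN ENCRYPTED)", pem, re.M):
        findings.append("key file is pass-phrase protected; Apache will prompt at start")
    return findings

def audit_ssl_vhost(conf_text):
    """Return findings for the first :443 <VirtualHost> block in conf_text."""
    findings = []
    if not re.search(r"^\s*Listen\s+(\S+:)?443\b", conf_text, re.M | re.I):
        findings.append("no 'Listen 443' directive")
    block = re.search(r"<VirtualHost\s+[^>]*:443>(.*?)</VirtualHost>", conf_text, re.S | re.I)
    if not block:
        return findings + ["no <VirtualHost ...:443> block"]
    directives = {}  # lower-cased directive name -> argument string
    for line in block.group(1).splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            directives[parts[0].lower()] = parts[1].strip().strip('"')
    if directives.get("sslengine", "").lower() != "on":
        findings.append("SSLEngine is not on")
    for name in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if name.lower() not in directives:
            findings.append(f"{name} missing")
    if "sslcertificatekeyfile" in directives:
        findings += audit_key_file(directives["sslcertificatekeyfile"])
    return findings

def demo():
    """Audit a constructed config whose key copy is still encrypted and mode 0644."""
    key = Path(tempfile.mkdtemp()) / "server.pem"
    key.write_text("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n")  # placeholder, not a real key
    key.chmod(0o644)
    conf = ("Listen 443\n<VirtualHost *:443>\nSSLEngine on\nSSLCertificateFile "
            f"{key.with_suffix('.crt')}\nSSLCertificateKeyFile {key}\n</VirtualHost>\n")
    return audit_ssl_vhost(conf)
```

An empty list from audit_ssl_vhost means the checks passed; pass it the concatenated text of your main configuration file and the virtual host file.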
Testing
Restart your Apache server, then type test.yourdomain.org in a browser.
Most likely Firefox will show you a certificate warning.
This is because Firefox failed to verify your certificate: it is signed by you and not by a known CA (Certificate Authority).
You can then add a security exception (do you understand now why you get this warning message for some sites?).

