Setup Apache Web Server with SSL


A good explanation in German is given at Server SSL-Zertifikate Erstellen.

See also: http://www.modssl.org/docs/2.8/ssl_faq.html#ToC28

Prepare the environment

Prepare a directory where all the files used in the certificate creation process will be put:

[root@host] ~ # mkdir /root/cert
[root@host] ~ # cd /root/cert

Create a Certificate Authority (CA)

If you don't want to spend a lot of money to get your server certificate signed by a generally accepted Certification Authority (CA) like Verisign, you can create your own CA and sign your server certificate with it:

Create a self-signed CA certificate (X.509 structure) with an RSA key:

[root@host] ~/cert # openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 3650

Back up the cakey.pem file to a secure location and remember the pass-phrase you entered for it.

Create a Server Key and the Certificate Signing Request (CSR) from it

Create a 2048 bit RSA private key (AES-128 encrypted and PEM formatted; the validity period belongs to the certificate, not the key, so genrsa takes no -days option):

[root@host] ~/cert # openssl genrsa -aes128 -out serverkey.pem 2048

When asked, enter an arbitrary pass-phrase. As the web server usually needs to load the private key without user interaction, the encryption must be removed again:

[root@host] ~/cert # openssl rsa -in serverkey.pem -out serverkey.pem

Create a Certificate Signing Request (CSR):

[root@host] ~/cert # openssl req -new -key serverkey.pem -out servercsr.pem -nodes

Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", e.g. when you generate a CSR for a website which will later be accessed via https://www.foo.dom/, enter "www.foo.dom" here. The other fields may be left empty.

Sign the CSR

As the "openssl ca" command needs input from the OpenSSL config file, you either need to adapt /etc/ssl/openssl.cnf and issue the command:

[root@host] ~/cert # openssl ca -in servercsr.pem -notext -out servercert.pem

The important entries in /etc/ssl/openssl.cnf are in section [ CA_default ]:

dir = .                         # Where everything is kept
new_certs_dir = $dir            # default place for new certs
certificate = $dir/cacert.pem   # The CA certificate
private_key = $dir/cakey.pem    # The private key
database = $dir/index.txt       # database index file ("openssl ca" needs it; create it empty with touch)
serial = $dir/serial            # current serial number (put e.g. "01" into it before the first signing)
RANDFILE = $dir/.rand           # private random number file
default_days = 3650             # how long to certify for

Another way to do the signing is to use the (adapted) sign.sh script from the mod_ssl project. It creates an OpenSSL config file on the fly and uses it for the openssl ca command (adapt the script to your needs first):

[root@host] ~/cert # ./sign.sh servercsr.pem

Now you should have a signed server certificate in the servercert.pem file.

Configure Apache to use SSL

(This needs rework because a lot of things with apache in SuSE have changed.)

With SuSE you may simply set the variable HTTPD_SEC_MOD_SSL to "yes" in /etc/sysconfig/apache2 and run

[root@host] ~ # SuSEconfig --module apache
[root@host] ~ # rcapache restart

To automatically start apache on system start up, the private key should be available unencrypted. Take care that the unencrypted private key file is only readable by root.

The following is valid at least for Apache2 on openSUSE 10.3 and 11.0.

Apache2 in openSUSE 10.3 and 11.0 does not use mod_ssl anymore (but Apache_SSL?).
The relevant variables in /etc/sysconfig/apache2 are:

APACHE_SERVER_FLAGS="SSL"

Of course the SSL module must be in the list of modules to load:

APACHE_MODULES="ssl"

No need to run SuSEconfig anymore; all work is done by the apache2 start script /etc/init.d/apache2.

Install the certificate files into Apache configuration

  • Move away /etc/apache2/ssl.*:
    [root@host] ~ # mkdir /etc/apache2/ssl.orig
    [root@host] ~ # mv /etc/apache2/ssl.* /etc/apache2/ssl.orig
  • Create the directory for the certificates for apache:
    [root@host] ~ # mkdir /etc/apache2/ssl
  • Move the created serverkey.pem file to /etc/apache2/ssl (it must be readable by root only).
  • Move the created servercert.pem file to /etc/apache2/ssl.
  • Add the cacert.pem file to /etc/apache2/ssl.

Set up the virtual hosts for your secure content:

  • Create document roots:
    • /srv/www/htdocs for unencrypted content on port 80 (usually already there).
    • /srv/www/https for secured content on port 443.
  • Create in /etc/apache2/vhost.d:
    • http_default.conf (use /etc/apache2/vhost.d/vhost.template as a template):

      <VirtualHost _default_:80>
          DocumentRoot "/srv/www/htdocs"
          ServerName www.foo.dom
          <Directory "/srv/www/htdocs">
              Options None
              AllowOverride None
              Order allow,deny
              Allow from all
          </Directory>
      </VirtualHost>

    • https_default.conf (use /etc/apache2/vhost.d/vhost-ssl.template as a template):

      <VirtualHost _default_:443>
          DocumentRoot "/srv/www/https"
          ServerName www.foo.dom:443
          SSLEngine on
          # the files installed into /etc/apache2/ssl above
          SSLCertificateFile /etc/apache2/ssl/servercert.pem
          SSLCertificateKeyFile /etc/apache2/ssl/serverkey.pem
          SSLCACertificateFile /etc/apache2/ssl/cacert.pem
          <Directory "/srv/www/https">
              Options None
              AllowOverride None
              Order allow,deny
              Allow from all
          </Directory>
      </VirtualHost>

  • Change /etc/apache2/default-server.conf appropriately.
  • Issue the command:
    [root@host] ~ # rcapache2 reload
This site maintained by:
lukas.zimmermann@unibas.ch
last updated: 2008-09-29