Configuring Apache SSL

April 10, 2011

Apache is the most widely used web server today. You have probably configured Apache many times, but what about configuring it with SSL, i.e. having Apache serve over the HTTPS protocol? I assume you have already configured a basic Apache server and enabled the SSL module; if not, please refer to my previous post on Configuring Apache Web server.

This post is an extremely simplified step-by-step guide to configuring SSL in Apache using a self-signed certificate. You can also use a real certificate issued by a CA if you have one.

Prerequisites
1) Apache with SSL module enabled
2) openssl installed

Step 1) Generate a Private Key
We will use the openssl toolkit to generate an RSA private key and a Certificate Signing Request. The private key comes first.

The command below creates a 1024-bit key and encrypts it with 3DES under a passphrase.

abhishek@kashipur.in:~$ openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
………………….++++++
……………………..++++++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

Step 2) Generate a CSR (Certificate Signing Request)
Once the key is generated you need to create a CSR (Certificate Signing Request). The following command generates one; during the process you are asked to enter various parameters, as shown below.

abhishek@kashipur.in:~$ openssl req -new -key server.key -out server.csr

Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:UK
Locality Name (eg, city) []:Kashipur
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Kashipur Networks
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:kashipur.net
Email Address []:abhishek at kashipur dot net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 3) Remove Pass phrase from Key
This step is optional. If you skip it, you will have to go to the server and enter the passphrase every time it restarts 🙂. Use the following commands to get rid of this problem. They write an unencrypted copy of the key to server.key and keep the passphrase-protected original as server.key.org.

abhishek@kashipur.in:~$ cp server.key server.key.org
abhishek@kashipur.in:~$ openssl rsa -in server.key.org -out server.key

Enter pass phrase for server.key.org:
writing RSA key

Step 4) Generating a Self-Signed Certificate
Once you have your key and CSR ready, it's time to generate the certificate. Use the following command.

abhishek@kashipur.in:~$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=IN/ST=UK/L=Kashipur/O=Kashipur Networks/CN=kashipur.net/emailAddress=abhishek at kashipur dot net
Getting Private key

Step 5) Copy Certificate and Key to Apache Folder
After following the steps listed above you would have the following files generated.

abhishek@kashipur.in:~$ ls -l
-rw-r--r-- 1 abhishek abhishek 952 2009-06-12 14:30 server.crt
-rw-r--r-- 1 abhishek abhishek 704 2009-06-12 14:27 server.csr
-rw-r--r-- 1 abhishek abhishek 887 2009-06-12 14:29 server.key
-rw-r--r-- 1 abhishek abhishek 963 2009-06-12 14:28 server.key.org

Copy the crt and key files to a suitable location inside the Apache configuration folder, generally /etc/apache2/cert, using the following command.

abhishek@kashipur.in:~$ cp server.crt server.key /etc/apache2/cert

Step 6) Configure Apache with SSL
Once you have your Certificate and Key copied, modify your httpd.conf to reflect the following.

SSLEngine on
SSLCertificateFile /etc/apache2/cert/server.crt
SSLCertificateKeyFile /etc/apache2/cert/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Ensure Apache is listening on port 443; if not, add the Listen directive. After making these changes, it is advisable to verify the configuration file using the following command.

abhishek@kashipur.in:~$ apache2ctl configtest
Syntax OK

Once you see Syntax OK you are ready to use https.

Step 7) Restart Apache and test
To apply the changed configuration you need to restart Apache, which can be done using the following command.

root@kashipur.in:~# service apache2 restart
or
root@kashipur.in:~# service httpd restart (in many cases)

Once Apache has restarted, test it by opening the site with https:// at the start of the URL.
Happy HTTPS 🙂
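
Steps 1 to 4 as a non-interactive script, followed by checks worth running on the key and certificate before Apache is pointed at them. This is an added example, not the author's code: the function names, the subject fields, the temporary directory and the 2048-bit key size (the post uses 1024) are assumptions.

```shell
#!/bin/sh
# Added example: function names, subject fields and paths are constructed.

# make_cert DIR CN: Steps 1-4 without prompts (key, CSR, self-signed cert).
make_cert() {
    dir=$1; cn=$2
    # Assumption: 2048-bit key (the post uses 1024), written without a
    # passphrase, which is the state server.key is in after Step 3.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    chmod 600 "$dir/server.key"
    openssl req -new -batch -key "$dir/server.key" \
        -subj "/C=IN/O=Example Org/CN=$cn" -out "$dir/server.csr" || return 1
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# True when the certificate carries the public half of the private key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when only the owner can read the key (mode 0600 or 0400).
key_is_private() {
    case $(ls -ld "$1" | cut -c1-10) in
        -r[w-]-------) return 0 ;;
        *) return 1 ;;
    esac
}

# check_pair KEY CRT: prints "ok", or the first problem found.
check_pair() {
    key_matches_cert "$1" "$2" || { echo "key and certificate do not match"; return 1; }
    key_is_private "$1" || { echo "key mode is not 0600 or 0400"; return 2; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired"; return 3; }
    echo "ok"
}

# Demo in a throw-away directory; nothing under /etc is touched.
tmp=$(mktemp -d) && make_cert "$tmp" www.example.test &&
    check_pair "$tmp/server.key" "$tmp/server.crt"
rm -rf "$tmp"
```

The same check_pair call can be pointed at the copies in /etc/apache2/cert after Step 5.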

Abhishek Nagar
abhishek@chmag.in
http://abhishek.nagar.me/
