====== ssl for Apache ======
===== setup (apache 2.2.x) =====
See the setup section below, but understand that newer apache's break out the virtual host and ssl settings into conf/extras/httpd-* files. You may also be running apache as a service in windows, so the startup commands do not apply. To run ssl for multiple domains using name based virtual hosts, understand that they will all use the same certificate, which is why we make a wildcard certificate in the example. Apache will log a warning about this:
[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
To avoid seeing the warning, you can change the LogLevel parameter in httpd.conf to somethiing other than "warn".
===== setup (apache 2.0.63) =====
- setup Apache2 as usual (make sure to get the version with SSL support)
- in httpd.conf, comment out Port 80, and use Listen lines instead
#Port 80
Listen 80
Listen 443
- make certs and keys (see appropriate sections below)
- in httpd.conf, add ssl support by uncommenting this line:
LoadModule ssl_module modules/mod_ssl.so
- in httpd.conf, set up named based virtual hosts:
NameVirtualHost *:80
NameVirtualHost *:443
DocumentRoot "/path/to/my-server"
ServerName my-server
- tweak ssl.conf to have the following (probably best to remove the _default_ virtual host entry)
# see http://www.modssl.org/docs/2.8/ssl_reference.html for more info
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none
SSLLog logs/SSL.log
SSLLogLevel info
# You can later change "info" to "warn" if everything is OK
DocumentRoot "/path/to/my-server"
ServerName my-server
SSLEngine On
SSLCertificateFile conf/ssl/my-server.cert
SSLCertificateKeyFile conf/ssl/my-server.key
- Don't forget to call apache with -D SSL if the IfDefine directive is active in the config file! On Unix, it would look like this:
apachectl -D SSL -k start
===== make ssl key and certificate (cygwin method) =====
This example is on Windows 7, using a cygwin terminal, creating a wildcard certificate
- (this is making the request) the wildcard part is the asterisk when asked for the CN; enter something like 1234 for the password
openssl req -config /usr/ssl/openssl.cnf -new -out myname.local.csr
Generating a 1024 bit RSA private key
.......++++++
..............++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:AZ
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MYCOMPANY
Organizational Unit Name (eg, section) []:IS
Common Name (eg, YOUR name) []:*.myname.local
Email Address []:myname@mycompany.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- (this is making your private key) enter password as you created it above
openssl rsa -in privkey.pem -out myname.local.key
Enter pass phrase for privkey.pem:
writing RSA key
- (this is creating the self signed certificate)
openssl x509 -in myname.local.csr -out myname.local.cert -req -signkey myname.local.key -days 10000
Signature ok
subject=/C=US/ST=AZ/O=MYCOMPANY/OU=IS/CN=*.myname.local/emailAddress=myname@mycompany.com
Getting Private key
- copy files to your apache server
cp myname.local.cert /cygdrive/c/Program\ Files\ \(x86\)/Apache\ Software\ Foundation/Apache2.2/conf/ssl/
cp myname.local.key /cygdrive/c/Program\ Files\ \(x86\)/Apache\ Software\ Foundation/Apache2.2/conf/ssl/
===== make ssl key and certificate (windows command line method) =====
- the Apache2 SSL archive comes with an openssl binary in Apache2/bin, and the configuration file 'openssl.cnf' is in Apache2/conf
- open a command terminal and go to Apache2/bin
- substitute your domain in place of my-server
openssl req -config ../conf/openssl.cnf -new -out my-server.csr
openssl rsa -in privkey.pem -out my-server.key
openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 10000
- copy the .cert and .key file from the previous step to a new directory of Apache2/conf/ssl
===== See Also =====
* [[docs:programming:php:openssl]]
===== External Links =====
* http://tud.at/programm/apache-ssl-win32-howto.php3