docs:apache_web_server:ssl

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		 Previous revision
docs:apache_web_server:ssl [2008/03/06 16:34] – created billhdocs:apache_web_server:ssl [2010/12/09 09:25] (current) billh
Line 1: Line 1:
 ====== ssl for Apache ====== ====== ssl for Apache ======
-The steps below were done using Apache 2.0.63. 
  
-===== setup =====+===== setup (apache 2.2.x) ===== 
 +See the setup section below, but understand that newer apache's break out the virtual host and ssl settings into conf/extras/httpd-* files.  You may also be running apache as a service in windows, so the startup commands do not apply.  To run ssl for multiple domains using name based virtual hosts, understand that they will all use the same certificate, which is why we make a wildcard certificate in the example.  Apache will log a warning about this:<code> 
 +[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366) 
 +</code> 
 + 
 +To avoid seeing the warning, you can change the LogLevel parameter in httpd.conf to somethiing other than "warn"
 + 
 +===== setup (apache 2.0.63) =====
   - setup Apache2 as usual (make sure to get the version with SSL support)   - setup Apache2 as usual (make sure to get the version with SSL support)
   - in httpd.conf, comment out Port 80, and use Listen lines instead<code>   - in httpd.conf, comment out Port 80, and use Listen lines instead<code>
Line 8: Line 14:
 Listen 80 Listen 80
 Listen 443</code> Listen 443</code>
-  - make certs and keys (repeat for other name based virtual hosts) +  - make certs and keys (see appropriate sections below)
-    - the Apache2 SSL archive comes with an openssl binary in Apache2/bin, and the configuration file 'openssl.cnf' is in Apache2/conf +
-    - open a command terminal and go to Apache2/bin +
-    - substitute your domain in place of my-server<code> +
-openssl req -config ../conf/openssl.cnf -new -out my-server.csr +
-openssl rsa -in privkey.pem -out my-server.key +
-openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 10000 +
-</code> +
-    - copy the .cert and .key file from the previous step to a new directory of Apache2/conf/ssl+
   - in httpd.conf, add ssl support by uncommenting this line:<code>   - in httpd.conf, add ssl support by uncommenting this line:<code>
 LoadModule ssl_module modules/mod_ssl.so LoadModule ssl_module modules/mod_ssl.so
Line 50: Line 48:
 apachectl -D SSL -k start apachectl -D SSL -k start
 </code> </code>
 +
 +===== make ssl key and certificate (cygwin method) =====
 +This example is on Windows 7, using a cygwin terminal, creating a wildcard certificate
 +  - (this is making the request) the wildcard part is the asterisk when asked for the CN; enter something like 1234 for the password<code>
 +openssl req -config /usr/ssl/openssl.cnf -new -out myname.local.csr
 +
 +Generating a 1024 bit RSA private key
 +.......++++++
 +..............++++++
 +writing new private key to 'privkey.pem'
 +Enter PEM pass phrase:
 +Verifying - Enter PEM pass phrase:
 +-----
 +You are about to be asked to enter information that will be incorporated
 +into your certificate request.
 +What you are about to enter is what is called a Distinguished Name or a DN.
 +There are quite a few fields but you can leave some blank
 +For some fields there will be a default value,
 +If you enter '.', the field will be left blank.
 +-----
 +Country Name (2 letter code) [AU]:US
 +State or Province Name (full name) [Some-State]:AZ
 +Locality Name (eg, city) []:
 +Organization Name (eg, company) [Internet Widgits Pty Ltd]:MYCOMPANY
 +Organizational Unit Name (eg, section) []:IS
 +Common Name (eg, YOUR name) []:*.myname.local
 +Email Address []:myname@mycompany.com
 +
 +Please enter the following 'extra' attributes
 +to be sent with your certificate request
 +A challenge password []:
 +An optional company name []:
 +</code>
 +  - (this is making your private key) enter password as you created it above<code>
 +openssl rsa -in privkey.pem -out myname.local.key
 +
 +Enter pass phrase for privkey.pem:
 +writing RSA key
 +</code>
 +  - (this is creating the self signed certificate) <code>
 +openssl x509 -in myname.local.csr -out myname.local.cert -req -signkey myname.local.key -days 10000
 +
 +Signature ok
 +subject=/C=US/ST=AZ/O=MYCOMPANY/OU=IS/CN=*.myname.local/emailAddress=myname@mycompany.com
 +Getting Private key
 +</code>
 +  - copy files to your apache server<code>
 +cp myname.local.cert /cygdrive/c/Program\ Files\ \(x86\)/Apache\ Software\ Foundation/Apache2.2/conf/ssl/
 +cp myname.local.key /cygdrive/c/Program\ Files\ \(x86\)/Apache\ Software\ Foundation/Apache2.2/conf/ssl/
 +</code>
 +
 +===== make ssl key and certificate (windows command line method) =====
 +  - the Apache2 SSL archive comes with an openssl binary in Apache2/bin, and the configuration file 'openssl.cnf' is in Apache2/conf
 +  - open a command terminal and go to Apache2/bin
 +  - substitute your domain in place of my-server<code>
 +openssl req -config ../conf/openssl.cnf -new -out my-server.csr
 +openssl rsa -in privkey.pem -out my-server.key
 +openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 10000
 +</code>
 +  - copy the .cert and .key file from the previous step to a new directory of Apache2/conf/ssl
 +
 +===== See Also =====
 +  * [[docs:programming:php:openssl]]
  
 ===== External Links ===== ===== External Links =====
   * http://tud.at/programm/apache-ssl-win32-howto.php3   * http://tud.at/programm/apache-ssl-win32-howto.php3
  • docs/apache_web_server/ssl.1204846461.txt.gz
  • Last modified: 2008/08/03 00:25
  • (external edit)