docs:apache_web_server:ssl (revision 2010/12/09 09:25, current, by billh)

====== ssl for Apache ======

===== setup (apache 2.2.x) =====
See the setup section below, but understand that newer Apache releases break out the virtual host and ssl settings into conf/extra/httpd-*.conf files (pulled in by Include lines in httpd.conf), and that the SSLLog and SSLLogLevel directives shown there were removed in 2.2: mod_ssl messages now go to the normal ErrorLog at whatever LogLevel is set.  You may also be running Apache as a Windows service, so the startup commands do not apply.  To run ssl for multiple domains using name based virtual hosts, understand that a client which does not send the host name inside the TLS handshake (Server Name Indication, RFC 4366) is always handed the certificate of the first *:443 virtual host, whatever name it asked for.  Apache 2.2.12 and later, built against OpenSSL 0.9.8f or later with TLS extension support, can pick the virtual host from the name an SNI-capable client sends, but older clients still see the first certificate, which is why we make a wildcard certificate in the example: one certificate that is valid for every name.  Apache will log a warning about this:<code>
[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
</code>

The warning is informational.  To avoid seeing it you can change the LogLevel parameter in httpd.conf to something less verbose than "warn" (for example "error"), but that also hides every other warning, so it is better left as it is.
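
The configuration below is an added example, not something from the original page: two name-based SSL virtual hosts, each with its own certificate, which only works for SNI-capable clients on Apache 2.2.12 or later built against OpenSSL 0.9.8f or later with TLS extension support.  The host names alpha.example.local and beta.example.local, the document roots and the certificate file names are assumed.

```apache
# Added example (not from the original page). Two SSL vhosts on one address,
# distinguished by the name the client sends in the TLS handshake (SNI).
NameVirtualHost *:443

# The first vhost listed for *:443 is the default: a client that sends no SNI
# name lands here and is shown this certificate, whatever host it wanted.
<VirtualHost *:443>
  ServerName alpha.example.local
  DocumentRoot "/path/to/alpha"
  SSLEngine On
  SSLCertificateFile conf/ssl/alpha.example.local.cert
  SSLCertificateKeyFile conf/ssl/alpha.example.local.key
</VirtualHost>

<VirtualHost *:443>
  ServerName beta.example.local
  DocumentRoot "/path/to/beta"
  SSLEngine On
  SSLCertificateFile conf/ssl/beta.example.local.cert
  SSLCertificateKeyFile conf/ssl/beta.example.local.key
</VirtualHost>

# Optional (2.2.12+): refuse clients that send no SNI name instead of silently
# serving them the first vhost. They get a TLS handshake failure rather than a
# certificate for the wrong name.
SSLStrictSNIVHostCheck on
```

With a single wildcard certificate, as in the rest of this page, both vhosts can point SSLCertificateFile and SSLCertificateKeyFile at the same files and SSLStrictSNIVHostCheck can stay off; per-name certificates are only worth it when the names do not share a parent domain.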
 + 
===== setup (apache 2.0.63) =====
  - setup Apache2 as usual (make sure to get the version with SSL support)
  - in httpd.conf, comment out Port 80, and use Listen lines instead<code>
Listen 80
Listen 443</code>
  - make certs and keys (see appropriate sections below)
  - in httpd.conf, add ssl support by uncommenting this line:<code>
LoadModule ssl_module modules/mod_ssl.so
</code>
  - in httpd.conf, set up name based virtual hosts:<code>
NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
  DocumentRoot "/path/to/my-server"
  ServerName my-server
</VirtualHost>
</code>
  - tweak ssl.conf to have the following (probably best to remove the _default_ virtual host entry)<code>
# see http://www.modssl.org/docs/2.8/ssl_reference.html for more info
SSLMutex sem
# "builtin" seeds the PRNG from the time, pid and scoreboard only; on Unix add a
# real entropy source as well, e.g. "SSLRandomSeed startup file:/dev/urandom 512"
SSLRandomSeed startup builtin
SSLSessionCache none

# SSLLog and SSLLogLevel exist in 2.0 only; 2.2 logs to ErrorLog at LogLevel
SSLLog logs/SSL.log
SSLLogLevel info
# You can later change "info" to "warn" if everything is OK

# not in the shipped ssl.conf: refuse SSLv2 and anonymous, export and MD5 ciphers
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:!aNULL:!MD5

<VirtualHost *:443>
  DocumentRoot "/path/to/my-server"
  ServerName my-server
  SSLEngine On
  SSLCertificateFile conf/ssl/my-server.cert
  SSLCertificateKeyFile conf/ssl/my-server.key
</VirtualHost>
</code>
  - Don't forget to call apache with -D SSL if the IfDefine directive is active in the config file!  On Unix, it would look like this:<code>
apachectl -D SSL -k start
</code>

===== make ssl key and certificate (cygwin method) =====
This example is on Windows 7, using a cygwin terminal, creating a wildcard certificate.  A wildcard in the CN (e.g. *.myname.local) matches exactly one label: it covers www.myname.local but neither myname.local itself nor a.b.myname.local.
  - (this is making the request, and a new private key in privkey.pem) the wildcard part is the asterisk when asked for the CN; enter something like 1234 for the password.  The key size comes from default_bits in openssl.cnf, which is 1024 in older configs, so add -newkey rsa:2048 if you want a 2048-bit key<code>
openssl req -config /usr/ssl/openssl.cnf -new -out myname.local.csr

An optional company name []:
</code>
  - (this is making your private key) enter password as you created it above.  This rewrites the key without the passphrase so Apache can start unattended; from here on only file permissions protect it<code>
openssl rsa -in privkey.pem -out myname.local.key

writing RSA key
</code>
  - (this is creating the self signed certificate) 10000 days is about 27 years; pick something shorter if you ever intend to rotate the key<code>
openssl x509 -in myname.local.csr -out myname.local.cert -req -signkey myname.local.key -days 10000

Getting Private key
</code>
  - copy files to your apache server, and make sure the .key file is readable only by the account Apache runs as (the Windows service account, or root on Unix)<code>
cp myname.local.cert /cygdrive/c/Program\ Files\ \(x86\)/Apache\ Software\ Foundation/Apache2.2/conf/ssl/
cp myname.local.key /cygdrive/c/Program\ Files\ \(x86\)/Apache\ Software\ Foundation/Apache2.2/conf/ssl/
</code>

===== make ssl key and certificate (windows command line method) =====
  - the Apache2 SSL archive comes with an openssl binary in Apache2/bin, and the configuration file 'openssl.cnf' is in Apache2/conf
  - open a command terminal and go to Apache2/bin
  - substitute your domain in place of my-server (the three commands are the same request / strip passphrase / self sign sequence as the cygwin method above)<code>
openssl req -config ../conf/openssl.cnf -new -out my-server.csr
openssl rsa -in privkey.pem -out my-server.key
openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 10000
</code>
  - copy the .cert and .key file from the previous step to a new directory Apache2/conf/ssl, and restrict the .key file to the account Apache runs as
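
The script below is an added example, not code from the original page or from Apache: it does the request / strip passphrase / self sign sequence of the cygwin and Windows command line methods above in one non-interactive run, and then performs the two checks a practitioner wants before touching httpd.conf: that the key really belongs to the certificate, and that the wildcard covers the names you intend to serve.  It assumes the openssl command line tool (1.0.2 or newer, for -checkhost); the domain example.local, the output directory and the 3650 day lifetime are constructed values.

```sh
#!/bin/sh
# Added example, not code from the original page: the request / strip-passphrase /
# self-sign sequence above done non-interactively, plus two checks that Apache
# would otherwise only reveal at start-up or in the browser.
# Assumes the openssl CLI (1.0.2 or newer for -checkhost). The domain
# "example.local" and the output directory used below are constructed values.

# Make an unencrypted 2048-bit RSA key and a self-signed wildcard certificate
# for base domain $2 in directory $1; writes $1/$2.key and $1/$2.cert.
make_wildcard_cert() {
    dir=$1; base=$2
    mkdir -p "$dir"
    # minimal openssl.cnf: wildcard CN, and the same names as subjectAltName
    # (clients match the SAN first, and "*.x" does not cover the bare "x")
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = *.$base
[v3]
subjectAltName = DNS:*.$base, DNS:$base
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # -nodes: no passphrase, so Apache can start unattended (the "openssl rsa"
    # step above does the same); from here on file permissions protect the key.
    ( umask 077
      openssl req -x509 -new -newkey rsa:2048 -nodes -config "$dir/san.cnf" \
          -keyout "$dir/$base.key" -out "$dir/$base.cert" -days 3650 2>/dev/null )
    chmod 600 "$dir/$base.key"
}

# Succeed if the certificate's public key belongs to the private key; both
# commands print "Modulus=<hex>" and the two must be identical.
key_matches_cert() {
    c=$(openssl x509 -in "$1/$2.cert" -noout -modulus)
    k=$(openssl rsa -in "$1/$2.key" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeed if the certificate in $1/$2.cert is valid for host name $3 under the
# usual wildcard rules: "*.example.local" covers www.example.local but not
# a.b.example.local. openssl prints "... does match certificate" on success.
cert_covers_host() {
    openssl x509 -in "$1/$2.cert" -noout -checkhost "$3" | grep -q 'does match'
}

# usage:
#   make_wildcard_cert ./ssl-demo example.local
#   key_matches_cert ./ssl-demo example.local && echo "key and cert match"
#   cert_covers_host ./ssl-demo example.local www.example.local && echo "covered"
```

Copy the two files into conf/ssl as in the steps above.  Once Apache is up, the same check from the client side is openssl s_client -connect host:443 -servername name: the certificate it prints is the one that host name actually receives, which is how you confirm that every name-based virtual host is getting the wildcard and not a stray _default_ certificate.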

===== See Also =====
  * [[docs:programming:php:openssl]]
  
===== External Links =====
  * http://tud.at/programm/apache-ssl-win32-howto.php3