ssl for Apache
The steps below were done using Apache 2.0.63.
setup
- setup Apache2 as usual (make sure to get the version with SSL support)
- in httpd.conf, comment out Port 80, and use Listen lines instead
#Port 80
Listen 80
Listen 443
- make certs and keys (repeat for other name based virtual hosts)
- example on Windows 7, using a cygwin terminal, creating a wildcard certificate
- (this step creates the certificate request) the wildcard is the asterisk you enter when asked for the Common Name; enter something like 1234 for the PEM pass phrase
openssl req -config /usr/ssl/openssl.cnf -new -out myname.local.csr
Generating a 1024 bit RSA private key
.......++++++
..............++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:AZ
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MYCOMPANY
Organizational Unit Name (eg, section) []:IS
Common Name (eg, YOUR name) []:*.myname.local
Email Address []:myname@mycompany.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- (this step writes your private key to its own file) enter the pass phrase you chose above
openssl rsa -in privkey.pem -out myname.local.key
Enter pass phrase for privkey.pem:
writing RSA key
- (this step creates the self-signed certificate)
openssl x509 -in myname.local.csr -out myname.local.cert -req -signkey myname.local.key -days 10000
Signature ok
subject=/C=US/ST=AZ/O=MYCOMPANY/OU=IS/CN=*.myname.local/emailAddress=myname@mycompany.com
Getting Private key
- copy files to your apache server
cp myname.local.cert /cygdrive/c/Program\ Files\ \(x86\)/Apache\ Software\ Foundation/Apache2.2/conf/ssl/
cp myname.local.key /cygdrive/c/Program\ Files\ \(x86\)/Apache\ Software\ Foundation/Apache2.2/conf/ssl/
- if the example above works for you, you can skip the Windows command prompt steps below
- the Apache2 SSL archive comes with an openssl binary in Apache2/bin, and the configuration file 'openssl.cnf' is in Apache2/conf
- open a command terminal and go to Apache2/bin
- substitute your domain in place of my-server
openssl req -config ../conf/openssl.cnf -new -out my-server.csr
openssl rsa -in privkey.pem -out my-server.key
openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 10000
- copy the .cert and .key file from the previous step to a new directory of Apache2/conf/ssl
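As an added example (not part of the original page), the same three openssl steps done non-interactively in one POSIX shell script, followed by the checks worth running before copying the files into conf/ssl: that the key really belongs to the certificate (otherwise Apache refuses to start), that the certificate verifies as its own issuer, and that a hostname under the wildcard is actually covered by it. It assumes a 2048-bit key and a subjectAltName extension, since current clients ignore the CN alone; the function names, output file names and 825-day validity are my choices, not the page's.

```shell
#!/bin/sh
# Added example: non-interactive version of the page's openssl steps plus
# pre-deployment checks. Function names, file names, 2048-bit key, 825-day
# validity and the subjectAltName entries are assumptions, not from the page.
set -eu

# make_selfsigned NAME DIR: writes DIR/NAME.key (no pass phrase, like the
# page's "openssl rsa" step) and DIR/NAME.cert (self-signed wildcard cert).
make_selfsigned() {
  name=$1; dir=$2
  cat >"$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
C = US
O = MYCOMPANY
CN = *.$name
[v3]
subjectAltName = DNS:*.$name, DNS:$name
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
    -config "$dir/$name.cnf" -keyout "$dir/$name.key" \
    -out "$dir/$name.cert" 2>/dev/null
}

# key_bits KEY: prints the RSA modulus size, e.g. 2048 (the page's 1024 is weak)
key_bits() {
  openssl pkey -in "$1" -noout -text | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# check_pair CERT KEY HOST: 0 if key and cert belong together, the cert
# verifies as its own issuer, and HOST is covered by the cert's names.
check_pair() {
  cert=$1; key=$2; host=$3
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout)" ] || return 1
  openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 || return 2
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q ' does match' || return 3
}

# Usage: sh mkcert.sh myname.local /path/to/Apache2/conf/ssl
if [ $# -eq 2 ]; then
  make_selfsigned "$1" "$2"
  check_pair "$2/$1.cert" "$2/$1.key" "www.$1"
  echo "ok: $(key_bits "$2/$1.key")-bit key, certificate matches www.$1"
fi
```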
- in httpd.conf, add ssl support by uncommenting this line:
LoadModule ssl_module modules/mod_ssl.so
- in httpd.conf, set up name-based virtual hosts:
NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
    DocumentRoot "/path/to/my-server"
    ServerName my-server
</VirtualHost>
- tweak ssl.conf to have the following (probably best to remove the _default_ virtual host entry)
# see http://www.modssl.org/docs/2.8/ssl_reference.html for more info
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none
SSLLog logs/SSL.log
SSLLogLevel info
# You can later change "info" to "warn" if everything is OK

<VirtualHost *:443>
    DocumentRoot "/path/to/my-server"
    ServerName my-server
    SSLEngine On
    SSLCertificateFile conf/ssl/my-server.cert
    SSLCertificateKeyFile conf/ssl/my-server.key
</VirtualHost>
- Don't forget to call apache with -D SSL if the IfDefine directive is active in the config file! On Unix, it would look like this:
apachectl -D SSL -k start