Configuring Apache with SSL

Apache is the most common web server in use nowadays. You have probably configured Apache many times by now, but what about configuring it with SSL, i.e. using Apache to serve the https protocol? I assume you have already configured the basic Apache server and have also enabled the SSL module; if not, refer to my previous post on Configuring Apache Web server.

The following post is an extremely simplified step by step guide to configuring SSL in Apache using self-signed certificates. You can also use a real certificate issued by a CA if you have one.

Prerequisites

1) Apache with SSL module enabled
2) openssl installed

Step 1) Generate a Private Key

We will use the openssl toolkit to generate an RSA private key and a Certificate Signing Request. As the first step, generate the key: the command below will create a 1024-bit key encrypted with 3DES.

$ openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
......................++++++
..................................++++++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

Step 2) Generate a CSR (Certificate Signing Request)

Once the key is generated you will need to make a CSR (Certificate Signing Request). Use the following command to generate one; in the process you will be asked to enter various parameters, as shown below.

$ openssl req -new -key server.key -out server.csr

Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:UK
Locality Name (eg, city) []:Kashipur
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Kashipur Networks
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:kashipur.net
Email Address []:abhishek at kashipur dot net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 3) Remove Pass phrase from Key

This step is completely optional, but if you skip it you will have to run to the server to enter the pass phrase every time the server restarts :) . Use the following commands to get rid of this problem.

$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key

Enter pass phrase for server.key.org:
writing RSA key

Step 4) Generating a Self-Signed Certificate

Once you have your key and CSR ready, it's time to generate the certificate. Use the following command to generate a self-signed certificate.

$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Signature ok
subject=/C=IN/ST=UK/L=Kashipur/O=Kashipur Networks/CN=kashipur.net/emailAddress=abhishek at kashipur dot net
Getting Private key
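Steps 1 to 4 above, run non-interactively as one script, followed by the checks worth doing before the files go anywhere near Apache: that the certificate really belongs to this key (same public modulus), that it is self-signed (issuer equals subject), and that the key Apache will load carries no pass phrase. This is an added example, not code from the original post; the pass phrase is a constructed value, and it uses a 2048-bit key instead of the post's 1024 bits, since current CA/browser baseline requirements no longer accept the smaller size.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1-4 run non-interactively,
# followed by the sanity checks worth doing before the files go into
# /etc/apache2/cert. Assumes openssl is on PATH and a POSIX shell.
set -eu

# Steps 1-4. Uses a 2048-bit key instead of the post's 1024-bit one, the
# minimum size current CA/browser baseline requirements accept.
generate_selfsigned() {
    dir=$1; cn=$2; days=${3:-365}
    (
        cd "$dir"
        # Step 1: pass-phrase-protected (3DES) key; the pass phrase is a constructed value
        openssl genrsa -des3 -passout pass:tmp-passphrase -out server.key.org 2048 2>/dev/null
        # Step 2: CSR, answering the DN prompts with -subj (same fields as the post)
        openssl req -new -key server.key.org -passin pass:tmp-passphrase \
            -subj "/C=IN/ST=UK/L=Kashipur/O=Kashipur Networks/CN=$cn" -out server.csr 2>/dev/null
        # Step 3: unencrypted copy so Apache can start unattended
        openssl rsa -in server.key.org -passin pass:tmp-passphrase -out server.key 2>/dev/null
        chmod 600 server.key server.key.org   # private keys: owner-readable only
        # Step 4: self-sign the CSR
        openssl x509 -req -days "$days" -in server.csr -signkey server.key -out server.crt 2>/dev/null
    )
}

# Returns 0 only if the certificate belongs to this key (same public modulus),
# is self-signed (issuer == subject) and the key Apache will load has no pass phrase.
verify_keypair() {
    crt=$1; key=$2
    cmod=$(openssl x509 -noout -modulus -in "$crt")
    kmod=$(openssl rsa -noout -modulus -in "$key")
    [ "$cmod" = "$kmod" ] || { echo "key does not match certificate" >&2; return 1; }
    issuer=$(openssl x509 -noout -issuer -in "$crt" | sed 's/^issuer= *//')
    subject=$(openssl x509 -noout -subject -in "$crt" | sed 's/^subject= *//')
    [ "$issuer" = "$subject" ] || { echo "certificate is not self-signed" >&2; return 1; }
    if grep -q ENCRYPTED "$key"; then echo "key is still pass-phrase-protected" >&2; return 1; fi
    return 0
}

main() {
    work=$(mktemp -d)
    generate_selfsigned "$work" kashipur.net 365
    verify_keypair "$work/server.crt" "$work/server.key"
    openssl x509 -noout -subject -dates -in "$work/server.crt"
    echo "ok: copy $work/server.crt and $work/server.key to /etc/apache2/cert"
}
main
```

The modulus comparison is the check to reach for when Apache refuses to start with a key/certificate mismatch error after a certificate renewal.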

Step 5) Copy Certificate and Key to Apache Folder

After following the steps above you will have the following files:

$ ls -l

-rw-r--r-- 1 abhishek abhishek 952 2009-06-12 14:30 server.crt
-rw-r--r-- 1 abhishek abhishek 704 2009-06-12 14:27 server.csr
-rw-r--r-- 1 abhishek abhishek 887 2009-06-12 14:29 server.key
-rw-r--r-- 1 abhishek abhishek 963 2009-06-12 14:28 server.key.org

Copy the .crt and .key files to a suitable location inside the Apache configuration folder, generally /etc/apache2/cert, using the following command:

$ cp server.crt server.key /etc/apache2/cert

Step 6) Configure Apache with SSL

Once you have copied your certificate and key, modify your httpd.conf to include the following:

SSLEngine on
SSLCertificateFile /etc/apache2/cert/server.crt
SSLCertificateKeyFile /etc/apache2/cert/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Ensure Apache is listening on port 443; if not, add the Listen directive. After making these changes, preferably verify the configuration file using the following command:

$ apache2ctl configtest
Syntax OK

Once you see Syntax OK you are ready to use https.

Step 7) Restart Apache and test

To apply the configuration changes you need to restart Apache, which can be done using the following command:

# service apache2 restart

or, on many other systems:

# service httpd restart

Once Apache has restarted, test it by opening the site with https:// in front of the URL.

Happy HTTPS :)