This document describes the setup needed to run Apache with SSL encryption. It is based on a Debian woody/sarge installation, but should work with other Linux/Unix systems as well. The approach shown here uses the command line only. You can use graphical tools such as TinyCA if you prefer them.
Requirements
Under Debian, the following packages have to be installed via apt-get:
- apache-ssl
- openssl
- libapache-mod-ssl (will automatically be installed by apache-ssl)
The SSL certification process consists of three basic steps:
- If not done already, create a certificate authority (CA), which we will use to sign our own certificate.
- Create a new certificate request
- Sign the request with our CA to obtain a valid certificate.
Create a certificate authority
The OpenSSL package comes with a default openssl.cnf file under /usr/lib/ssl/openssl.cnf. We will edit the default values slightly, i.e. we change the default path from demoCA to ourCA. To do so, copy /usr/lib/ssl/openssl.cnf to /etc/ssl/openssl.cnf and change the line
dir = ./demoCA
to
dir = /etc/ssl/ourCA
For security reasons, you will have to create the necessary file and directory structure manually. In particular, you have to create the following folders and files:
- /etc/ssl/ourCA/
- /etc/ssl/ourCA/index.txt (empty file)
- /etc/ssl/ourCA/newcerts/
- /etc/ssl/ourCA/private/
- /etc/ssl/ourCA/serial (file containing "01" as the first and only line)
We can now tell openssl to create a new certification authority for us:
openssl req -new -x509 -keyout /etc/ssl/ourCA/private/cakey.pem \
-out /etc/ssl/ourCA/cacert.pem -config /etc/ssl/openssl.cnf
You will be asked a few questions about the new CA. Just enter information that makes sense and is valid. Also, choose a good passphrase, since you'll have to remember it every time you want to validate and sign a new certificate request.
Issue a certificate request
We are now ready for the interesting part of this tutorial. To create a certificate request, execute
openssl req -new -keyout newkey.pem -out newreq.pem -days 365
OpenSSL will again ask you a few questions. Make sure that you enter the hostname of your SSL server as "Common Name". This is very important: clients compare the Common Name with the hostname they connect to, and they will reject the certificate if the two differ.
If everything went fine, this will give you two new files in the directory where you ran this command. The first (newkey.pem) is our certificate's private key and the second file (newreq.pem) is the certificate request for the CA.
There is one obstacle with the private key in its current form: it requires a passphrase to be used. That means, if you want Apache to use this SSL key, you'll have to supply the passphrase at Apache's startup. This is not very handy, for sure. We can, however, remove the passphrase by running:
openssl rsa -in newkey.pem -out nopwkey.pem
You will be asked for the private key's passphrase. If things went right, you will have a new private key called nopwkey.pem, which is not passphrase protected anymore. Since nothing but file permissions now protects this key, make it readable by root only; anyone who can read it can impersonate your server.
To let a CA sign a certificate request, they need both our private key and the certificate request. We can combine both into one file by cat'ing them together:
cat newreq.pem nopwkey.pem > new.pem
Signing the certificate
The last step consists of the actual signing process. Just issue
openssl ca -policy policy_anything -out newcert.pem \
-config /etc/ssl/openssl.cnf -infiles new.pem
in the same directory where your certificate request files are stored. You will first be asked for the CA passphrase (now you know why it is important to remember it!) and you can then either sign or reject the certificate.
You should now copy newcert.pem and nopwkey.pem to some convenient place, since Apache will only need those two files to operate in SSL mode.
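The whole procedure above, run end to end as an added example (this script is not part of the original tutorial). It uses a throwaway directory instead of /etc/ssl/ourCA and writes its own minimal openssl.cnf, a constructed stand-in for the edited Debian default; the organisation and host names, the passphrases and the file names are constructed, and the interactive prompts are replaced by -subj, -batch, -passin and -passout. Two things are worth noting that the tutorial text does not show: openssl ca reads only the CERTIFICATE REQUEST block of its input, so the private key never needs to leave the server, and the script finishes with the checks a practitioner wants before touching the Apache config (the certificate chains to our CA, it matches the hostname, and it belongs to the passphrase-less key Apache will load).

```shell
#!/bin/sh
# Added example, not from the tutorial: CA -> request -> signing, non-interactive,
# in a throwaway directory. Paths, names and passphrases are constructed.
set -eu

# Create the directory layout the tutorial has you build by hand, plus a minimal
# openssl.cnf (constructed; stands in for the edited /etc/ssl/openssl.cnf).
make_ca_dir() {
    cadir="$1"
    mkdir -p "$cadir/newcerts" "$cadir/private"
    chmod 700 "$cadir/private"          # the CA key must stay private
    : > "$cadir/index.txt"              # empty database of issued certificates
    echo 01 > "$cadir/serial"           # first serial number, as in the tutorial
    cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca = ourCA
[ ourCA ]
dir = $cadir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
default_days = 365
default_md = sha256
policy = policy_anything
x509_extensions = v3_server
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# modern clients ignore the CN and require the hostname here as well
subjectAltName = DNS:www.example.com
EOF
}

# Runs the tutorial's three steps in "$1", verifies the result and prints the
# signed certificate's subject. Returns non-zero if anything does not check out.
# (stderr is silenced to keep the output short; drop the 2>/dev/null to debug.)
run_pki_demo() {
    work="$1"; cadir="$work/ourCA"; cfg="$cadir/openssl.cnf"
    make_ca_dir "$cadir"
    # Step 1: the certificate authority, self-signed, key protected by a passphrase.
    openssl req -new -x509 -days 3650 -newkey rsa:2048 -config "$cfg" \
        -subj "/O=Example Org/CN=Our Test CA" -passout pass:ca-secret \
        -keyout "$cadir/private/cakey.pem" -out "$cadir/cacert.pem" 2>/dev/null
    # Step 2: the server key and request; the Common Name is the server's hostname.
    openssl req -new -newkey rsa:2048 -config "$cfg" \
        -subj "/O=Example Org/CN=www.example.com" -passout pass:key-secret \
        -keyout "$work/newkey.pem" -out "$work/newreq.pem" 2>/dev/null
    # Remove the passphrase so Apache can start unattended; file permissions are
    # now the only protection, so make the key readable by its owner only.
    openssl rsa -in "$work/newkey.pem" -passin pass:key-secret \
        -out "$work/nopwkey.pem" 2>/dev/null
    chmod 600 "$work/nopwkey.pem"
    # Step 3: sign. Only the request is handed to the CA; the key stays here.
    openssl ca -batch -notext -policy policy_anything -passin pass:ca-secret \
        -config "$cfg" -out "$work/newcert.pem" -infiles "$work/newreq.pem" 2>/dev/null
    # Check 1: the certificate chains to our CA and matches the hostname.
    openssl verify -CAfile "$cadir/cacert.pem" -verify_hostname www.example.com \
        "$work/newcert.pem" >/dev/null 2>&1 || return 1
    # Check 2: the certificate's public key is the one in the key Apache will load.
    [ "$(openssl x509 -noout -pubkey -in "$work/newcert.pem")" = \
      "$(openssl pkey -in "$work/nopwkey.pem" -pubout)" ] || return 1
    openssl x509 -noout -subject -in "$work/newcert.pem"
}

main() {
    work="$(mktemp -d)"
    run_pki_demo "$work"
    echo "signed certificate: $work/newcert.pem, key for Apache: $work/nopwkey.pem"
}
main
```

The two files printed at the end are exactly the pair the next section points Apache at; the CA directory now also holds a copy of the issued certificate under newcerts/ and an incremented serial file, which is the record you consult later when you need to know what your CA has signed.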
Apache-SSL configuration
Under Debian, the SSL enabled Apache version has its own configuration file, available under /etc/apache-ssl/httpd.conf. Edit and change or add the following lines:
# This is our signed certificate
SSLCertificateFile /path/to/newcert.pem
# This is our unencrypted private key
SSLCertificateKeyFile /path/to/nopwkey.pem
Start Apache-SSL by executing
/etc/init.d/apache-ssl start