Setting up HTTPS using SSL on Apache

This guide covers the following steps:

  1. Ensure port 443 is open
  2. Include mod_ssl in Apache
  3. Create an Apache Self-Signed SSL Certificate and Key
  4. Appendix - Locations of files on Fedora

Ensure port 443 is open

Edit the firewall settings to allow inbound traffic to port 443:

vi /etc/sysconfig/iptables

...
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
...

Include mod_ssl in Apache

Check whether Apache has been compiled with mod_ssl (this lists the statically compiled modules):

httpd -l

Check whether the mod_ssl files are installed:

locate mod_ssl
# ...
# /usr/lib/httpd/modules/mod_ssl.so
# /usr/include/httpd/mod_ssl.h

If they are not present, find and install the latest package with yum:

yum search mod_ssl
yum install mod_ssl

If mod_ssl is not compiled into Apache it can be loaded as an additional module. This is usually done through an Include statement in httpd.conf that pulls extra configuration files into Apache. Search httpd.conf for the line Include conf/*.conf: this loads the external configuration files located in /etc/httpd/conf.d/ and suffixed with .conf. The file we want is called ssl.conf; if you can't locate it on your machine you'll need to create it (browse the web for this).

Create an Apache Self-Signed SSL Certificate and Key

cd /etc/httpd/conf/
openssl genrsa -des3 -out pass.key 1024
# you'll be prompted to enter a passphrase

openssl rsa -in pass.key -out server.key
# you'll be prompted to re-enter the passphrase; server.key is written without it

openssl req -new -key server.key -x509 -out server.crt -days 999
# You'll be prompted to enter Country Code, County, Locality, Organization name, Department, Common Name, Email

mkdir ssl.key/
mkdir ssl.crt/
cp server.key ssl.key/
cp server.crt ssl.crt/

# In the ssl.conf file you point to the certificate and key files created above. It is common for these to live under /etc/pki/ and to be named in accordance with the domain they serve:

cp server.crt /etc/pki/tls/certs/domain.crt
cp server.key /etc/pki/tls/private/domain.key

service httpd restart

Alternative. If you do not want to type in a passphrase every time you start your secure server, you will need to use the following two commands instead of make genkey to create the key.

/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key

chmod go-rwx /etc/httpd/conf/ssl.key/server.key

After you use the above commands to create your key, you will not need to use a passphrase to start your secure server.

Alternative 2

# Remove old key & certificate
rm /etc/httpd/conf/ssl.key/server.key
rm /etc/httpd/conf/ssl.crt/server.crt
# Generate new key with an EMPTY PASSPHRASE!
# Use "cd /usr/share/ssl/certs; make genkey"
# instead if you really need a passphrase
/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key

# Set appropriate permissions
chmod go-rwx /etc/httpd/conf/ssl.key/server.key
# Now create the new certificate
cd /usr/share/ssl/certs
make testcert
# And restart Apache
/sbin/service httpd restart
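The whole key-and-certificate procedure above (the interactive steps and both passphrase-free alternatives) written as one non-interactive script. This is an added example, not the article's own commands: it assumes the hostname www.example.com, a 2048-bit key rather than the article's 1024-bit one, and a scratch directory in place of /etc/pki/tls (set SSL_DIR to change that). It also adds the checks a practitioner wants before restarting httpd: that the key is unreadable by other users, and that the key and certificate copied into place actually belong together.

```shell
#!/bin/sh
# Added example, not from the original article. Generates a self-signed
# certificate and key non-interactively, locks down the key's permissions,
# writes a minimal mod_ssl virtual host, and checks that key and certificate
# belong together. Assumptions: hostname www.example.com, a 2048-bit key
# (the article's 1024-bit keys are rejected by current TLS clients), and a
# scratch directory so it runs without root; set SSL_DIR=/etc/pki/tls to use
# the Fedora paths the article names.
set -eu

SSL_DIR="${SSL_DIR:-$(mktemp -d)}"
KEY="$SSL_DIR/private/domain.key"
CRT="$SSL_DIR/certs/domain.crt"
CONF="$SSL_DIR/ssl.conf"          # stands in for /etc/httpd/conf.d/ssl.conf

# Unencrypted RSA key (no -des3), so httpd starts without a passphrase prompt.
# The subshell umask makes the file 0600 from the moment it is created, the
# equivalent of the article's "chmod go-rwx" without a window where it is
# world-readable.
gen_key() {
    mkdir -p "$SSL_DIR/private" "$SSL_DIR/certs"
    ( umask 077 && openssl genrsa -out "$KEY" 2048 2>/dev/null )
}

# Self-signed certificate. -subj supplies the DN fields openssl would
# otherwise prompt for (country, state, locality, org, unit, CN, email).
gen_cert() {
    openssl req -new -x509 -key "$KEY" -out "$CRT" -days 999 \
        -subj "/C=GB/ST=Somewhere/L=Town/O=Example Ltd/OU=IT/CN=www.example.com/emailAddress=admin@example.com"
    chmod 644 "$CRT"    # the certificate is public; only the key is secret
}

# Succeeds only when neither group nor others can read the key.
key_is_private() {
    [ -z "$(find "$KEY" -perm -040 -o -perm -004)" ]
}

# Succeeds only when the certificate was issued for this private key (same
# RSA modulus). A mismatch is the classic reason httpd refuses to start after
# files are copied into /etc/pki.
key_matches_cert() {
    k=$(openssl rsa  -noout -modulus -in "$KEY")
    c=$(openssl x509 -noout -modulus -in "$CRT")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The directives ssl.conf must carry to point mod_ssl at the two files.
write_ssl_conf() {
    cat > "$CONF" <<EOF
Listen 443
<VirtualHost _default_:443>
    ServerName            www.example.com
    SSLEngine             on
    SSLCertificateFile    $CRT
    SSLCertificateKeyFile $KEY
</VirtualHost>
EOF
}

# Prints the certificate's subject and expiry, so the renewal date of the
# 999-day certificate is on record.
cert_info() {
    openssl x509 -noout -subject -enddate -in "$CRT"
}

setup_all() {
    gen_key
    gen_cert
    write_ssl_conf
    key_is_private
    key_matches_cert
    cert_info
}

# Run the whole procedure when openssl is available; otherwise the functions
# are merely defined so the file can be sourced.
if command -v openssl >/dev/null 2>&1; then
    setup_all
fi
```

Run it as root with SSL_DIR=/etc/pki/tls to drop the files where the appendix says Fedora keeps them; the generated ssl.conf fragment then belongs in /etc/httpd/conf.d/ before the service httpd restart. Because the key is written unencrypted, the 0600 permission check is what stands in for the passphrase the article's first method relies on.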

Appendix - Locations of files on Fedora:

The configuration file is located at /etc/httpd/conf.d/ssl.conf and the certificates reside under /etc/pki.

  • http://www.rpatrick.com/tech/makecert/
  • http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslengine

Author

Andrew Dodson
Since:Feb 2007