• Simple Setup of SSL on Apache with mod_ssl and OpenSSL

    This is a very simple way of setting up Apache with SSL using a certificate from a trusted Certificate Authority (CA). Just follow these steps and you will have it running in no time. I am assuming you have all the prerequisites installed: Apache with mod_ssl enabled, and OpenSSL. I add the following to the server configuration (either httpd.conf or apache2.conf) so it knows to handle virtual hosts on port 443; you can do this in the virtual host file if you wish:

    <IfModule mod_ssl.c>
    NameVirtualHost *:443
    </IfModule>

    The next thing you will want to do is create an RSA key for your server. There are 2 ways to do this: you can create it so that Apache will require a password at startup/restart, or you can create it without this added encryption. If you choose not to use encryption, you should make sure you protect this key as much as possible! Replace domainname with the actual domain name you want to secure.





    Switch to a folder where you wish to generate and store your files. I usually create or use a folder in the /etc/apache2/ directory.

    Generate a key with a password:

    # 2048 bits is the minimum RSA key size public CAs accept
    openssl genrsa -des3 -out domainname.key 2048

    Generate a key WITHOUT a password:

    openssl genrsa -out domainname.key 2048

    Now you will need to generate a CSR that you will give to the CA in order to create your certificate. This is done by running the following (you will be prompted for your password if you generated one on the key):

    openssl req -new -key domainname.key -out domainname.csr

    When generating a CSR, the most important item is the Common Name. This is the host name in the URL that you want to secure. Note that the certificate ONLY applies to the common name, so www.domain.com and domain.com are NOT the same. Everything else is self-explanatory, but when it comes to Extra attributes, ignore these!

    If you want to verify the CSR, run the following:

    openssl req -noout -text -in domainname.csr 

    You can now submit this to the CA. Make sure you do not copy any extra characters, especially extra spaces!

    We are going to assume that all went well and you now have the certificate sent back from your CA. Installing it is very simple.

    Create a file named domainname.crt in your SSL folder and paste in the certificate text from your CA.

    Now modify the virtual host of the site you want to serve under SSL. First change port 80 to port 443 on the VirtualHost.

    Now add the following to the virtual host:

    SSLEngine On
    SSLCertificateFile /path/to/ssl/domainname.crt
    SSLCertificateKeyFile /path/to/ssl/domainname.key

    Restart Apache and you are all set.
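
    Before restarting, it is worth confirming that domainname.crt really belongs to domainname.key and covers the exact host name. The script below is an added example, not part of the original post: the function names are hypothetical, and a self-signed certificate is constructed to stand in for the CA's reply.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# file names follow the post's domainname.* convention.

# Print a SHA-256 digest of the public key held in a key, CSR or certificate.
pubkey_hash() {  # $1 = key|csr|crt, $2 = file (a passphrase-protected key will prompt)
    case "$1" in
        key) _pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) _pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) _pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    [ -n "$_pem" ] || return 1   # missing or malformed file
    printf '%s\n' "$_pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# True when the file ($2 = csr|crt, $3 = path) carries the same public key as key $1.
matches_key() {
    _k=$(pubkey_hash key "$1") && _o=$(pubkey_hash "$2" "$3") && [ "$_k" = "$_o" ]
}

# True when the certificate is valid for this exact host name (www vs. bare domain).
cert_covers() {  # $1 = certificate, $2 = host name
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Constructed sample data: two keys, a CSR, and a self-signed stand-in certificate.
make_demo() {  # $1 = working directory
    openssl genrsa -out "$1/domainname.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/domainname.key" -subj "/CN=www.domainname.com" \
        -out "$1/domainname.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/domainname.csr" -signkey "$1/domainname.key" \
        -days 1 -out "$1/domainname.crt" 2>/dev/null
}

dir=$(mktemp -d) && make_demo "$dir" || exit 1
matches_key "$dir/domainname.key" crt "$dir/domainname.crt" && echo "crt matches key"
matches_key "$dir/other.key" crt "$dir/domainname.crt" || echo "other.key does NOT match"
cert_covers "$dir/domainname.crt" domainname.com || echo "bare domain is NOT covered"
rm -rf "$dir"
```

    If matches_key fails for the files named in SSLCertificateFile and SSLCertificateKeyFile, Apache will refuse to start with that virtual host enabled.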

    One thing I like to do is create 2 versions of the site and redirect all non-SSL requests for secure.domainname.com to the SSL site. You can do this very easily with a simple Apache redirect, and it is good for coders who do not redirect their code properly.

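    # Non-SSL (port 80) version of the site
    <VirtualHost *:80>
        ServerName secure.domainname.com
        ...
        RewriteEngine On
        # Only redirect requests that did not arrive over HTTPS
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://secure.domainname.com$1 [R=301,L]
    </VirtualHost>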




