Apache and SSL Setup

This post documents how to set up Apache with SSL and either be your own signing authority or use a commercial one such as Thawte.

I assume that you already have apache installed.

  1. Create a Key Pair

    Create your site RSA private Key and CSR (Certificate Signing Request)

    [root@server ~]# openssl genrsa -des3 -out domain.tld.key 1024

    You will be asked to enter a pass phrase for the key, remember this as you will need it later.
    A key size of 1024 is used because it is stronger than 512. Anything over 1024 can cause problems with some browsers.

    This is where you have to choose to either sign the certificate yourself or get it signed by a CA (Certification Authority).

    The next steps document how to get a certificate signed by a CA such as Thawte. If you want to sign it yourself, jump to step 4.

  2. Create a CSR

    Create a CSR (Certificate Signing Request)

    [root@server ~]# openssl req -new -key domain.tld.key -out domain.tld.csr
  3. Sign the CSR (Signed by Signing Authority)

    You now have to send the generated CSR (Certificate Signing Request) to a CA (Certification Authority) to be signed. Most CAs will charge for this service. Once the CSR has been sent to them, using whichever method they prefer (email, online form), they will then process it and send you a certificate back, usually with a .crt extension. Once you have the domain.tld.key file and the domain.tld.crt file, jump to step 5.

  4. Sign the CSR (Signed by Yourself)

    [root@server ~]# openssl req -new -x509 -nodes -sha1 -days 365 -key domain.tld.key -out domain.tld.crt
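    The same sequence as steps 1, 2 and 4, as an added shell example that is not part of the original post: it generates the passphrase-protected key, the CSR and a self-signed certificate non-interactively, then runs the checks you would want before sending the CSR to a CA or handing the files to Apache (the CSR signature verifies, the certificate carries the expected CN, it is self-signed, and it has not expired). The working directory, passphrase and subject DN are constructed for the example; key size and digest are parameters, and this example uses 2048 bits and SHA-256 where the post uses 1024 and SHA-1.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates an encrypted RSA
# key, a CSR and a self-signed certificate without interactive prompts, then
# verifies each artifact. Working directory, passphrase and subject are
# constructed values for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"               # stands in for the shell's cwd
PASS="example-passphrase"                   # constructed; use a real secret
SUBJ="/C=GB/ST=Example/L=Example/O=Example Ltd/CN=domain.tld"   # constructed

# Step 1: RSA private key, encrypted with the passphrase (DES3 as in the post).
make_key() {
    openssl genrsa -des3 -passout "pass:$PASS" -out "$WORK/domain.tld.key" 2048 2>/dev/null
}

# Step 2: CSR signed with that key; this is what you would send to a CA.
make_csr() {
    openssl req -new -key "$WORK/domain.tld.key" -passin "pass:$PASS" \
        -subj "$SUBJ" -out "$WORK/domain.tld.csr"
}

# Step 4: self-signed certificate from the same key, valid for 365 days.
self_sign() {
    openssl req -new -x509 -sha256 -days 365 -key "$WORK/domain.tld.key" \
        -passin "pass:$PASS" -subj "$SUBJ" -out "$WORK/domain.tld.crt"
}

# Check: the CSR's self-signature verifies (it was not corrupted or tampered
# with between generation and submission).
csr_is_valid() {
    openssl req -in "$WORK/domain.tld.csr" -noout -verify >/dev/null 2>&1
}

# Check: the CN in the certificate is the host name you intend to serve.
# CN is the last RDN in SUBJ, so stripping everything up to "CN=" leaves it.
cert_cn() {
    openssl x509 -in "$WORK/domain.tld.crt" -noout -subject | sed 's/.*CN *= *//'
}

# Check: issuer DN equals subject DN, the definition of a self-signed cert.
cert_is_self_signed() {
    s=$(openssl x509 -in "$WORK/domain.tld.crt" -noout -subject -nameopt RFC2253 | cut -d= -f2-)
    i=$(openssl x509 -in "$WORK/domain.tld.crt" -noout -issuer  -nameopt RFC2253 | cut -d= -f2-)
    [ "$s" = "$i" ]
}

# Check: the certificate is currently valid (-checkend 0 fails once expired).
cert_not_expired() {
    openssl x509 -in "$WORK/domain.tld.crt" -noout -checkend 0 >/dev/null
}

# Run the whole sequence and report the result.
make_key && make_csr && self_sign
csr_is_valid && cert_is_self_signed && cert_not_expired \
    && echo "OK: CN=$(cert_cn); key, CSR and certificate written to $WORK"
```

    For a CA-signed certificate the same checks apply, except that cert_is_self_signed should then fail, because the issuer DN will be the CA's rather than your own.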
  5. Configure Apache

    You now have your domain.tld.key (Key) file and your domain.tld.crt (Certificate) file. We will now need to configure Apache to use these.

  6. Install MOD_SSL

    Install mod_ssl via the yum repos.

    [root@server ~]# yum install mod_ssl
  7. Move the Key and Certificate

    Move the key and certificate. I usually create the directory “/etc/httpd/ssl” and then put my key and certificate in there.

    [root@server ~]# mkdir /etc/httpd/ssl
    [root@server ~]# mv domain.tld.key /etc/httpd/ssl/domain.tld.key
    [root@server ~]# mv domain.tld.crt /etc/httpd/ssl/domain.tld.crt
  8. Configure Apache (Password needed to restart Apache)

    Configure apache to use the Certificate and Key.

    [root@server ~]# vi /etc/httpd/conf.d/ssl.conf

    Configure the following paths:

    SSLCertificateFile /etc/httpd/ssl/domain.tld.crt
    SSLCertificateKeyFile /etc/httpd/ssl/domain.tld.key
  9. Restart Apache

    [root@server ~]# /sbin/service httpd restart

    You will be asked to enter a passphrase to start Apache; this is the passphrase we typed for the key right at the start. Once you have typed the correct passphrase, Apache will start up using SSL.

  10. Configure Apache (Password NOT needed to restart Apache)

    If you don't want to enter a passphrase to restart Apache, you have to remove the encryption from the key.

    [root@server ~]# cp domain.tld.key domain.tld.key.org
    [root@server ~]# openssl rsa -in domain.tld.key.org -out domain.tld.key
    [root@server ~]# chmod 400 domain.tld.key

    This removes the encryption and sets the key to only be readable by root.
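    Step 10 in script form, as an added example that is not part of the original post: it keeps the encrypted original, writes the unencrypted copy, applies chmod 400, and then runs the checks an operator wants before restarting Apache with an unencrypted key on disk: that the key really is unencrypted, that it is readable only by its owner, and that it is the key belonging to the certificate Apache will be told to serve (by comparing the RSA modulus of both). Directory, passphrase and subject are constructed for the example; the key-and-certificate fixture stands in for the files produced in steps 1 and 4.

```shell
#!/bin/sh
# Added example, not code from the original post. Strips the passphrase from
# an encrypted RSA key, restricts its permissions, and verifies the result.
# Directory, passphrase and subject are constructed values for this example.
set -eu

SSLDIR="${SSLDIR:-$(mktemp -d)}"           # stands in for /etc/httpd/ssl
PASS="example-passphrase"                   # constructed
KEY="$SSLDIR/domain.tld.key"
CRT="$SSLDIR/domain.tld.crt"

# Fixture: an encrypted key and a self-signed certificate made from it,
# i.e. the output of steps 1 and 4. Old copies are removed first so a
# previous chmod 400 cannot block the rewrite.
make_fixture() {
    rm -f "$KEY" "$KEY.org" "$CRT"
    openssl genrsa -des3 -passout "pass:$PASS" -out "$KEY" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 365 -key "$KEY" -passin "pass:$PASS" \
        -subj "/CN=domain.tld" -out "$CRT"
}

# Step 10: keep the encrypted original as .org, write a plaintext copy in its
# place, and make that copy readable only by its owner.
strip_passphrase() {
    cp "$KEY" "$KEY.org"
    openssl rsa -in "$KEY.org" -passin "pass:$PASS" -out "$KEY" 2>/dev/null
    chmod 400 "$KEY"
}

# Check 1: both PEM encodings openssl writes for an encrypted key carry the
# word ENCRYPTED (Proc-Type header or "BEGIN ENCRYPTED PRIVATE KEY"); a
# plaintext key carries neither.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$KEY"
}

# Check 2: the mode string is exactly -r-------- (owner read only). ls -l is
# used instead of stat because stat's flags differ between platforms.
key_is_private() {
    [ "$(ls -l "$KEY" | cut -c1-10)" = "-r--------" ]
}

# Check 3: the key and certificate share the same RSA modulus, so Apache
# will not fail at startup with a key/certificate mismatch.
key_matches_cert() {
    k=$(openssl rsa  -in "$KEY" -noout -modulus)
    c=$(openssl x509 -in "$CRT" -noout -modulus)
    [ "$k" = "$c" ]
}

# Run the sequence and report.
make_fixture
strip_passphrase
key_is_unencrypted && key_is_private && key_matches_cert \
    && echo "OK: $KEY is unencrypted, mode $(ls -l "$KEY" | cut -c1-10), and matches $CRT"
```

    The modulus comparison is the one worth keeping in a deployment checklist: a key that was regenerated or moved without its certificate passes every other check here but still stops Apache from starting.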

  11. Restart Apache

    [root@server ~]# /sbin/service httpd restart

    You shouldn't now be prompted to enter a passphrase, and Apache will start.
