Setting up SSL with Apache 2
I’m going to assume you have a working install of Apache 2. I’ve based this off Fedora Core 5, but it should apply to most distros. Let's get started by installing the SSL module.
yum install mod_ssl
Before going any further, you’ll want to test it out by browsing to https://yourserver/. You will receive a dialog about the certificate not being from a trusted authority, which brings us to a fork in the road. You can:
- Use the default certificate. However, if the hostname in https://sitename/ doesn’t match the hostname of the server, users will receive another dialog informing them of this. If you want to go this route, you don’t need to read the rest of this page.
- Generate your own certificate. This is better than the first option, but users will still receive a dialog stating the certificate is not from a trusted authority.
- Buy and import the certificate. Yes, this is the ideal way, but it involves money. For a business site, users will want to know that the certificate is from a trusted authority, and you should shell out the cash. However, for a home site you might want to go with option one or two.
Let's walk through creating your own certificate. If you’ve bought a certificate, skip this and go to the next section.
- Create the key and request. You will be asked a few questions. The important part is defining the correct common name, which should be the site's hostname, something like www.domainname.com.
openssl req -new > new.cert.csr
- Remove the passphrase from the key.
openssl rsa -in privkey.pem -out new.cert.key
- Convert the request into a signed certificate (the command is one line). The -days 365 specifies how long the certificate is valid for; after that time you will have to generate a new certificate.
openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365
- Copy the signed cert and key to the correct directories.
cp new.cert.key /etc/pki/tls/private/
cp new.cert.cert /etc/pki/tls/certs/
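The four steps above, as an added shell example that is not part of the original page: it runs them non-interactively and then checks the result (key and certificate belong together, the common name is right, the -days value took effect) before anything is copied into /etc/pki. It assumes the openssl command-line tool is installed; the hostname, directory and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: run the four steps above
# non-interactively, then verify the result before copying anything
# into /etc/pki. Assumes the openssl command-line tool is installed;
# the hostname, directory and file names below are placeholders.

# make_selfsigned HOSTNAME DAYS DIR
# Writes DIR/new.cert.key, DIR/new.cert.csr and DIR/new.cert.cert.
make_selfsigned() {
    host=$1; days=$2; dir=$3
    mkdir -p "$dir" || return 1
    # Key and request in one go. -nodes leaves the key unencrypted (the
    # page's "remove the passphrase" step) and -subj answers the prompts,
    # so the common name is exactly the hostname users will type.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/new.cert.key" -out "$dir/new.cert.csr" 2>/dev/null || return 1
    # Self-sign the request, as on the page.
    openssl x509 -req -in "$dir/new.cert.csr" -signkey "$dir/new.cert.key" \
        -days "$days" -out "$dir/new.cert.cert" 2>/dev/null || return 1
    # The private key must not be readable by anyone but root.
    chmod 600 "$dir/new.cert.key"
}

# cert_matches_key CERT KEY: succeeds only if both carry the same public key.
# A mismatch between SSLCertificateFile and SSLCertificateKeyFile is the
# usual reason httpd refuses to start after the copy step.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_cn CERT: prints the certificate's common name, to compare against the
# hostname in the URL (the mismatch warning described under option one).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# cert_valid_for CERT SECONDS: succeeds if the certificate is still valid
# SECONDS from now, i.e. the -days value really took effect.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Usage: sh thisscript.sh www.example.com [days] [dir]
if [ $# -gt 0 ]; then
    make_selfsigned "$1" "${2:-365}" "${3:-.}" &&
        cert_matches_key "${3:-.}/new.cert.cert" "${3:-.}/new.cert.key" &&
        echo "ok: CN=$(cert_cn "${3:-.}/new.cert.cert")"
fi
```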
All that's left is to tell the Apache SSL module where the certificate is. Open /etc/httpd/conf.d/ssl.conf and modify the lines to read:
SSLCertificateFile /etc/pki/tls/certs/new.cert.cert
SSLCertificateKeyFile /etc/pki/tls/private/new.cert.key