Apache2 - Configure SSL
By: Jaisen Mathai
<jaisen@jmathai.com>
This document follows docs from GoDaddy.
I'm finished with this step
This document was originally created on 07/05/2007
Abstract:
This document covers generating ssl certificate key using OpenSSL and set up apache2.
This document follows docs from GoDaddy.
Table of Contents:
1. Generate key file
First we need to generate the key file using openssl.
I'm finished with this step
# ssl certificates are domain specific
# if you create an ssl certificate for yourdomain.com it will not work for www.yourdomain.com
# you can purchase and genrate wildcard certificates which this tutorial does not cover
# cd to your root directory and generate the files there
root# cd /root
root# openssl genrsa -des3 -out www.yourdomain.com.key 1024
Enter pass phrase for www.yourdomain.com.key: # this is required but we will remove it later
Verifying - Enter pass phrase for www.yourdomain.com.key: # re-type your passphrase
# we will want to remove the passhrase else apache will need it every time it's started or restarted
root# openssl rsa -in www.yourdomain.com.key -out www.yourdomain.com.key
2. Generate csr file
Now we'll generate our csr file using the key file from above
I'm finished with this step
root# openssl req -new -key www.yourdomain.com.key -out www.yourdomain.com.csr
# You'll be asked a series of questions...answer these carefully
Enter pass phrase for www.yourdomain.com.key: # enter your passphrase from above
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: # this should be www.yourdomain.com or whatever you are using this ssl certificate for
Email Address []:
# these are optional
A challenge password []: # You can leave this blank. If you do not then make sure you write it down
An optional company name []:
# check and make sure the csr was generated
root# less www.yourdomain.com.csr
# your csr should look something like this
-----BEGIN NEW CERTIFICATE REQUEST-----
MI****SAMPLE SAMPLE SAMPLE******BgNVBAYTAlVTMRAwDgYDVQQIEwdHZW9y
DQ*********DO NOT TRY TO USE THIS CSR**********BVbml2ZXJzaXR5IG9
aWExNTAzBgNVBAsTLFVuaXZlcnNpdHkgQ29tcHV0aW5nIGFuZCBOZXR3b3JraW5n
IFNlcnZpY2VzMRYwFAYDVQQDEw13d3ctcy51Z2EuZWR1MIGdMA0GCSqGSIb3DQEB
AQUAA4GLADCBhwKBgQDh3yRPs36ywGwDK3ZS3qaOoNraOFHkSNTsielHUMHxV1/G
N1E43/bifEQJUvSw/nrkOQf3Ync8O/39lelUTJeP6QZkX9Hg1XtuSUov3ExzT53l
vbctCMtmZONOY+ybEHl/mX0RdqXFnivLpXohr7dJ5A1qHfjww/SLW8J/7UXj1QIB
A6AAMA0GCSqGSIb3DQEBBAUAA4GBAIEu35zoGmODCcwwNrTqZk3JQAjyONJxjjtd
uQ+QLQcckO4aghBpcqsgLckW6Pa6mbjeUV1wffn2dtbKsmz7DnK2fwnyaBtxXMvi
CC4o9uvW11i5TjdorfOdRI1lR0FrNAzf+3GQUl1S2a83wagvFjo12yUCukrxBgyU
bXbmNuJpkdsjdkjfkdjfkdfjdkfjdkfjdkfj
-----END NEW CERTIFICATE REQUEST-----
3. Submit csr to issuing company
You will need to submit the contents of your csr file to the company issuing your ssl certificate.
They will then process it and you can then create your certificate.
I'm finished with this step
4. Installing your certificate
# copy your csr and key files to /etc/apache2/ssl and cd to that directory
root# cp www.yourdomain.com.* /etc/apache2/ssl/
root# cd /etc/apache2/ssl
# you can remove the files from /root at your discretion
# create your crt file and copy/paste what your the issuing company provided
root# nano www.yourdomain.com.crt
# paste in the certificate from the issuing company
# it should look something like this
-----BEGIN CERTIFICATE-----
MIIE9jCCA96gAwIBAgIDQA+ZMA0GCSqGSIb3DQEBBQUAMIHKMQswCQYDVQQGEwJV
UzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEaMBgGA1UE
ChMRR29EYWRkeS5jb20sIEluYy4xMzAxBgNVBAsTKmh0dHA6Ly9jZXJ0aWZpY2F0
ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeTEwMC4GAawe4tEAxMnR28gRGFkZHkgU
dXJlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MREwDwYDVQQFEwgwNzk2OTI4NzAe
Fw0wNzA1MDcxNDQ3MDVaFw0wODA1MDcxNDQ3MDVaMFsxGjAYBgNVBAoTEXd3dy5m
b3Rvc3RpY2suY29tMSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0ZWQx
GjAYBgNVBAMTEXd3dy5mb3Rvc3RpY2suY29tMIGfyit0GCSqGSIb3DQEBAQUAA4G
ADCBiQKBgQDPNty9crTmSwx6v7Uf7iegO1D2IllflQ6Y7pYHfIabbJ46pPeaYf/b
GRFqKK9XpnFAiOQJE+CCDYVeQEjinACCqMB9HNhyniem9OuxriONxJr9/uLmuf6O
gzyOWu7DVcYq4oGIDTRAOI2IiRxa2m2+j0gO7SMVjrqW5MYHz/JF7QIDAQABo4IB
1TCCAdEwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAtjkHQYDVR0lBBYwFAYIKwYBBQ
AwEGCCsGAQUFBwMCMFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9jZXJ0aWZpY2F0
ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nb2RhZGR5ZXh0ZW5kZWRpc3N1aW5n
LmNybDBSBgNVHSAESzBJMEcGC2CGSAGG/W0BBxcBMDgwNgYIKwYBBQUHAgEWKmh0
dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jasdf0vcmVwb3NpdG9yeTB/BggrBg
BQcBAQRzMHEwIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLmdvZGFkZHkuY29tMEoG
CCsGAQUFBzAChj5odHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9z
aXRvcnkvZ2RfaW50ZXJtZWRpYXRlLmNydDAdBgNVHQ4EFgQUBo1mD5WYgG5dILRU
9FN1iapA47kwHwYDVR0jBBgwFoAU/axhMpNsRdbi7oVfmrrndplozOcwKwYDVR0R
BCQwIoIRd3d3LmZvdG9zdGljay5jb22CasasdfZvdG9zdGljay5jb20wDQYJKoZI
AQEFBQADggEBAKu2nk3hwXrMhUbVyG8PzvPriZALJJYEZXdD7nJExtL3tFjX42rn
TOZPJqt3idqbYpV35yj7JZjhGISgRuL/229Yl7+oMdfatUxlfq432QTWElG/ILoY
5ojH+e9iuXZTvgIt9WgH8rxFJpqx6Easas//71dsgenQO9w5QgGJjrVAqWr4Lmcx
TQxGk0YTTsBLvp97rz9lxBtA3E7+yAiV+Cdn7MizRO+FCldtb62arj12kIAIzMyN
h557e6bAK+ozfoz9TkO+ntSHGsKJyUvVunShGGqNkm2y5bGM8fq2JNUpJjBTZbng
zil5HznN9jL+LDBNZxL9bDDsnjCQl5piHtU=
-----END CERTIFICATE-----
# for godaddy certificates you will need to download and install an additional intermediate certificate
# you can get this from their repository
root# wget https://certificates.godaddy.com/repository/gd_intermediate_bundle.crt
# Now you can configure apache
# You will need a new virtual host block and accepts requests on port 443
root# nano /etc/apache2/vhosts.d/www.yourdomain.com.conf
# add a new vhost block with the ssl directives
<Virtualhost *:443>
# start any settings you need
# ...
# stop any settings you need
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl/www.yourdomain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.yourdomain.com.key
SSLCertificateChainFile /etc/apache2/ssl/gd_intermediate_bundle.crt # this is only needed for GoDaddy certificates
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</Virtualhost>
5. Check configuration and restart apache
Now that you're all finished you will want to test your configuration and restart apache
I'm finished with this step
# test the configuration first!!
root# /etc/init.d/apache2 configtest
# if the configuration is ok then restart apache
root# /etc/init.d/apache2 restart
6. Validate that everything is working
You can validate that everything is working by going to https://www.yourdomain.com/.
If the site seems like it is hanging then check the logs.
If there is nothing in the logs then you might need to increase the entropy.
I'm finished with this step
# something like this should give you enough entropy
root# emerge --sync
This document was originally created on 07/05/2007
Conventions and tips for this howto document:
- Though this howto is Gentoo specific, it will work on most distros
Disclaimer:
This page is not endorsed by gentoo.org or any other cool
cats. Any information provided in this document is to be used
at your own risk.
