
Configuring Apache HTTP Server 2.2.3 for Secure Socket Layer [openssl] 2009

Configuring Apache HTTP Server for Secure Socket Layer [SSL]

@ The steps involved to configure SSL support in Apache are listed here:

1. Install OpenSSL on your server, if it is not already installed. Most Linux systems should have OpenSSL installed.
2. Check whether your Apache installation has mod_ssl support. If not, you would need to build Apache from source with mod_ssl support.
3. Get or generate an SSL certificate, and install it in Apache.
4. Make configuration changes in Apache for mod_ssl.
5. Test the SSL-enabled Apache-Tomcat setup.

@ Initial step

. Install Apache HTTP Server 2.2.3 built with OpenSSL support.
. To check that OpenSSL is installed properly on the system, go to the <APACHE_HOME>/bin directory and type the following command:

<APACHE_HOME>/bin>openssl version

. If OpenSSL is installed, it reports its version number, similar to the following:

OpenSSL 0.9.8e 28 Feb 2007

@ Generating a Test Certificate with OpenSSL

Following are the main steps involved:

1. Create a configuration file for generating the certificate.
2. Create a certificate signing request; this is what you submit to a CA if you are buying a certificate.
3. Purchase a certificate from a CA or create a self-signed certificate.
4. Remove the passphrase from the private key.
5. Install the key and certificate to the server.

1. Configuration File for Generating a Certificate

Create a working directory called “certworks”. You can generate all the required requests, keys, configuration, and certificates there. A configuration file is required for generating the server certificate; a sample configuration file is presented in the following listing. Save the following contents in a file named "myconfig.file" in the certworks directory.

RANDFILE = ./random.txt
[req]
default_bits = 1024
default_keyfile = keyfile.pem
attributes = req_attributes
distinguished_name = MCA
prompt = no
output_password = mypassword
[MCA]
C = IN
ST = AP
L = HYD
O = MCA
OU = MCA 1
CN = 127.0.0.1
emailAddress = mail@myserver.com
[req_attributes]
challengePassword = mypassword

. If you are testing on your own local LAN, you should change the CN (Common Name) entry to the fully qualified hostname or IP of your host. In the example above, the CN is set to 127.0.0.1.
. If you are actually setting this up for a registered fully qualified domain name, this entry must match exactly the domain that you are requesting the certificate for. If your users do not use this exact name to access your site, they get a security warning from the browser.
. The key generator needs a file containing a random number to add entropy to the algorithm. Create a file called random.txt and put a large random number in it.

2. Create a Certificate Signing Request

The command for creating a certificate signing request is as follows:

openssl req -new -out server.csr -config myconfig.file

If you use the configuration from myconfig.file, this step creates a certificate signing request (server.csr) and a private key (keyfile.pem).

The following is a sample output from this command:

Generating a 1024 bit RSA private key
..............++++++
.................++++++
writing new private key to ‘keyfile.pem’
-----

3. Remove the Passphrase from the Private Key

openssl rsa -in keyfile.pem -out server.key

4. Create a Self-Signed Certificate

openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

The following is a sample output from this step:

Signature ok
subject=/C=IN/ST=AP/L=NSP/O=MCA/OU=MCA1 Press/CN=127.0.0.1/emailAddress=naidu_jakkampudi@yahoo.com
Getting Private key

The self-signed certificate is generated in the "server.crt" file.

5. Install the Certificate

Copy the private server key file (server.key) and the server certificate file (server.crt) to the <APACHE_HOME>/conf directory. Make sure that server.key and server.crt can be read by the user running the Apache Web server.
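Steps 1 to 4 above (configuration file, CSR and key, passphrase removal, self-signed certificate) as shell functions, followed by the checks worth running before the files are copied in step 5. This is an added example, not part of the original page: the file names and DN values are the page's, while the 2048-bit key size (1024-bit RSA is no longer considered adequate), the -passin flag that supplies the passphrase non-interactively, the dropped RANDFILE line, the function names and the CERTWORKS_DEMO variable are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: steps 1 to 4 as shell
# functions, plus checks on the result. File names and DN values are the
# page's; the 2048-bit key, the -passin flag, the dropped RANDFILE line and
# the function names are this example's assumptions.

# Step 1: write the OpenSSL request configuration into the working directory.
# RANDFILE is omitted: OpenSSL 1.1.1 and later seed the RNG themselves.
write_req_config() {
    # $1 = working directory (the page's "certworks")
    cat > "$1/myconfig.file" <<'EOF'
[req]
default_bits = 2048
default_keyfile = keyfile.pem
attributes = req_attributes
distinguished_name = MCA
prompt = no
output_password = mypassword
[MCA]
C = IN
ST = AP
L = HYD
O = MCA
OU = MCA 1
CN = 127.0.0.1
emailAddress = mail@myserver.com
[req_attributes]
challengePassword = mypassword
EOF
}

# Step 2: create the CSR. Without -newkey, openssl req generates the key
# described by default_bits/default_keyfile and encrypts it with output_password.
# Paths in the config are relative, so each step runs inside the directory.
make_csr() {
    (cd "$1" && openssl req -new -out server.csr -config myconfig.file 2>/dev/null)
}

# Step 3: strip the passphrase so httpd can start unattended. -passin supplies
# the passphrase non-interactively; the page's form prompts for it instead.
strip_passphrase() {
    (cd "$1" && openssl rsa -in keyfile.pem -passin pass:mypassword -out server.key 2>/dev/null)
}

# Step 4: self-sign the request with the unencrypted key, valid for 365 days.
self_sign() {
    (cd "$1" && openssl x509 -req -in server.csr -signkey server.key -days 365 \
        -out server.crt 2>/dev/null)
}

# Check: the certificate's subject carries the expected CN. RFC 2253 output
# keeps the format stable across OpenSSL versions.
cert_has_cn() {
    # $1 = certificate file, $2 = expected CN
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -E "CN=$2"'(,|$)' >/dev/null
}

# Check: the certificate was issued for the private key that will sit next to
# it in <APACHE_HOME>/conf (RSA modulus comparison).
key_matches_cert() {
    c=$(openssl x509 -in "$1/server.crt" -noout -modulus)
    k=$(openssl rsa -in "$1/server.key" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Check: server.key really has no passphrase left on it.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1/server.key"
}

# Steps 1 to 4 followed by the three checks; returns 0 only if all pass.
run_all() {
    mkdir -p "$1" && write_req_config "$1" && make_csr "$1" && strip_passphrase "$1" \
        && self_sign "$1" && cert_has_cn "$1/server.crt" 127.0.0.1 \
        && key_matches_cert "$1" && key_is_unencrypted "$1"
}

# CERTWORKS_DEMO=1 sh certworks.sh builds ./certworks; without it the file
# only defines the functions.
if [ "${CERTWORKS_DEMO:-0}" = 1 ]; then
    run_all ./certworks && echo "server.key and server.crt are ready in ./certworks"
fi
```

key_matches_cert compares the RSA modulus of server.crt with that of server.key; a mismatched pair is the usual reason httpd refuses to start after a certificate is replaced, so it is worth checking before the files are copied into <APACHE_HOME>/conf.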

6. Setting up mod_ssl in Apache

The default SSL configuration file can be found in the <APACHE_HOME>/conf/extra directory and is called httpd-ssl.conf. This file then needs to be included from httpd.conf. Edit this file, following its extensive comments, if you need to customize the configuration.

Some directives you might need to tweak include the following:

❏ SSLCertificateKeyFile : Path to the server private key file (i.e., the server.key file)
❏ SSLCertificateFile : Path to the server certificate file (i.e., the server.crt file)
❏ VirtualHost : The SSL virtual host context. If you are setting up virtual hosts, or even redirecting to a Tomcat worker, this is the place where you should make your configuration changes. The DocumentRoot in the default VirtualHost points to Apache’s DocumentRoot; change it to match the value of "DocumentRoot" in the "conf/httpd.conf" file. You must also enter the value for ServerAdmin, the email address of the administrator.

7. Finally, you need to make a few edits in <APACHE_HOME>/conf/httpd.conf so that Apache can use the mod_ssl extension.
First, uncomment or add this line (if not already present) to load the mod_ssl library:

LoadModule ssl_module modules/mod_ssl.so

Then, find and uncomment the following line, to include the mod_ssl configuration file:

Include conf/extra/httpd-ssl.conf
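Steps 5 to 7 as code: a function that uncomments the two httpd.conf lines, and a preflight check that verifies the key and certificate files, their permissions and the mod_ssl wiring before httpd is restarted. This is an added example, not code from the original page or from the Apache project. The <APACHE_HOME> layout (conf/httpd.conf, conf/extra/httpd-ssl.conf, modules/mod_ssl.so) and the directive names are the page's; the sample configuration contents, the placeholder key and certificate files, the checks and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original page or the Apache project: steps 5 to 7
# as code. <APACHE_HOME>/conf/httpd.conf, conf/extra/httpd-ssl.conf,
# modules/mod_ssl.so and the directive names are the page's; the sample config
# contents, the checks and the function names are this example's assumptions.

# Constructed sample tree standing in for a fresh Apache 2.2 install. The two
# httpd.conf lines that step 7 uncomments start out commented, and server.key /
# server.crt are placeholder files, not real key material.
make_sample_tree() {
    # $1 = directory playing the role of <APACHE_HOME>
    mkdir -p "$1/conf/extra" "$1/modules"
    cat > "$1/conf/httpd.conf" <<'EOF'
#LoadModule ssl_module modules/mod_ssl.so
DocumentRoot "/usr/local/apache2/htdocs"
# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
EOF
    cat > "$1/conf/extra/httpd-ssl.conf" <<'EOF'
Listen 443
<VirtualHost _default_:443>
DocumentRoot "/usr/local/apache2/htdocs"
ServerName 127.0.0.1:443
ServerAdmin admin@myserver.com
SSLEngine on
SSLCertificateFile "conf/server.crt"
SSLCertificateKeyFile "conf/server.key"
</VirtualHost>
EOF
    echo "placeholder certificate" > "$1/conf/server.crt"
    echo "placeholder private key" > "$1/conf/server.key"
    # Step 5: the certificate is public, the key is not.
    chmod 644 "$1/conf/server.crt"
    chmod 600 "$1/conf/server.key"
    : > "$1/modules/mod_ssl.so"
}

# Step 7: uncomment the LoadModule and Include lines. A temp file is used
# instead of sed -i, whose syntax differs between GNU and BSD sed.
enable_mod_ssl() {
    f="$1/conf/httpd.conf"
    sed -e 's|^#[[:space:]]*\(LoadModule[[:space:]][[:space:]]*ssl_module[[:space:]].*\)|\1|' \
        -e 's|^#[[:space:]]*\(Include[[:space:]][[:space:]]*conf/extra/httpd-ssl\.conf\)|\1|' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# True if file $1 has an uncommented line matching extended regex $2.
active_line() {
    grep -E "^[[:space:]]*$2" "$1" >/dev/null
}

# Value of the first uncommented directive $2 in file $1, quotes stripped;
# fails if the directive is absent.
directive_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" "$1" \
        | sed 's/^"//; s/"$//' | head -n 1 | grep .
}

# httpd resolves relative paths against ServerRoot; here $1 plays that role.
resolve_path() {
    case "$2" in /*) printf '%s\n' "$2" ;; *) printf '%s/%s\n' "$1" "$2" ;; esac
}

# Preflight for steps 5 to 7, run before restarting httpd. Prints the first
# problem found and returns 1; returns 0 when everything is in place.
check_mod_ssl_wiring() {
    home=$1
    conf="$home/conf/httpd.conf"
    sslconf="$home/conf/extra/httpd-ssl.conf"
    active_line "$conf" 'LoadModule[[:space:]]+ssl_module[[:space:]]+modules/mod_ssl\.so' \
        || { echo "httpd.conf: LoadModule ssl_module is missing or commented out"; return 1; }
    [ -f "$home/modules/mod_ssl.so" ] \
        || { echo "modules/mod_ssl.so not found: this build has no mod_ssl"; return 1; }
    active_line "$conf" 'Include[[:space:]]+conf/extra/httpd-ssl\.conf' \
        || { echo "httpd.conf: Include conf/extra/httpd-ssl.conf is missing or commented out"; return 1; }
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        v=$(directive_value "$sslconf" "$d") || { echo "httpd-ssl.conf: $d is not set"; return 1; }
        p=$(resolve_path "$home" "$v")
        [ -r "$p" ] || { echo "$d: $p is missing or unreadable"; return 1; }
    done
    key=$(resolve_path "$home" "$(directive_value "$sslconf" SSLCertificateKeyFile)")
    # A world-readable private key lets any local account impersonate the server.
    [ -z "$(find "$key" -perm -004)" ] \
        || { echo "$key is world-readable; chmod 600 it"; return 1; }
    echo "mod_ssl wiring looks complete"
}
```

On a real installation, call enable_mod_ssl and then check_mod_ssl_wiring with <APACHE_HOME> as the argument; the check only reads files, so it is safe to run repeatedly. The world-readable test goes a little further than the page's "can be read by the user running the Apache Web server": the key must be readable by that user and by nobody else.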


8. Testing the SSL installation in Apache

. Open the following URI in a browser. You may get alert messages from the browser; these appear because the certificate is self-signed and meant for testing only.
. After accepting those alerts and exceptions, your default index file should load.

https://localhost