Configuring Apache HTTP Server 2.2.3 for Secure Socket Layer [openssl]

2009

Configuring Apache HTTP Server for Secure Socket Layer [SSL]
The steps involved in configuring SSL support in Apache are:

1. Install OpenSSL on your server, if it is not already installed. Most Linux systems already have OpenSSL installed.
2. Check whether your Apache installation has mod_ssl support. If not, build Apache from source with mod_ssl enabled.
3. Get or generate an SSL certificate, and install it in Apache.
4. Make the configuration changes in Apache for mod_ssl.
5. Test the SSL-enabled Apache-Tomcat setup.

Initial step

Install Apache HTTP Server 2.2.3 built with OpenSSL support. To test whether OpenSSL is installed properly, go to the <APACHE_HOME>/bin directory and run the following command (the same check works with the system openssl binary on your PATH if Apache did not bundle one):

    <APACHE_HOME>/bin> openssl version

If OpenSSL is installed, you should see a report of the version number, similar to the following:

    OpenSSL 0.9.8e 28 Feb 2007

Generating a Test Certificate with OpenSSL

The main steps involved are:

1. Create a configuration file for generating the certificate.
2. Create a certificate signing request; this is what you submit to a CA if you are buying a certificate.
3. Purchase a certificate from a CA or create a self-signed certificate.
4. Remove the passphrase from the private key.
5. Install the key and certificate on the server.

1. Configuration File for Generating a Certificate

Create a working directory called "certworks". You can generate all the required requests, keys, configuration, and certificates there. A configuration file is required for generating the server certificate. A sample configuration file is presented in the following listing. Save the following contents in a file named "myconfig.file" in the certworks directory:

    RANDFILE = ./random.txt

    [req]
    default_bits = 1024
    default_keyfile = keyfile.pem
    attributes = req_attributes
    distinguished_name = MCA
    prompt = no
    output_password = mypassword

    [MCA]
    C = IN
    ST = AP
    L = HYD
    O = MCA
    OU = MCA1
    CN = 127.0.0.1
    emailAddress = mail@myserver.com

    [req_attributes]
    challengePassword = mypassword

Notes on this file:

❏ If you are testing on your own local LAN, change the CN (Common Name) entry to the fully qualified hostname or IP address of your host. In the example above, the CN is set to 127.0.0.1.
❏ If you are setting this up for a registered fully qualified domain name, this entry must match exactly the domain that you are requesting the certificate for. If your users do not use this exact name to access your site, they get a security warning from the browser.
❏ default_bits = 1024 is the value used on this page; 1024-bit RSA keys are below today's minimum, so use 2048 or larger for anything other than a throwaway test.
❏ output_password and challengePassword are stored in clear text, so keep myconfig.file readable only by the account that generates the certificate, and delete it (or the passphrase) once the key exists.
❏ The key generator needs a file containing random data to add entropy to the algorithm. Create a file called random.txt and put a large random number in it. On Linux, OpenSSL also seeds itself from the operating system's random device, so this file adds little on its own.

2. Create a Certificate Signing Request

The command for creating a certificate signing request is:

    openssl req -new -out server.csr -config myconfig.file

With the configuration from myconfig.file, this step creates a certificate signing request (server.csr) and a private key (keyfile.pem). The following is sample output from this command:

    Generating a 1024 bit RSA private key
    ..............++++++
    .................++++++
    writing new private key to 'keyfile.pem'
    -----

3. Remove the Passphrase from the Private Key

    openssl rsa -in keyfile.pem -out server.key

You are prompted for the passphrase set by output_password. The resulting server.key is unencrypted, which lets Apache start without an operator typing the passphrase; it also means anyone who can read the file has the key, so restrict its permissions (see step 5).

4. Create a Self-Signed Certificate

    openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

The following is sample output from this step:

    Signature ok
    subject=/C=IN/ST=AP/L=NSP/O=MCA/OU=MCA1 Press/CN=127.0.0.1/emailAddress=naidu_jakkampudi@yahoo.com
    Getting Private key

(The subject shown was captured with slightly different values in the [MCA] section; with myconfig.file as listed above you get L=HYD, OU=MCA1 and emailAddress=mail@myserver.com.) The self-signed certificate is written to the file server.crt.

5. Install the Certificate

Copy the server private key file (server.key) and the server certificate file (server.crt) to the <APACHE_HOME>/conf directory. Make sure that server.key and server.crt can be read by the user running the Apache web server, and that server.key is readable by nobody else. If httpd is started as root, the key is loaded by the root parent process before it drops privileges, so server.key can be owned by root with mode 0600; if you start httpd as an unprivileged user, that user needs read access to the key.

6. Setting up mod_ssl in Apache

The default SSL configuration file is <APACHE_HOME>/conf/extra/httpd-ssl.conf. This file then needs to be included from httpd.conf. Edit it, following the extensive comments, if you need to customize the configuration. Some directives you might need to tweak include the following:

❏ SSLCertificateKeyFile: path to the server private key file (i.e., the server.key file)
❏ SSLCertificateFile: path to the server certificate file (i.e., the server.crt file)
❏ VirtualHost: the SSL virtual host context. If you are setting up virtual hosts, or redirecting to a Tomcat worker, this is the place where you make your configuration changes. The DocumentRoot in the default virtual host points to Apache's DocumentRoot; change it to match the value of DocumentRoot in conf/httpd.conf. You must also enter the value for ServerAdmin, the email address of the administrator.

7. Finally, you need to make a few edits in <APACHE_HOME>/conf/httpd.conf so that Apache can use the mod_ssl extension. First, uncomment or add this line (if it is not already present) to load the mod_ssl library:

    LoadModule ssl_module modules/mod_ssl.so

Then find and uncomment the following line to include the mod_ssl configuration file:

    Include conf/extra/httpd-ssl.conf
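The certificate steps above (2 to 5), as an added example that is not part of the original page: a POSIX shell script that writes the request configuration, generates the encrypted key and CSR, strips the passphrase, self-signs the request, and then checks that server.key and server.crt actually belong together before they go into <APACHE_HOME>/conf. It also carries a shell version of the later browser test. Assumptions (not from the page): openssl is on the PATH, the passphrase is "mypassword" as in myconfig.file, the key size is 2048 bits instead of the page's 1024, and the working directory and common name are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original page): run the certificate steps
# non-interactively and check the result. Assumptions: openssl on PATH,
# passphrase "mypassword" as in myconfig.file, 2048-bit key.
set -eu

# Step 1: write a request configuration with the same shape as
# myconfig.file. No RANDFILE line: OpenSSL seeds from the OS on Linux.
# Arguments: working directory, common name.
write_req_config() {
    cat > "$1/myconfig.file" <<EOF
[req]
default_bits       = 2048
default_keyfile    = keyfile.pem
attributes         = req_attributes
distinguished_name = MCA
prompt             = no
output_password    = mypassword

[MCA]
C            = IN
ST           = AP
L            = HYD
O            = MCA
OU           = MCA1
CN           = $2
emailAddress = mail@myserver.com

[req_attributes]
challengePassword = mypassword
EOF
    chmod 600 "$1/myconfig.file"   # it holds the passphrase in clear text
}

# Steps 2 to 4: CSR plus encrypted key, passphrase removal, self-signed
# certificate. Arguments: working directory, common name.
generate_server_cert() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    write_req_config "$dir" "$cn"
    # step 2: keyfile.pem is encrypted with output_password from the config
    openssl req -new -config "$dir/myconfig.file" \
        -keyout "$dir/keyfile.pem" -out "$dir/server.csr" 2>/dev/null
    # step 3: unencrypted copy so httpd can start unattended; lock it down
    openssl rsa -in "$dir/keyfile.pem" -passin pass:mypassword \
        -out "$dir/server.key" 2>/dev/null
    chmod 600 "$dir/server.key"
    # step 4: self-signed certificate, valid for one year
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -days 365 -out "$dir/server.crt" 2>/dev/null
}

# Checks before step 5 (copying into <APACHE_HOME>/conf): the certificate
# must carry the public key of server.key, be inside its validity period,
# and name the host you expect. Returns 0 only when all three hold.
check_server_cert() {
    dir=$1; cn=$2
    key_mod=$(openssl rsa -noout -modulus -in "$dir/server.key" 2>/dev/null)
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/server.crt")
    [ "$key_mod" = "$crt_mod" ] \
        || { echo "server.key does not match server.crt" >&2; return 1; }
    openssl x509 -noout -checkend 0 -in "$dir/server.crt" >/dev/null \
        || { echo "server.crt has expired" >&2; return 1; }
    openssl x509 -noout -subject -in "$dir/server.crt" | grep -q "CN *= *$cn" \
        || { echo "server.crt CN is not $cn" >&2; return 1; }
    return 0
}

# Step 8 from the shell instead of a browser: does the server at host:port
# present a certificate that verifies against cafile (our server.crt)?
# Without -CAfile the same self-signed certificate ends with
# "Verify return code: 18", which is what the browser alert is about.
tls_verify_check() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
        </dev/null 2>/dev/null | grep -q "Verify return code: 0 (ok)"
}

# Usage: sh make_test_cert.sh certworks 127.0.0.1
if [ $# -ge 1 ]; then
    generate_server_cert "$1" "${2:-127.0.0.1}"
    check_server_cert "$1" "${2:-127.0.0.1}" \
        && echo "ok: $1/server.key and $1/server.crt match, copy them to <APACHE_HOME>/conf"
fi
```

The modulus comparison is the check that catches the most common mistake at step 5, copying a server.crt that was signed with a different server.key; httpd then fails at startup with a key/certificate mismatch, which this script reports before any files are copied.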
8. Testing the SSL installation in Apache

Restart Apache and open the following URL in a browser:

    https://localhost

The browser shows an alert, because the certificate is self-signed for test purposes and its issuer is not trusted (and, if the CN you chose is 127.0.0.1 rather than localhost, because the name does not match). After accepting the alert and adding the exception, your default index file loads.
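A worked version of steps 6 and 7, added here and taken neither from the page nor from the httpd distribution: the SSL virtual host as you would write it in conf/extra/httpd-ssl.conf once the step 5 files are in place, with the protocol and cipher settings tightened relative to the shipped file. The <APACHE_HOME> of /usr/local/apache2, the hostname www.example.com and the administrator address are assumptions.

```apache
# conf/extra/httpd-ssl.conf (edited). Added example; paths and names are
# assumptions, not values from the page. Needs these two lines active in
# httpd.conf (step 7):
#   LoadModule ssl_module modules/mod_ssl.so
#   Include conf/extra/httpd-ssl.conf

Listen 443

# Session cache shared between worker processes (built into 2.2 mod_ssl).
SSLSessionCache        "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

<VirtualHost _default_:443>
    ServerName   www.example.com:443
    ServerAdmin  webmaster@example.com
    # Same value as DocumentRoot in conf/httpd.conf
    DocumentRoot "/usr/local/apache2/htdocs"
    ErrorLog     "/usr/local/apache2/logs/ssl_error_log"
    TransferLog  "/usr/local/apache2/logs/ssl_access_log"

    SSLEngine on

    # Files copied in step 5. server.key must be readable only by the
    # account that starts httpd.
    SSLCertificateFile    "/usr/local/apache2/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"

    # The shipped file allows every protocol and a permissive cipher list.
    # Refuse SSLv2 and SSLv3 and anonymous, null and weak ciphers, and let
    # the server rather than the client choose the suite. With the
    # OpenSSL 0.9.8 build used on this page that leaves TLSv1.0.
    SSLProtocol         all -SSLv2 -SSLv3
    SSLCipherSuite      HIGH:!aNULL:!eNULL:!MD5:!RC4
    SSLHonorCipherOrder on
</VirtualHost>

# Do not serve the same content over plain HTTP; send clients to HTTPS.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

# Step 8 from the shell, after "apachectl configtest" passes and httpd
# has been restarted:
#   openssl s_client -connect 127.0.0.1:443 -CAfile conf/server.crt </dev/null
# should end with "Verify return code: 0 (ok)". Without -CAfile the
# self-signed certificate gives code 18; that is the browser alert.
```

Only the TLS-related directives differ from the shipped file; everything else is the documented minimum for a working SSL virtual host, so you can diff this against your edited copy to see what else the defaults have enabled.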
