Total Pageviews

Thursday, July 26, 2007

Howto configure SSL for Apache2

To enable SSL support in Apache2 the first step is to create a SSL certificate. If you are not among the lucky ones having apache2-ssl-certificate installed you can use the Linux shell script below to create a SSL certificate

#!/bin/bash
SERVER=your.server.com
PRIVATE_KEY=$SERVER.private.key
CERTIFICATE_FILE=$SERVER.crt
VALID_DAYS=365

echo Delete old private key
rm $PRIVATE_KEY
echo Create new private/public-keys without passphrase for server
openssl genrsa -out $PRIVATE_KEY 1024

echo Create selfsigned certificate
rm $CERTIFICATE_FILE
# From man req:
#  -x509
#    this option outputs a self signed certificate instead
#    of a certificate request. This is typically used to
#    generate a test certificate or a self signed root CA.
#    The extensions added to the certificate (if any) are
#    specified in the configuration file.

openssl req -new         -days $VALID_DAYS         -key $PRIVATE_KEY         -x509         -out $CERTIFICATE_FILE

echo private-keyfile is $PRIVATE_KEY
echo server-certificate-file is $CERTIFICATE_FILE

ls -l $PRIVATE_KEY $CERTIFICATE_FILE

The SERVER variable is very important. Please name your fully qualified server name there. After executing the script and answering the questions you've got two files: the certificate file (suffix .crt) and the key file (suffix .key).
Copy those two files into the directory /etc/apache2/ssl.
Now install the Apache2 ssl module: a2enmod ssl
The next step is to create a new virtual host for our https sites. Simply copy the default site to a new site called default-ssl:

cp /etc/apache2/sites-available/default /etc/apache2/sites-available/default-ssl


Replace the first two lines in the file with the following lines:

NameVirtualHost :443
:443>
# SSL (START)

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/my.apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/my.apache.key

SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
# SSL (ENDE)


After this edit the file /etc/apache2/ports.conf and add the following line:

Listen 443


The last thing is to enable the site calling a2ensite default-ssl
Finally restart your Apache2: /etc/init.d/apache2 restart