
Set up an SSL Apache server

This is a quick tutorial on how to set up an SSL server on Apache.

Why do you need an SSL (HTTPS) server?
It encrypts all the traffic between your web server and whoever visits your site.
This is important for passwords and other information you want to keep secret.

It also helps visitors verify that your site is legitimate.
It proves that you really are who you say you are.

How much does it cost?
Setting up an SSL server is free; getting a certificate can cost money.
You can create self-signed certificates. These still encrypt the communication and are perfect for personal use and even inside an organization, though visitors' browsers will warn that the certificate is not trusted. If you are running a public or commercial website, it is advisable to get a certificate from a recognized certification authority (CA). The CA verifies that you are who you say you are.
Visitors then see a nice green padlock in their browser.
There are about 36 certification authorities and many more resellers.

There is a small performance hit. The pages need to be encrypted on the server and decrypted on the client PC. This means that an HTTPS page takes a little longer to load than an HTTP page.
But for most sites the benefits outweigh the drawbacks.

Install OpenSSL

Use the usual package commands for your system:
  • Debian/Ubuntu: sudo apt-get install openssl
  • Gentoo: emerge openssl
  • RedHat/CentOS: yum install openssl

Creating a self-signed key and certificate

This is straightforward: type the commands, answer the questions, and you are done.
openssl genrsa 2048 > yoursite.com.key
openssl req -new -x509 -nodes -sha1 -key yoursite.com.key > yoursite.com.crt
The certificate must go to a separate .crt file; redirecting it into yoursite.com.key would overwrite the private key you just generated. Note that current browsers reject certificates signed with SHA-1, so on a new setup use -sha256 instead of -sha1.
The certificate has an end date, so you need to renew it regularly.
The default is 365 days, but you can change it with the -days option, for example -days 365.

We put the key and the certificate in a safe place:
mv *.crt *.key /etc/conf.d/apache2
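The same steps as a script, added here as an example that is not part of the original guide: it writes the key and certificate to separate files, then checks that the certificate really carries the public key of that private key (the check that fails when the certificate has overwritten the key) and how long it stays valid. It assumes openssl is on PATH and uses -sha256 rather than the guide's -sha1.

```shell
#!/bin/sh
# Added example, not from the original guide: create the self-signed key and
# certificate as two separate files and check that they belong together.
# Assumes openssl on PATH; file names follow the guide (yoursite.com.key/.crt).

# make_selfsigned <hostname> <days> <outdir>
# Redirecting the certificate into the .key file (as "> yoursite.com.key")
# would overwrite the private key, so the certificate goes to <hostname>.crt.
make_selfsigned() {
    host=$1; days=$2; dir=$3
    mkdir -p "$dir"
    # umask 077 in a subshell: the key file is created unreadable by group/others
    ( umask 077 && openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null ) || return 1
    # -subj answers the interactive questions; -sha256 replaces the guide's
    # -sha1 because browsers reject SHA-1 signed certificates
    openssl req -new -x509 -nodes -sha256 -days "$days" \
        -key "$dir/$host.key" -subj "/CN=$host" \
        -out "$dir/$host.crt" 2>/dev/null
}

# cert_matches_key <crt> <key>: succeeds when the certificate carries the
# public key derived from the private key (fails if the key was overwritten)
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_cn <crt>: the Common Name the certificate was issued for
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# cert_valid_for_days <crt> <days>: succeeds if the certificate is still
# valid that many days from now (use it to decide when to renew)
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# stand-alone run: writes ./selfsigned/yoursite.com.{key,crt} and checks them
if [ "${1:-}" = "--demo" ]; then
    make_selfsigned yoursite.com 365 ./selfsigned &&
    cert_matches_key ./selfsigned/yoursite.com.crt ./selfsigned/yoursite.com.key &&
    echo "OK: $(cert_cn ./selfsigned/yoursite.com.crt)"
fi
```

Run it as `sh script.sh --demo`; cert_matches_key is also the right check to run on a certificate and key you received or restored from backup.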

Now you can configure Apache.

Creating a key and CSR for a CA-issued certificate

Do this part if you need an official SSL certificate.

This command generates a 2048 bit RSA private key and stores it in the file website.com.key.
openssl genrsa -out website.com.key 2048

Then generate the CSR (certificate signing request). It will be requested when you sign up for an SSL certificate.
openssl req -new -key website.com.key -out website.com.csr
If you protected the key with a password, you need to enter it now.
The command then prompts for the following X.509 attributes of the certificate:

  • Country Name: Use the two-letter code without punctuation for country, for example: US or CA.
  • State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: California
  • Locality or City: The Locality field is the city or town name, for example: Berkeley. Do not abbreviate. For example: Saint Louis, not St. Louis
  • Company: If the company or department has an &, @, or any other symbol using the shift key in its name, the symbol must be spelled out or omitted, in order to enroll. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
  • Organizational Unit: The Organizational Unit (OU) field is the name of the department or organization unit making the request. To skip the OU field, press Enter on the keyboard.
  • Common Name: The Common Name is the host + domain name. It looks like "www.website.com".
    Note that "www.website.com" or "secure.website.com" is not the same as "website.com"; visitors who use a name that is not in the certificate will receive a warning.
NOTE: Please do not enter an email address, challenge password or an optional company name when generating the CSR.

A public/private key pair has now been created. The private key (website.com.key) is stored locally on the server machine and is used for decryption. The public portion, in the form of a Certificate Signing Request (website.com.csr), is used for certificate enrollment.

You can test your CSR at https://www.sslshopper.com/csr-decoder.html
or use the command line: openssl req -in website.com.csr -noout -text

Make sure you have a backup of your private key (website.com.key), and store it in a safe place.
Start by removing read permission for group and others, so the key is no longer world readable:
chmod og-r website.com.key
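The CSR steps above as a non-interactive script, added here as an example that is not part of the original guide: the X.509 attributes are passed with -subj (using the guide's sample values), the key is locked down with chmod og-r, and the request is checked for the right Common Name, an intact signature and a stray e-mail address before it is sent to the CA. It assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example, not from the original guide: produce the CSR non-interactively
# with the attributes listed above, then check it before sending it to the CA.
# Assumes openssl on PATH; the subject values are the guide's sample ones.

# make_csr <hostname> <outdir>: writes <hostname>.key and <hostname>.csr
make_csr() {
    host=$1; dir=$2
    mkdir -p "$dir"
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null || return 1
    chmod og-r "$dir/$host.key"     # as in the guide: no read for group/others
    # -subj supplies the X.509 attributes; e-mail address, challenge password
    # and optional company name are simply not given, as the NOTE above asks
    openssl req -new -key "$dir/$host.key" \
        -subj "/C=US/ST=California/L=Berkeley/O=XYZ Corporation/OU=Web/CN=$host" \
        -out "$dir/$host.csr" 2>/dev/null
}

# csr_cn <csr>: the Common Name in the request (must be the host visitors type)
csr_cn() {
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# csr_signature_ok <csr>: the request is intact and signed by its own key
csr_signature_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_has_email <csr>: succeeds if an emailAddress attribute slipped in
csr_has_email() {
    openssl req -in "$1" -noout -subject | grep -q emailAddress
}

# key_world_readable <file>: succeeds if "other" can read the file
# (column 8 of the ls -l mode string is the others-read bit)
key_world_readable() {
    [ "$(ls -l "$1" | cut -c8)" = "r" ]
}
```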

Configuring Apache to use SSL

The files server.cert and intermediate.crt are sent to you by your SSL certificate provider.

You can set it up as a virtual host on port 443:

NameVirtualHost *:443

<VirtualHost *:443>

    DocumentRoot "/local/www/ssl_html"

    SSLEngine on
    SSLOptions +StrictRequire

    <Directory />
        SSLRequireSSL
    </Directory>

    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

    SSLCertificateKeyFile /etc/apache2/ssl/website.com.key
    SSLCertificateFile /etc/apache2/ssl/server.cert
    SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt

    SSLVerifyClient none
    SSLProxyEngine off

    SetEnvIf User-Agent ".*MSIE.*" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
</VirtualHost>
Some explanation:
  • SSLEngine must be enabled so that the server uses SSL.
  • DocumentRoot sets the root directory for this virtual host. This means that you can separate secure content entirely from regular content.
  • SSLRequireSSL requires SSL to be used (on this virtual host): i.e., a user can't connect to this host using a regular HTTP request. This is why we separate out the secure and regular root directory.
  • SSLProtocol disables all protocols other than TLS v1.0 and SSL v3.0. At the time of writing this was OK for most web browsers; SSL v3.0 has since been broken (the POODLE attack) and current browsers no longer support it, so on a new setup leave SSLv3 disabled as well.
  • SSLCipherSuite is set to use only HIGH and MEDIUM security cipher suites. SHA1 is considered more secure than MD5, so it is preferred.
  • SSLCertificateKeyFile, SSLCertificateFile and SSLCertificateChainFile should be set to the locations where you put your certificate and key files.
    Both SSLCertificateFile and SSLCertificateChainFile are provided by your registrar.
  • SSLVerifyClient should be set to none if not using client authentication.
Test the config before you restart the Apache server:
apachectl configtest
/etc/init.d/apache2 restart
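A small audit to run alongside apachectl configtest, added here as an example that is not part of the original guide: it reads an Apache SSL configuration and reports the weak settings discussed above (SSLv2/SSLv3 enabled, MEDIUM or MD5 cipher suites allowed, aNULL not excluded). The sample configs it writes are constructed for this example; weak.conf repeats the guide's two directives and hardened.conf shows the corrected ones (SSLProtocol all -SSLv2 -SSLv3, SSLCipherSuite HIGH:!aNULL:!MD5).

```shell
#!/bin/sh
# Added example, not part of the original guide: audit an Apache SSL
# configuration for the weak settings discussed above before restarting.
# Assumes a grep with -E; the sample configs are constructed here.

# write_sample_configs <dir>: constructed weak (the guide's lines) and hardened
# variants of the two directives, for trying the audit offline
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
EOF
    cat > "$1/hardened.conf" <<'EOF'
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
EOF
}

# ssl_config_findings <conf>: print one line per weak setting found
ssl_config_findings() {
    proto=$(grep -Ei '^[[:space:]]*SSLProtocol[[:space:]]' "$1" || true)
    ciph=$(grep -Ei '^[[:space:]]*SSLCipherSuite[[:space:]]' "$1" || true)
    # SSLv2 and SSLv3 are broken (POODLE): they must be removed, not added
    echo "$proto" | grep -Eq '\+SSLv[23]' \
        && echo "SSLProtocol enables SSLv2/SSLv3"
    echo "$proto" | grep -Eq '(^|[[:space:]])all([[:space:]]|$)' \
        && ! echo "$proto" | grep -Eq -- '-SSLv3' \
        && echo "SSLProtocol 'all' does not remove SSLv3"
    # a cipher name without a leading '!' is allowed, not excluded
    echo "$ciph" | grep -Eq '[^!]MEDIUM' \
        && echo "SSLCipherSuite allows MEDIUM-strength ciphers"
    echo "$ciph" | grep -Eq '[^!]MD5' \
        && echo "SSLCipherSuite allows MD5-based ciphers"
    echo "$ciph" | grep -Eq '!aNULL' \
        || echo "SSLCipherSuite does not exclude unauthenticated (aNULL) ciphers"
    return 0
}

# ssl_config_finding_count <conf>: number of findings; 0 means clean
ssl_config_finding_count() {
    ssl_config_findings "$1" | wc -l | tr -d ' '
}
```

Point ssl_config_findings at the real virtual host file (for example the one that holds the <VirtualHost *:443> block above) and fix every line it reports before restarting.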

Send HTTP traffic to HTTPS

You can automatically send all your unsecured HTTP traffic to your new secure site
by adapting the Apache config file:

<VirtualHost *:80>
   ServerName www.example.com
   Redirect permanent / https://secure.example.com/
</VirtualHost>
Or redirect just part of it (the secure directory):

<VirtualHost *:80>
   ServerName mysite.example.com
   DocumentRoot /usr/local/apache2/htdocs
   Redirect permanent /secure https://mysite.example.com/secure
</VirtualHost>
