Setting up SSL certificates with Apache 2
Introduction
SSL certificates are not always easy to understand and implement. Nevertheless, I will try to make it clear. For those who wish to have their certificate signed by a free certification authority, I invite you to visit the CACert website.
Installation
Debian
Once again, it’s quite simple here:
Then you’ll download a small program that will make your life easier:
Here is the file to download and put in your ssl folder.
Once done, decompress it:
OpenBSD
For OpenBSD, nothing special to install. Apache is provided as standard with the SSL module.
Configuration
Debian
Let’s go to the decompressed folder:
If you want to change the number of days for the validity of your certificate, edit the ca_openssl.cnf file and modify line 39:
Change 365 to what you want (3650 for 10 years for example).
Creating a certification authority
We will now create the certification authority for our local network. First, we initialize our certificate management environment:
This command creates the necessary folders and files for the proper functioning of our script and asks you the necessary questions for the configuration of your certification authority:
We then create our certification authority:
You now have what you need to sign your own certificates.
Creating a server certificate for our local network
Now that you have a certification authority, we will create a certification request in order to obtain a certificate signed by our authority. For example, to create a certificate for our HTTPS server:
Note: the value https is only used to build the filename of the request. It is preferable that this value contains no spaces or special characters.
You must then enter your certificate information:
Note: As you can see, this tool gives you the possibility to generate certificates valid for several domain names.
At the end of the procedure, the tool displays the created request because you can, if you wish, have this request signed by the CACert site.
If the certificate is intended for your local network, you can use your certification authority to sign it:
This command displays the information included in the certificate request and asks you if you agree to sign it:
You now have 2 files that together form your certificate:
All you have to do now is copy these files and the public key of your certification authority to the appropriate place for your server configuration:
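As an added example (not the page's own script, which wraps openssl in a helper tool), here is the same procedure done directly with the openssl command line: create a local certification authority, generate a request for a server valid for several DNS names, sign it with the authority, and check that the result chains to the CA and covers a given hostname. All hostnames, paths and the CA name are constructed for illustration; it assumes the openssl CLI (1.1.0 or later) is installed.

```shell
#!/bin/sh
# Added example, not the page's own script: local CA + multi-name server
# certificate using the plain openssl CLI (assumed installed, 1.1.0+).
# All hostnames, paths and the CA name are constructed for illustration.
set -eu

# make_local_ca_and_cert DIR HOST [EXTRA_NAMES]
#   DIR         output directory (created if missing)
#   HOST        primary hostname of the server (also used as the CN)
#   EXTRA_NAMES optional comma-separated list of further DNS names
make_local_ca_and_cert() {
    dir=$1; host=$2; extra=${3:-}
    mkdir -p "$dir"

    # 1. The certification authority: a self-signed CA certificate and its key.
    #    3650 days matches the page's "10 years" suggestion; keep ca.key private.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Local Test CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # 2. The server key and certificate request (what you would send to the CA).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

    # 3. Extensions the CA adds when signing: every name the certificate is
    #    valid for goes into subjectAltName (clients ignore the CN nowadays).
    sans="DNS:$host"
    for n in $(printf '%s' "$extra" | tr ',' ' '); do sans="$sans,DNS:$n"; done
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$sans" > "$dir/server.ext"

    # 4. Sign the request with the CA. server.key + server.crt are the two files
    #    the web server needs; ca.crt is what clients must be told to trust.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# cert_covers_name DIR NAME: succeed only if server.crt chains to ca.crt AND
# is valid for NAME (the check a browser performs before trusting the site).
cert_covers_name() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# Stand-alone use: sh script.sh /path/to/outdir
if [ -n "${1:-}" ]; then
    make_local_ca_and_cert "$1" www.example.test intranet.example.test
    openssl x509 -in "$1/server.crt" -noout -subject -issuer -dates
    cert_covers_name "$1" intranet.example.test && echo "intranet.example.test: OK"
fi
```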
Integration with Apache
For the Apache part, it’s quite simple, just copy certain files:
Then put this in a VirtualHost in Apache (make a special SSL VirtualHost):
OpenBSD
To generate certificates, here’s how to proceed:
Apache Configuration
Debian
To finish, add this to /etc/apache2/ports.conf:
All that remains is to enable the ssl mod for the configuration:
We can now admire the result by restarting Apache2 :-)
OpenBSD
Multi-VirtualHost SSL
Like everyone else, one day you tried to have several VHosts in SSL, and the Apache people informed you that you can't. The problem is that you can only have one certificate per IP address and port: the Host header travels inside the encrypted HTTP request, so it is not available to the TLS layer that has to pick a certificate before the encryption is set up.
There were some ugly tricks to avoid the warning in the browser, like using a certificate for *.mydomainofdeath.biz, but that is no use if you host several different domains on the server.
So here is the solution: even if the OpenSSL library does not yet support the TLS extension you need, Server Name Indication (SNI), GnuTLS has supported it for 2 years, and mod_gnutls brings it to Apache. Here is the long-awaited documentation:
- Documentation on the implementation of multi-SSL with mod_gnutls
- Documentation on enabling multiple HTTPS Sites For one IP using TLS extensions
Last updated 24 Sep 2009, 12:28 CEST.