Apr 07

How to setup SSL with Apache2

Category: Linux,webserver   — Published by tengo on April 7, 2008 at 12:58 pm

Offering https:// (SSL secured encrypted connections) is a feature most demanding webmasters who care about their customer's privacy will want to offer on any e-Commerce website.

Here is a small how-to about configuring your apache to use SSL and how to install the required certificates. This is known as using a self-signed certificate.
First, install some required modules:

$ apt-get install openssl ssl-cert

Then we will decide to install our SSL certificates into a sub-directory of apache

$ mkdir /etc/apache2/ssl
$ touch /etc/apache2/ssl/apache.pem

Now we have created an empty file. Please note that we use Apache2 here. For Apache 1.3 the dir is different.

Next, we will generate the RSA key and the certificate. The key and the certificate are two small chunks of text. You can decide to write each part into a dedicated file, but here we will put the key and the certificate into the same file.

A simple dialogue will appear. In essence, none of the answers you give are important. Just be sure to enter upon: "Common Name (eg, YOUR name) []:" the domain you are configuring SSL for, i.e. "domain.com" or "www.domain.com"!

$ openssl req $@ -new -x509 -days 365 -nodes -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.pem
$ chmod 600 /etc/apache2/ssl/apache.pem

See: "-out" and "-keyout" are set to the same file.

Next you need to reconfigure Apache to use the certificates:

$ nano /etc/apache2/sites-available/default

and enter something like

<VirtualHost *:443>
# SSL for this Port/Server
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem

Next, open the port 443 for Apache. Edit:

$ nano /etc/apache2/ports.conf

and add these lines:

Listen 80
Listen 443

to tell Apache2 to listen on these two ports.

Finally be sure that the SSL module is installed for Apache:

$ a2enmod ssl

and restart Apache2

$ /etc/init.d/apache2 force-reload


You can also seperate certificate and key (see this) . In this case you do not use SSLCertificateFile <Directive> but the combination of SSLCertificateChainFile <Directive> and SSLCertificateKeyFile <Directive>. Use as follows:

<VirtualHost *:443>
SSLEngine On
SSLCertificateFile conf/ssl/mynet.cert
SSLCertificateKeyFile conf/ssl/mynet.key
DocumentRoot /usr/local/apache2/sichere_seiten


Using an unsigned, self-generated key /certificate will pop up a warning dialogue each time a user browses over to your secured pages. Although this does not lower security in theory, this alert box is considered unprofessional and annoying by most users. You should think about obtaining a certificated key.

There are multiple certificate authorities out there, one of them is rapidssl.

There is also CAcert.org, a Certificate Authority that issues certificates to the public at large for free. But its support is limited yet and in most cases the box will appear again.

Obtaining a signed commercial SSL certificate and installing it

read the instructions basic docs at rapidssl, for example.:

Then generate a RSA private key without password for our domain:

# openssl genrsa -des3 -out www.example.com.key 2048
$ openssl genrsa -out www.ourdomain.com.key 1024

"When prompted for a pass phrase: enter a secure password and remember it, as this pass phrase is what protects the private key. Both the private key and the certificate are required to enable SSL.

NOTE: To bypass the pass phrase requirement, omit the -des3 option when generating the private key. If the private key is left unprotected, RapidSSL recommends access to the server be restricted so that only authorized server administrators can access or read the private key file."

Then, convert the RSA key to a CSR (certificate request):

$ openssl req -new -key www.ourdomain.com.key -out www.ourdomain.com.csr

Send this to your cert. authority (usually by web form). You will get a CRT back. Save this into your ssl folder:

$ nano /var/apache2/ssl/www.ourdomain.com.crt

and copy & paste the data into the file, then save.
Finally, do the required steps to activate the key+cert for your domain in Apache2:

$ nano /etc/apache2/sites-available/default

Edit like this:

# our certificate
SSLCertificateFile /etc/apache2/ssl/www.ourdomain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.ourdomain.com.key

and restart Apache2

$ /etc/init.d/apache2 force-reload