
SolutionBase: Setting up an SSL-enabled Web site with Apache 2.2.4

The world's most popular Web server should be able to support secure Web browsing through the use of SSL certificates, right? Without much effort, you can get Apache running with SSL quickly. Scott Lowe gives the details.

As the world's most popular Web server, you would expect Apache to be able to support secure Web browsing through the use of SSL certificates. If this is your expectation, you're in luck; without much effort, you can get Apache up and running with SSL in no time at all.

Getting started

As with most open source software, you can opt to either build your installation from source files or you can locate the appropriate software packages for your Linux distribution and use your distribution's native tools to handle installation. Since Apache supports a multitude of installation options, I'm going to use the build from scratch method to install Apache with SSL support for the article. For this article, I'm using Fedora 7 for my operating system.

A nice thing about Apache 2+ is that you don't need to do a lot of messing around in order to get SSL working. With older versions of Apache, you had to separately download and configure mod_ssl. For Apache 2 and 2.2 — I'm using Apache 2.2.4 in this article — you just need to provide some additional configuration information.

To get started, download the Apache 2.2.4 (or the most recent version) source, which is available for download from the Apache Web site. As of this writing, the latest version of Apache available is 2.2.4. I've saved the file — named httpd-2.2.4.tar.gz — to a folder named /usr/src on my server. I like to save installations in this location so I have them for the future.

The next few commands are entered from a command line. I've put them, in order, in Table A.

Table A

cd /usr/src

Change to the directory to which you saved the Apache source download.

tar zxvf httpd-2.2.4.tar.gz

Extract the contents of the downloaded file into a subdirectory named httpd-2.2.4.

cd httpd-2.2.4

Change to the new source directory.

./configure \
  --prefix=/usr/local/apache \
  --enable-ssl \
  --enable-setenvif

Configure the build so that the Web server is installed to the directory identified by the --prefix directive. This step may take quite some time, as the configure script checks for a number of items on your system.

I'm keeping this installation very simple. There's a lot more you can configure in to Apache, but in the interest of clarity, I'm omitting a lot of things.

The --enable-ssl directive, as you might expect, activates Apache's built-in encryption capabilities to protect visitors to your Web site.

The --enable-setenvif directive gives Apache the capability to handle some quirks in Internet Explorer. Since IE remains the world's most popular Web browser, support for it is rather important.

make

Compile Apache.

make install

Copy the newly compiled binaries to the /usr/local/apache directory (and to other places on your system, as needed).

/usr/local/apache/bin/apachectl start

Start Apache with its default configuration file.

When you're done with the steps in Table A, browse to your new server. You should get a "It works!" message, as shown in Figure A.

Figure A

Apache was successfully installed.

Before you do too much, you should configure Apache to automatically start when your system boots. The steps to make this happen depend on which Linux distribution you're using. Please refer to your system docs for more information. Until you take the steps necessary to get Apache starting automatically with your server, use the "start" command in the last part of Table A.

Configuring SSL

When you install Apache using the above method, a couple of things happen:

  • You get a working Web server, which is always good.
  • Apache's primary configuration file — httpd.conf (located at /usr/local/apache/conf) — is created with an entry that says "#include conf/extra/httpd-ssl.conf". The # at the beginning of the line indicates that this directive is commented out. Uncomment this line and save your changes. From there, if you want to make SSL configuration changes, you need to make the changes to the file named /usr/local/apache/conf/extra/httpd-ssl.conf. Personally, I like this separation of directives. It keeps the SSL stuff separate and less confusing. Don't make any changes to httpd-ssl.conf here; I will walk through the steps that make the default httpd-ssl.conf file work for you.
  • By default, this kind of Apache installation looks for a certificate file named /usr/local/apache/conf/server.crt. As such, I will show you how to create a self-signed certificate for your server. Table B shows you how to create a self-signed certificate and restart Apache using SSL. Make certain that you have uncommented the include conf/extra/httpd-ssl.conf line in your httpd.conf file before you continue.

Table B

cd /usr/local/apache/conf

Change to Apache's configuration directory. For this example, this is the location in which SSL keys and certificates will be stored.

openssl genrsa -des3 -out server.key 1024

Generates an RSA private key. During this process, you will be asked for a pass phrase associated with this private key. Don't lose this pass phrase, as you will need it later. The -des3 directive here encrypts the contents of this private key. When you use the -des3 directive, you will need to provide your key's pass phrase when you start your Apache server. If you want to avoid doing this, simply omit the -des3 directive, but understand that this is a less secure situation.

Sample output:

[root@apache conf]# openssl genrsa -des3 -out server.key 1024

Generating RSA private key, 1024 bit long modulus

........ ++++++

........ ++++++

e is 65537 (0x10001)

Enter pass phrase for server.key: <passphrase>

Verifying - Enter pass phrase for server.key: <passphrase>

openssl req -new -key server.key -out www.example.com.csr

With the private key created, you now generate a Certificate Signing Request (CSR). This will be used to generate the certificate for your server. If you were using a third party to provide your certificate, they would need this CSR file in order to fulfill your request.

During this step, you're asked a number of questions about your organization. Make sure the information is accurate. Pay particular attention to the Common Name (CN) field. In this field, provide your server's fully qualified domain name (www.example.com). If you do not, visitors will get SSL errors.

Sample output:

[root@apache conf]# openssl req -new -key server.key -out www.example.com.csr

Enter pass phrase for server.key:

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:US

State or Province Name (full name) [Berkshire]:Missouri

Locality Name (eg, city) [Newbury]:Fulton

Organization Name (eg, company) [My Company Ltd]:Scott

Organizational Unit Name (eg, section) []:IT

Common Name (eg, your name or your server's hostname) []:www.example.com

Email Address []:admin@example.com

Please enter the following 'extra' attributes to be sent with your certificate request

A challenge password []:

An optional company name []:

openssl x509 -req -days 730 -in www.example.com.csr -signkey server.key -out server.crt

Now, using a combination of the private key and the CSR file, you can generate your certificate. Notice that there are a few parameters associated with this command. The x509, along with the -req parameter, indicates that you want to use a self-signed certificate. The -days parameter can only be used when you use a self-signed certificate and indicates the number of days for which the certificate is valid. -in www.example.com.csr indicates the input filename from which to read a request. The -signkey server.key parameter is also used for self-signed certificates and indicates the file name that holds the private key that you created with the openssl genrsa command. Finally, -out server.crt is the name of the certificate file that is generated. Note in the output below that you need the pass phrase that you used when you created the private key. OpenSSL will prompt you to enter this pass phrase.

Sample output:

[root@apache conf]# openssl x509 -req -days 730 -in www.example.com.csr -signkey server.key -out server.crt

Signature ok

subject=/C=US/ST=Missouri/L=Fulton/O=Scott/OU=IT/CN=www.example.com/emailAddress=admin@example.com

Getting Private key

Enter pass phrase for server.key: <passphrase>

/usr/local/apache/bin/apachectl stop

Make sure to stop any running Apache instances.

/usr/local/apache/bin/apachectl start

Restart Apache. Now that you have uncommented include conf/extra/httpd-ssl.conf, the directives found in that file will be loaded as a part of your Apache configuration. In older versions of Apache, you would use apachectl startssl to start Apache with SSL enabled. This is no longer true in Apache 2.2.4. Also note that, if you chose to encrypt your private key, you need to enter the pass phrase you provided earlier.

Sample output:

Apache/2.2.4 mod_ssl/2.2.4 (Pass Phrase Dialog)

Some of your private key files are encrypted for security reasons.

In order to read them you have to provide the pass phrases.

Server www.example.com:443 (RSA)

Enter pass phrase:

OK: Pass Phrase Dialog successful.
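As an added check on what Table B produces (an example script, not part of the original article), the functions below recreate the key, CSR and self-signed certificate without the interactive prompts and then verify that the certificate really belongs to server.key, that its Common Name is the host name you intend to serve, and that it has not yet expired. It assumes the openssl command-line tool is installed, uses a 2048-bit key rather than the article's 1024-bit one, and supplies the pass phrase through -passout/-passin so it can run unattended.

```shell
#!/bin/sh
# Added example (not from the article): reproduce Table B non-interactively,
# then check the result the way a deployer should before starting Apache.
# Assumptions: the openssl CLI is on PATH; a 2048-bit key is used instead of
# the article's 1024-bit one; the pass phrase is passed via -passout/-passin.
set -eu

# make_selfsigned DIR HOST PASSPHRASE [DAYS]
# Creates DIR/server.key (DES3-encrypted), DIR/HOST.csr and DIR/server.crt,
# using the same subject the article types in by hand, with CN set to HOST.
make_selfsigned() {
    dir=$1; host=$2; pass=$3; days=${4:-730}
    mkdir -p "$dir"
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -passin "pass:$pass" \
        -subj "/C=US/ST=Missouri/L=Fulton/O=Scott/OU=IT/CN=$host/emailAddress=admin@example.com" \
        -out "$dir/$host.csr"
    openssl x509 -req -days "$days" -in "$dir/$host.csr" \
        -signkey "$dir/server.key" -passin "pass:$pass" -out "$dir/server.crt" 2>/dev/null
}

# cert_matches_key CRT KEY [PASSPHRASE]
# Succeeds only if the public key inside CRT was derived from KEY; Apache will
# not serve a working HTTPS site when server.crt and server.key disagree.
cert_matches_key() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1")
    key_mod=$(openssl rsa -noout -modulus -in "$2" -passin "pass:${3:-}" 2>/dev/null)
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# cert_cn CRT
# Prints the Common Name; browsers compare it with the host name in the URL,
# which is why the article warns you to get this field right.
cert_cn() {
    openssl x509 -noout -subject -nameopt sep_multiline -in "$1" | sed -n 's/^ *CN=//p'
}

# cert_valid_for CRT SECONDS
# Succeeds if CRT will still be valid SECONDS from now; use it to notice the
# -days 730 expiry before your visitors do.
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}
```

Run make_selfsigned in a scratch directory first and keep the real server.key out of any world-readable location; the three check functions work just as well on a certificate issued by a third-party CA.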

Now, browse to your site using https to see if things work. In this case, I'll browse to https://www.example.com. You will get a certificate error, shown in Figure B, indicating that the certificate may not be valid. This is true for self-signed certificates. Bear in mind that the purpose of SSL is to protect your personal information. If anyone could create self-signed certificates that appeared 100 percent valid, the Internet would be a whole lot more dangerous. A warning message is a good way to tell users to be wary.

Figure B

This certificate warning is normal for a self-signed certificate.

Press the Examine Certificate button to get more details about the certificate. You'll see a screen similar to the one in Figure C.

Figure C

Certificate details.

Once you're at your page, note the lock in your browser indicating that you have a secure connection with the site. Again, you still need to make sure you trust the site, but at least the information is encrypted.

About Scott Lowe

Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive w...
