This guide will help you set up SSL with Apache2. It assumes you have already installed the default LAMP stack on Ubuntu Intrepid.
To make sure the necessary packages are in place, open your terminal and type:
sudo apt-get install apache2 apache2.2-common apache2-utils openssl openssl-blacklist openssl-blacklist-extra
To set up your secure server, use public key cryptography to create a public and private key pair. In most cases, you send your certificate request (including your public key), proof of your company’s identity, and payment to a Certificate Authority (CA). The CA verifies the certificate request and your identity, and then sends back a certificate for your secure server.
Alternatively, you can create your own self-signed certificate. Note, however, that self-signed certificates should not be used in most production environments. Self-signed certificates are not automatically accepted by a user’s browser. Users are prompted by the browser to accept the certificate and create the secure connection.
Once you have a self-signed certificate or a signed certificate from the CA of your choice, you need to install it on your secure server.
Whether you are getting a certificate from a CA or generating your own self-signed certificate, the first step is to generate a key.
Generating a Certificate Signing Request (CSR)
To generate the Certificate Signing Request (CSR), you first need a private key. Run the following command from a terminal prompt to create it:
openssl genrsa -des3 -out server.key 4096
You can also run your secure web server without a passphrase. This is convenient because you will not need to enter the passphrase every time you start your secure web server. But it is highly insecure: anyone who obtains the unprotected key file can impersonate the server, so a compromise of the key means a compromise of the server as well.
In any case, you can choose to run your secure web server without a passphrase either by leaving out the -des3 switch in the generation phase, or by issuing the following command at a terminal prompt to strip the passphrase from an existing key:
openssl rsa -in server.key -out server.key.insecure
You can then use this file (server.key.insecure) to generate the CSR without being prompted for the passphrase.
Then create a certificate signing request with it. This command will prompt for a series of things (Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name, Email Address, a challenge password, an optional company name). Think carefully when entering the Common Name (CN) as you generate the .csr file below: it should match the DNS name or the IP address you specify in your Apache configuration. If they don't match, client browsers will show a "domain mismatch" warning when visiting your https web server.
The default values for the questions ([AU], Internet Widgits Pty Ltd, etc.) are stored here: /etc/ssl/openssl.cnf. So if you’ve got a large number of certificate signing requests to process you probably want to carefully edit that file where appropriate. Otherwise, to create the CSR, run the following command at a terminal prompt:
openssl req -new -key server.key -out server.csr
You can submit this CSR file to a CA for processing. The CA will use this CSR file to issue the certificate. Alternatively, you can create a self-signed certificate from this CSR.
Creating a Self-Signed Certificate
Now sign the certificate signing request. This example creates a certificate valid for 365 days. Run the following command at a terminal prompt:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
The above command will prompt you to enter the passphrase (if using the secure key). Once you enter the correct passphrase, your certificate will be created and it will be stored in the server.crt file.
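The key, CSR and self-signed certificate steps above as one non-interactive script, added here as an example (it is not from the original guide). It assumes the openssl command line tool is installed, uses a constructed passphrase ("changeit") and the guide's sample subject and Common Name (www.salimane.com), and the helper names make_selfsigned, key_is_encrypted, key_matches_cert, cert_cn_is and is_untrusted_selfsigned are my own. It goes slightly beyond the text by checking the results: that the original key is passphrase-protected and the stripped copy is not, that key and certificate share a modulus, that the CN matches the intended ServerName, and that the certificate is self-signed and therefore not trusted by default.

```shell
#!/bin/sh
# Added example (not from the original guide): key -> CSR -> self-signed
# certificate, scripted end to end, plus the checks worth running before the
# files are copied into /etc/apache2/ssl/.
# Assumptions: the `openssl` CLI is installed; the passphrase "changeit" and
# the subject fields below are constructed sample values.

make_selfsigned() {
    dir=$1                      # output directory
    bits=${2:-4096}             # key size; the guide uses 4096
    cn=${3:-www.salimane.com}   # Common Name; must equal Apache's ServerName
    mkdir -p "$dir"

    # 1. Passphrase-protected key, as with `genrsa -des3` above, but with the
    #    passphrase supplied non-interactively (constructed value).
    openssl genrsa -des3 -passout pass:changeit -out "$dir/server.key" "$bits" 2>/dev/null

    # 2. Strip the passphrase, as the guide does with `openssl rsa`, so Apache
    #    can restart unattended. The stripped file needs strict permissions.
    openssl rsa -passin pass:changeit -in "$dir/server.key" \
        -out "$dir/server.key.insecure" 2>/dev/null
    chmod 600 "$dir/server.key.insecure"

    # 3. CSR with the subject given on the command line instead of prompting.
    openssl req -new -key "$dir/server.key.insecure" \
        -subj "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=$cn" \
        -out "$dir/server.csr"

    # 4. Self-sign the CSR for 365 days, exactly as in the guide.
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key.insecure" -out "$dir/server.crt" 2>/dev/null
}

# True when the key file is still passphrase-protected. Both the PKCS#8
# "ENCRYPTED PRIVATE KEY" header and the older "Proc-Type: 4,ENCRYPTED"
# header contain the word ENCRYPTED.
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# True when key and certificate belong together (same RSA modulus). A
# mismatch here is a common reason Apache refuses to start after install.
key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# True when the certificate's CN is $2, so browsers see no domain mismatch.
# Matches both "CN = x" (OpenSSL >= 1.1) and "/CN=x" (older) subject output.
cert_cn_is() {
    openssl x509 -noout -subject -in "$1" | grep -Eq "CN *= *$2"'(,|/|$)'
}

# True for a self-signed certificate that the default trust store rejects:
# issuer equals subject, plain `openssl verify` fails, and verification only
# succeeds when the certificate is itself supplied as the trust anchor. This
# is the situation behind the browser warning described at the end of the guide.
is_untrusted_selfsigned() {
    [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
      "$(openssl x509 -noout -issuer_hash -in "$1")" ] &&
    ! openssl verify "$1" >/dev/null 2>&1 &&
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage: sh thisfile --run [outdir]; then copy server.crt and the key you
# chose into /etc/apache2/ssl/ as the guide shows.
main() {
    out=${1:-./ssl-out}
    make_selfsigned "$out" 4096 www.salimane.com
    key_is_encrypted "$out/server.key" && echo "server.key: passphrase-protected (restart will prompt)"
    key_matches_cert "$out/server.key.insecure" "$out/server.crt" && echo "key/cert pair: OK"
    cert_cn_is "$out/server.crt" www.salimane.com && echo "CN: matches ServerName"
    is_untrusted_selfsigned "$out/server.crt" && echo "self-signed: browsers will warn until an exception is added"
    openssl x509 -noout -subject -dates -in "$out/server.crt"
}
case "${1:-}" in --run) main "${2:-}" ;; esac
```

Run it with sh script.sh --run ./ssl-out, then copy server.crt and whichever key you chose into /etc/apache2/ssl/ as described below. The modulus check is the one worth repeating after copying: a key that does not match the certificate is a common reason Apache refuses to start once SSL is enabled.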
Installing the Certificate
Copy the server.crt and server.key files into position.
sudo mkdir /etc/apache2/ssl/
sudo cp server.crt /etc/apache2/ssl/
sudo cp server.key /etc/apache2/ssl/
Enable the SSL module for Apache2
Open your terminal and type:
sudo a2enmod ssl
Create and enable the SSL site
First we need to create a VirtualHost for our site by copying the default skeleton:
sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/www.salimane.com
Then edit the content to look like the following:
sudo gedit /etc/apache2/sites-available/www.salimane.com
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName www.salimane.com
LogLevel warn
ErrorLog /var/log/apache2/www.salimane.com.error.log
CustomLog /var/log/apache2/www.salimane.com.access.log combined
DocumentRoot /var/www/www.salimane.com/
<Directory /var/www/www.salimane.com/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
Now enable the site by typing:
sudo a2ensite www.salimane.com
Instruct Apache to listen to 443
We have to edit the Apache ports configuration file, located at /etc/apache2/ports.conf:
sudo gedit /etc/apache2/ports.conf
By default it looks like this:
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
# SSL name based virtual hosts are not yet supported, therefore no
# NameVirtualHost statement here
Listen 443
</IfModule>
We have to add the https NameVirtualHost, so edit it to look like this:
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
# NameVirtualHost for the https virtual hosts (added)
NameVirtualHost *:443
Listen 443
</IfModule>
Don't forget to edit your /etc/hosts file if you're running on your local box, with www.salimane.com pointing to 127.0.0.1.
Now you should restart the server. If you used a key with a passphrase, you will be prompted to enter the passphrase every time you want to restart the server. Once you enter the correct passphrase, the secure web server will be started.
sudo /etc/init.d/apache2 restart
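A pre-flight script for the installation and configuration steps above, added as an example that is not part of the original guide. Given the VirtualHost file and ports.conf, it checks what the text says must agree: SSLEngine is on, the certificate and key files it references exist, the certificate's CN equals ServerName (otherwise browsers show the domain mismatch warning), and ports.conf has Listen 443; it also warns if the key is passphrase-protected (every restart will prompt) or readable by other users. The directive, cert_cn, preflight and write_sample_config function names are my own assumptions, and write_sample_config builds constructed sample files mirroring the guide's VirtualHost so the script can be tried without touching /etc/apache2.

```shell
#!/bin/sh
# Added pre-flight check (not part of the original guide): before restarting
# Apache, confirm that the SSL VirtualHost and ports.conf agree with the
# certificate that was copied into place. Assumes the `openssl` CLI.

# Print the value of directive $2 from Apache config file $1 (first match,
# case-insensitive, as Apache itself treats directive names).
directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1"
}

# Extract the Common Name from a certificate's subject. Handles both the
# "CN = x" (OpenSSL >= 1.1) and "/CN=x" (older) print formats.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Return 0 when vhost file $1 and ports file $2 are consistent; print the
# first problem found and return 1 otherwise.
preflight() {
    vhost=$1
    ports=$2
    name=$(directive "$vhost" ServerName)
    crt=$(directive "$vhost" SSLCertificateFile)
    key=$(directive "$vhost" SSLCertificateKeyFile)
    engine=$(directive "$vhost" SSLEngine)

    [ -n "$name" ] || { echo "FAIL: no ServerName in $vhost"; return 1; }
    case "$engine" in [Oo][Nn]) ;; *) echo "FAIL: SSLEngine is not on"; return 1 ;; esac
    [ -r "$crt" ] || { echo "FAIL: SSLCertificateFile $crt not readable"; return 1; }
    [ -r "$key" ] || { echo "FAIL: SSLCertificateKeyFile $key not readable"; return 1; }

    # The CN must equal ServerName, or browsers report a domain mismatch.
    cn=$(cert_cn "$crt")
    [ "$cn" = "$name" ] || { echo "FAIL: certificate CN '$cn' != ServerName '$name'"; return 1; }

    # Apache must actually listen on 443 for the *:443 VirtualHost to exist.
    grep -Eq '^[[:space:]]*Listen[[:space:]]+([^[:space:]]*:)?443([[:space:]]|$)' "$ports" \
        || { echo "FAIL: no 'Listen 443' in $ports"; return 1; }

    # Warnings only: a passphrase means every restart prompts at the console,
    # and a key readable by other users can be copied by any local account.
    grep -q ENCRYPTED "$key" && echo "WARN: $key is passphrase-protected; restart will prompt"
    [ "$(ls -l "$key" | cut -c8)" = "-" ] || echo "WARN: $key is readable by other users"
    echo "OK: $name on :443 with $crt"
    return 0
}

# Constructed fixtures for a dry run: a throw-away key/cert with CN $2, a
# VirtualHost in the guide's shape pointing at them, and a ports.conf that
# listens on 443. Nothing here touches /etc/apache2.
write_sample_config() {
    d=$1
    cn=$2
    mkdir -p "$d"
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=$cn" \
        -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null
    chmod 600 "$d/server.key"
    cat > "$d/vhost.conf" <<EOF
<VirtualHost *:443>
    ServerName www.salimane.com
    DocumentRoot /var/www/www.salimane.com/
    SSLEngine On
    SSLCertificateFile $d/server.crt
    SSLCertificateKeyFile $d/server.key
</VirtualHost>
EOF
    cat > "$d/ports.conf" <<'EOF'
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
    NameVirtualHost *:443
    Listen 443
</IfModule>
EOF
}

# Usage: sh preflight.sh --check [vhost-file] [ports.conf]
case "${1:-}" in
    --check) preflight "${2:-/etc/apache2/sites-available/www.salimane.com}" \
                       "${3:-/etc/apache2/ports.conf}" ;;
esac
```

On the real box, run sh preflight.sh --check /etc/apache2/sites-available/www.salimane.com /etc/apache2/ports.conf before the restart, followed by apache2ctl configtest, which catches the syntax errors this script does not look for.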
Accessing the Server
You can access the secure server pages by typing https://www.salimane.com in your browser address bar. If you use a self-signed certificate, you will be greeted with "Secure Connection Failed" in Firefox. Just ignore that and click "Or you can add an exception…" then "Add Exception…".