Setting up SSL with Apache

Q I've been using Apache on my web server for some time. I must admit I found it quite difficult to configure from the command line but I eventually got it done, thanks to the help of a lot of kind-hearted Linux folk on the Internet. I now need to add a secure area because our developers have made a members-only section. They want this to be SSL encrypted and I need to get an SSL certificate. I'm not sure how to proceed from here though. I've had a look on Google and I can't find a guide that's on a basic enough level for me. Everything I want to do should be standard - I don't need to know about all the options and that's where I think I'm getting confused. Thanks in advance.

A Setting up an SSL-enabled website isn't nearly as complex as it seems at first. This can be divided into two tasks: getting the SSL certificate and configuring Apache. To set up the SSL certificate, you first need to generate a private key. Once generated, make sure you keep this key in a safe place because you'll need it if you ever need to regenerate your certificate or move your site to another server.

# cd /etc/httpd/conf
# /usr/bin/openssl genrsa 1024 > ssl.key/mydomain-com.key

With this key you can generate a Certificate Signing Request (CSR). This needs to be sent to an SSL certificate provider (Thawte, Verisign and so on). The following command willgenerate the CSR:

# /usr/bin/openssl req -new -key ssl.key/mydomain-com.key > ssl.csr/mydomain-com.csr

Enter your details as appropriate, taking special care to enter your domain name exactly as it will appear in your URL for the 'Common Name' -in other words, secure.mydomain.com or www.mydomain.com. Also, be sure to leave the 'Challenge password' blank. If you enter a password here, you'll need to enter this each time Apache starts up. You can now head over to Verisign/Thawte and purchase a certificate. Be sure to enter the details you give them exactly as you entered them for the CSR you just generated. It will take them some time to verify your company and get back to you with your actual certificate. When you receive your certificate, save it to you server under /etc/httpd/ conf/ssl.crt/mydomain-com.crt. Lastly, we need to tell Apache that this certificate exists and how to use it. Every certificate will require a dedicated IP address to listen on. Make sure that Apache is configured to use this IP address and is listed on port 443, then add a new Virtual Host block for your secure site. Simply copy the details from the non-secure block and change the IP and port and add the following lines:

SSLEngine On
SSLCertificateFile /etc/httpd/conf/ssl.crt/mydomain-com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mydomain-com.key

At this stage, restarting Apache should bring your SSL site up. Verify this at https://mydomain.com by looking for the secure padlock icon in your browser.

Follow us on Identi.ca or Twitter

Username:   Password:
Create Account | About TuxRadar