Generating an SSL certificate for Apache

Q Can you point me in the right direction for generating an SSL certificate and applying it to an Apache web server on a Red Hat Enterprise Linux 4 server and a Fedora server?

A Configuring secure connections on the Apache web server on RHEL4 and FC4 is one of the most useful things you can learn to do with your Apache server. The majority of commercial public websites should be using a certificate that has been signed with a trusted key from a recognised certificate authority to indicate a higher level of trust than is required for internal company or personal websites. You can create such a key with OpenSSL (www.openssl.org), which I'll assume you have installed as it's a standard component. First, create a private key. You could secure it with a pass phrase, but depending on how security-conscious you are I would recommend removing it, as it will mean delaying or disabling your entire web server if you do not manually enter the pass phrase when the web server restarts. You'll use the openssl package's help files to create the certificate with the root user. Before you overwrite any current certificate, move it out of the way with

mv /etc/httpd/conf/ssl.*/server* /root/

Next cd /etc/pki/tls/certs (FC4) or cd /usr/share/ssl/certs/ (RHEL4) and run make testcert. This will ask you for a pass phrase, which we will remove later. Fill out the other information it asks for. The most important bit is 'Common Name []', where you should put the domain name that you want the secure site to run off. Generating the key should put the files in the correct place. You should then make sure the default configuration Apache mod_ssl file (/etc/httpd/conf.d/ssl.conf) has the correct information - the two parameters SSLCertificateFile and SSLCertificateKeyFile, the certificate and key file respectively, should correctly reflect the location. Now remove the pass phrase if you want the site to restart without manual intervention and make sure that Apache starts when the machine does with the chkconfig file. Do

cd /etc/httpd/conf/ssl.key/
openssl rsa -in server.key -out server.
nopassphrase.key
mv server.key server.key.orig
mv server.nopassphrase.key server.
key
chkconfig httpd on

This is how you configure Apache on RHEL4 and FC4 to serve HTTPS requests from the default DocumentRoot. Bear in mind that due to the way TLS/SSL works you need one IP address per TLS/SSL site.

Follow us on Identi.ca or Twitter

Username:   Password:
Create Account | About TuxRadar