SSL Certificates with Apache + mod_ssl
March 4, 2008, 12:59 | Apache, System, Tips & Tricks
In this post I collect some of my old notes on how to build and install an SSL certificate on an Apache 1.3.* web server with mod_ssl.
For more detailed and complete reference documentation see http://www.modssl.org/docs/ and the man page of `openssl`; an HTML version of the latter is at http://www.openssl.org/docs/ .
Using the `openssl` toolkit we can generate an RSA private key, which we will later bind to a CSR (Certificate Signing Request). Let's see how to generate the RSA private key and assign it to the Apache web server. The example below refers to FreeBSD 6.0-RELEASE with Apache 1.3.33, but it is easily adapted to any other platform.
First you must create the RSA private key: a 1024-bit RSA key, encrypted with triple-DES and stored as ASCII text in a PEM file. (Those were the defaults of the day; a 1024-bit RSA key and 3DES are no longer considered adequate, so today use at least 2048 bits and AES, e.g. `-aes256` instead of `-des3`.)
The `-rand` option feeds extra entropy into the OpenSSL random number generator from which the key is drawn; it does not make the encryption of the key file itself any stronger. As seed we pass a series of files, here arbitrary files previously compressed with `gzip` (on a current system the generator is seeded by the operating system and this option is unnecessary):
$ openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out server.key 1024
You will be prompted for a passphrase. It is important to keep the passphrase in a safe place, because if it is lost the key generated will be completely useless! Do not underestimate this recommendation: such a mistake can cost a considerable sum of money, because to obtain a new certificate after the loss of a private key the Certificate Authority you approached (for example VeriSign, Thawte, etc.) will require re-payment of the amount already paid for the release of the previous certificate. This is an amount that exceeds, when I write, EUR 400.00 per year!
Since a passphrase was set on the key thus generated, it will have to be entered every time Apache is restarted, or, better, Apache can be pointed at a simple shell script that is invoked directly from httpd.conf:
SSLPassPhraseDialog exec:/usr/local/etc/apache/password.sh
The script will simply be something like the following:
#!/bin/sh
echo "password123"
Note that such a script holds the passphrase in clear text, so it protects the key only as long as the script itself is owned by root and readable by nobody else; it helps against a copy of the key file alone (a backup, for instance) leaking, not against an attacker who already has root on the machine. If you do not want to use any passphrase (not recommended!) it is always possible to remove the triple-DES encryption from the key. If you opt for that solution, at least make sure that the key is readable only by root: if others were able to obtain the decrypted private key, the certificate associated with it would have to be revoked immediately, for obvious reasons. That said, here is how to remove the encryption from the key:
$ openssl rsa -in server.key -out server.pem
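The following is an added example, not a script from the original post: a passphrase helper for `SSLPassPhraseDialog exec:` that replaces the one-line `echo`. mod_ssl runs the program with `servername:port` as its first argument (and the key type, e.g. RSA, as the second) and takes whatever it prints on stdout as the passphrase. The helper keeps one secret file per server name under a directory (`SECRET_DIR`, a placeholder path chosen here) and refuses to print anything when the name is not a plain hostname, the file is missing, or the file is readable by group or others, so a loose permission makes httpd fail at startup instead of silently using a secret that may already have leaked.

```shell
#!/bin/sh
# Added example (not part of the original post): a passphrase helper for
# "SSLPassPhraseDialog exec:" that replaces the one-line echo script. mod_ssl
# runs the program with "servername:port" as $1 (and the key type, e.g. RSA,
# as $2) and takes its stdout as the passphrase.
# Assumptions: one secret file per server name under SECRET_DIR, owned by root
# with mode 0600; the directory path is a placeholder.

SECRET_DIR=${SECRET_DIR:-/usr/local/etc/apache/passphrases}

# Print the passphrase for "$1" (servername:port). Refuse, so that httpd fails
# to start instead of silently using a leaked secret, when the name is not a
# plain hostname, the file is missing, or group/other can read it.
passphrase_for() {
    host=${1%%:*}
    case $host in
        ''|*/*|*..*|-*) return 1 ;;    # no path components, no option-like names
    esac
    f="$SECRET_DIR/$host"
    [ -f "$f" ] || return 1
    # ls -l prints -rw------- for 0600; columns 5-10 are the group/other bits
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || return 1
    # Only the first line is the secret; $(...) drops the trailing newline.
    printf '%s' "$(head -n 1 "$f")"
}

# Entry point used by mod_ssl; nothing runs when sourced without arguments.
if [ $# -ge 1 ]; then
    passphrase_for "$1" || exit 1
fi
```

Install it as `/usr/local/etc/apache/password.sh` with mode 0700 owned by root, put the passphrase for `www.agliardi.net` in `/usr/local/etc/apache/passphrases/www.agliardi.net` with mode 0600, and keep the `SSLPassPhraseDialog exec:` line unchanged.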
Now that we have the private key, we can generate the CSR (Certificate Signing Request). The CSR can be used in two ways:
- By submitting the CSR to a Certificate Authority, which will verify the identity of the applicant and issue a signed certificate
- By using the CSR to generate a self-signed certificate
We deal here with the second case: the CSR is used to generate a self-signed certificate, that is, one not recognized by any Certificate Authority. Certificates of this kind give the visitor no assurance about the identity of the server, but they are technically equivalent to CA-issued certificates: the SSL session is encrypted in exactly the same way. What is missing is a trusted third party vouching for the public key, so a client cannot tell this server from an impostor presenting its own self-signed certificate unless it has obtained the certificate, or its fingerprint, through some other trusted channel.
During the creation of the CSR some information will be requested through simple text prompts. This information becomes the attributes of the X.509 certificate. The most important entry is the "Common Name (eg, YOUR name)", which must match the FQDN (Fully Qualified Domain Name) of the server that clients will connect to over SSL. The command to generate the CSR is the following:
$ openssl req -new -key server.key -out server.csr
Then we proceed to generate the self-signed certificate with the command:
$ openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
The certificate thus produced will be valid for 10 years.
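As an added example (not a script from the original post), the whole key, CSR and self-signed certificate procedure above, run non-interactively with current defaults and followed by the checks worth doing before copying the files into Apache's `ssl.key/` and `ssl.crt/` directories: that the certificate really contains the public half of the key, that nobody but the owner can read the key, that the certificate names the host, and that it validates only against itself. It assumes OpenSSL 1.1.1 or later on the PATH; the hostname `www.example.org`, the output directory and the validity period are placeholders. It goes slightly beyond the text by adding a `subjectAltName` extension, which modern clients require instead of matching the Common Name.

```shell
#!/bin/sh
# Added example (not part of the original post): the key -> CSR -> self-signed
# certificate procedure, done non-interactively with current defaults and
# followed by the checks worth running before installing the files in Apache.
# Assumptions: OpenSSL 1.1.1 or later on PATH; the hostname www.example.org,
# the output directory and the validity period are placeholders.
set -eu

# Generate an unencrypted 2048-bit key that only its owner can read (umask 077
# applies only inside the subshell), a CSR whose CN is the FQDN, and a
# self-signed certificate. The subjectAltName extension is added because
# modern clients match the hostname against the SAN, not the CN.
make_selfsigned() {  # $1 = output dir, $2 = FQDN, $3 = validity in days
    dir=$1 fqdn=$2 days=$3
    mkdir -p "$dir"
    ( umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null )
    openssl req -new -key "$dir/server.key" -subj "/CN=$fqdn" \
        -out "$dir/server.csr" 2>/dev/null
    printf 'subjectAltName = DNS:%s\n' "$fqdn" > "$dir/san.ext"
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -extfile "$dir/san.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# The certificate must carry the public half of this key: derive the public
# key from each file and compare them byte for byte.
key_matches_cert() {  # $1 = dir
    k=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1/server.crt" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Group and other permission bits of the key file must all be off
# (the ls -l mode string is -rw------- or -r--------; columns 5-10).
key_is_private() {  # $1 = dir
    [ "$(ls -l "$1/server.key" | cut -c5-10)" = "------" ]
}

# The SAN must name the host that clients will connect to.
cert_has_san() {  # $1 = dir, $2 = FQDN
    openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$2"
}

# A self-signed certificate validates only against itself: this succeeds with
# the certificate as the trust anchor and fails against any other store,
# which is why browsers warn until the user trusts it explicitly.
verify_self_signed() {  # $1 = dir
    openssl verify -CAfile "$1/server.crt" "$1/server.crt" >/dev/null 2>&1
}

# Stand-alone run: build into a temporary directory and report the results,
# ending with the SHA-256 fingerprint to hand to clients out of band.
demo=$(mktemp -d)
make_selfsigned "$demo" www.example.org 3650
for check in key_matches_cert key_is_private verify_self_signed; do
    if "$check" "$demo"; then echo "$check: ok"; else echo "$check: FAILED"; fi
done
if cert_has_san "$demo" www.example.org; then echo "cert_has_san: ok"; fi
openssl x509 -in "$demo/server.crt" -noout -subject -enddate -fingerprint -sha256
rm -rf "$demo"
```

The fingerprint printed at the end is what a visitor can compare against the one the browser shows, which is the only way to tell this self-signed certificate from an impostor's.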
Now the configuration of the Apache web server must be changed. First identify the directories into which the certificate and the key will be moved; in our case:
/usr/local/apache/etc/ssl.crt/
/usr/local/apache/etc/ssl.key/
Once the files have been moved, simply edit httpd.conf so that at each restart Apache loads the settings of the virtual host that must answer over SSL. Here is a fairly simple one that works on the standard port 443:
# SSL Virtual Hosts
<IfDefine SSL>
<VirtualHost _default_:443>
ServerAdmin webmaster@agliardi.net
DocumentRoot /usr/local/apache/share/htdocs
ServerName www.agliardi.net
ScriptAlias /cgi-bin/ /usr/local/apache/share/htdocs/cgi-bin/
SSLEngine on
SSLCertificateFile /usr/local/apache/etc/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/etc/ssl.key/server.pem
SSLPassPhraseDialog exec:/usr/local/etc/apache/password.sh
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /usr/local/apache/var/log/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
These directives create an SSL virtual host called www.agliardi.net, reachable on port 443 at the default IP address of your web server.
You can add as many SSL virtual hosts as you need, but take care to specify a different port for each of them, unless you have a dedicated IP address for each domain, which happens quite rarely. The reason is that the certificate is chosen when the SSL connection is set up, before the browser has sent the Host header, so Apache 1.3 with mod_ssl can only tell the virtual hosts apart by IP address and port. (Apache 2.2.12 and later, built against OpenSSL 0.9.8j or later, support SNI, with which name-based SSL virtual hosts can share one address and port.)
Now restart Apache and point your browser at https://www.agliardi.net ! Since the certificate is self-signed, the browser will warn that it cannot verify the issuer; compare the fingerprint it shows with the one on the server (`openssl x509 -in server.crt -noout -fingerprint`) before accepting it.