Setting up SSL Certificates on Apache

Apache, IMAP, and Exim all support SSL connections. I want webmail connections to be encrypted, so that passwords are not sent over the internet in plain text, so I needed to create a key and a certificate for Apache. For testing purposes I am going to be my own certificate authority; this will most likely change for the production server, since a certificate signed by a private CA produces a browser warning unless every client has imported the CA certificate. You don't have to use a certificate authority at all: a self-signed server certificate also works - see http://www.tldp.org/HOWTO/SSL-RedHat-HOWTO.html

Note: The author of this page, and owner of this web site, is not to be held liable for any damage or trouble arising from following these directions. You are responsible for your own security, use, and creation of certificates.

See http://www.eclectica.ca/ssl-cert-howto.php for much more information. (Much of what I cover here was learned from this page.)

Quick steps:

  1. Setup and create root certificate.
  2. Create a key and signing request.
  3. Sign the request.
  4. Copy to the correct location.
  5. Edit the apache config file.
  6. Restart apache.
  7. Tips.

The following covers the command-line way of doing it. If you are using a GUI, it should be fairly simple to follow along.

Note: I am running Red Hat Linux 8.0, apache 2.x with mod_ssl, and openssl 0.9.x. Steps vary slightly when you are using an external certificate authority: you send it the signing request from step 2 and it returns the signed certificate, so step 3 is done on its side rather than yours.

1) Setup and create root certificate

See Setting up OpenSSL to Create Certificates. That page creates the sslcert working directory, the openssl.cnf referenced below, the 'serial' and 'index.txt' files that openssl ca needs, and the CA key and root certificate. All commands below are run from the sslcert directory, as the same user.

2) Create a key and signing request

To do this type (the -nodes option leaves the private key unencrypted, which is what you want for Apache so it can start at boot without a passphrase prompt; it also means the key file must be readable by root only):
openssl req -new -nodes -out name-req.pem -keyout private/name-key.pem -config ./openssl.cnf

You will be prompted for information. The critical part is the "Common Name". This must be the server's hostname exactly as clients will type it, such as mail.your.domain; an IP address also works if that is what clients connect to. If you want to cover all hosts in a domain you can enter *.your.domain (a wildcard covers one label only: it matches mail.your.domain but not your.domain or a.b.your.domain). Note that current browsers match the hostname against the subjectAltName extension rather than the Common Name, so a certificate for a public site should carry the name there as well. Use the "Organizational Unit" to remind you what the certificate is for, such as "Web Server".

Name Field              Explanation                                                    Example
----------------------  -------------------------------------------------------------  -------------------
Country Name            The two-letter ISO abbreviation for your country.              US (United States)
State or Province Name  The state or province where your organization is located.     Georgia
                        Cannot be abbreviated.
City or Locality        The city where your organization is located.                   Atlanta
Organization Name       The exact legal name of your organization. Do not abbreviate.  SSL Secure Inc.
Organizational Unit     Optional; additional organization information.                 Marketing
Common Name             The fully qualified domain name of your web server. You will   www.domain.tld
                        get a certificate name check warning if this is not an
                        exact match.
Email address           The server admin's email address.                              someone@your.domain

This generates two files:
name-req.pem - the signing request (safe to hand to anyone; it contains only the public key and the name fields)
name-key.pem - the private key, written to the private directory (keep it readable by you only)

3) Sign the request

This will generate the certificate.

Type:
openssl ca -out name-cert.pem -config ./openssl.cnf -infiles name-req.pem

You will be prompted for the passphrase protecting the CA's private key, which you chose when creating the root certificate.

Two files are created:
name-cert.pem - which is the certificate
<number>.pem - a copy of it in the certs directory, named after the serial number the CA assigned (the next value from the 'serial' file, which is incremented for you)
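The three openssl steps above, as an added example that is not part of the original tutorial: a shell script that builds a throwaway CA in one go, issues the server certificate, and then checks the result the way you would before handing it to Apache. The directory layout and file names (sslcert, private/name-key.pem, name-req.pem, name-cert.pem, certs/<serial>.pem) follow the tutorial; the openssl.cnf it writes is an assumed minimal stand-in for the one the "Setting up OpenSSL to Create Certificates" page sets up, and it puts the hostname in subjectAltName as well as the Common Name because that is the field browsers check. It needs only the openssl command.

```shell
#!/bin/sh
# Added example (not from the tutorial): throwaway CA + one server certificate,
# built and checked end to end. The openssl.cnf written here is an assumed
# minimal stand-in for the tutorial's; the hostname defaults to the one the
# tutorial uses.

make_ca_and_cert() {
    dir=${1:-./sslcert}            # CA working directory (assumption)
    host=${2:-mail.your.domain}    # Common Name and subjectAltName of the server

    # 'serial' and 'index.txt' must be FILES, not directories: 'openssl ca'
    # reads the next serial number from one and appends a record to the other.
    mkdir -p "$dir/private" "$dir/certs"
    chmod 700 "$dir/private"
    [ -f "$dir/serial" ]    || echo 01 > "$dir/serial"
    [ -f "$dir/index.txt" ] || : > "$dir/index.txt"

    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = local_ca
[ local_ca ]
dir             = $dir
new_certs_dir   = \$dir/certs
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_days    = 365
default_md      = sha256
policy          = local_policy
[ local_policy ]
commonName              = supplied
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
emailAddress            = optional
[ req ]
default_bits        = 2048
distinguished_name  = req_dn
[ req_dn ]
commonName              = Common Name (server hostname)
organizationalUnitName  = Organizational Unit
[ ca_ext ]
basicConstraints        = critical, CA:true
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
[ server_ext ]
basicConstraints        = CA:false
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth
subjectAltName          = DNS:$host
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid, issuer
EOF

    # Step 1: self-signed root. The tutorial's CA key is passphrase-protected
    # (hence the prompt in step 3); -nodes here keeps this script unattended.
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -subj "/O=Example CA/CN=Example Test CA" \
        -config "$dir/openssl.cnf" -extensions ca_ext \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" || return 1

    # Step 2: server key and request. -subj replaces the interactive prompts;
    # -nodes leaves the key unencrypted so Apache can start without a passphrase.
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -subj "/OU=Web Server/CN=$host" \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/private/name-key.pem" -out "$dir/name-req.pem" || return 1

    # Step 3: sign. The CA, not the requester, decides the extensions, so the
    # hostname lands in subjectAltName regardless of what the request said.
    openssl ca -batch -config "$dir/openssl.cnf" -extensions server_ext \
        -in "$dir/name-req.pem" -out "$dir/name-cert.pem" || return 1
}

# The checks worth doing before copying the files to Apache: the certificate
# chains to the root, the hostname is in subjectAltName, and the CA kept its
# copy under certs/ named after the serial number it assigned.
verify_cert() {
    dir=${1:-./sslcert}
    host=${2:-mail.your.domain}
    openssl verify -CAfile "$dir/cacert.pem" "$dir/name-cert.pem" >/dev/null || return 1
    openssl x509 -in "$dir/name-cert.pem" -noout -text | grep -qF "DNS:$host" || return 1
    serial=$(openssl x509 -in "$dir/name-cert.pem" -noout -serial | cut -d= -f2)
    [ -f "$dir/certs/$serial.pem" ] || return 1
}

# Usage: make_ca_and_cert ./sslcert mail.your.domain && verify_cert ./sslcert mail.your.domain
```

The script runs the three tutorial steps against its own sslcert directory, so it is safe to try on a scratch machine; run it with an existing CA directory only after reading the generated openssl.cnf, because it overwrites that file. If verify_cert fails on the subjectAltName line, the certificate was issued without the extension and browsers will warn even though the Common Name is right.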

4) Copy to the correct location

For apache 2.x on Red Hat using the default locations, copy the two files from the sslcert directory:
For the key (step 2 wrote it to the private subdirectory):
cp private/name-key.pem /etc/httpd/conf/ssl.key/
For the certificate:
cp name-cert.pem /etc/httpd/conf/ssl.crt/
The key is not passphrase-protected, so after copying check with ls -l that it is owned by root and readable by root only; the certificate is public and needs no such protection.

5) Edit the apache config file

For apache on Red Hat using the default location, the main config file is /etc/httpd/conf/httpd.conf. Note that httpd.conf includes the files in /etc/httpd/conf.d/, and the mod_ssl package installs /etc/httpd/conf.d/ssl.conf with a ready-made SSL VirtualHost; check for that file first and edit it rather than adding a second VirtualHost for port 443 to httpd.conf, otherwise you end up with two SSL virtual hosts competing for the same address and port. Create a VirtualHost section for your web server. Basic example:

<VirtualHost 192.168.1.1:443>
    DocumentRoot /var/www/html
    # Must match the Common Name in the certificate, or browsers warn.
    ServerName mail.your.domain
    ServerAdmin someone@your.domain
    ErrorLog /etc/httpd/logs/ssl_error_log
    TransferLog /etc/httpd/logs/ssl_access_log
    SSLEngine On
    # The certificate and the unencrypted key copied in step 4.
    SSLCertificateFile /etc/httpd/conf/ssl.crt/name-cert.pem
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/name-key.pem
    # Expose SSL_* variables to scripts (costs CPU, so only where needed).
    <Files ~ "\.(cgi|shtml|php)$">
      SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
      SSLOptions +StdEnvVars
    </Directory>
    # Work around broken SSL connection shutdown in old Internet Explorer.
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    # Log protocol and cipher per request so weak ones can be spotted.
    CustomLog /etc/httpd/logs/ssl_request_log \
      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Also see http://httpd.apache.org/docs-2.0/mod/mod_ssl.html

6) Restart apache

Check the configuration first with apachectl configtest, then restart. Example:
service httpd restart
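Before restarting, it is worth checking the copied files for the three things that most often make a fresh SSL host fail to start or warn immediately: a key readable by other users, a key and certificate that do not belong together, and a certificate about to expire. The following is an added example, not part of the original tutorial; the key and certificate paths are passed in, and the 30-day renewal window is an assumed default.

```shell
#!/bin/sh
# Added example (not from the tutorial): checks on a key/certificate pair
# before pointing SSLCertificateKeyFile and SSLCertificateFile at them and
# running "service httpd restart". Paths are arguments; 30 days is assumed.

ssl_preflight() {
    key=$1
    cert=$2
    days=${3:-30}

    # A -nodes key is stored unencrypted, so nothing but the owner may read it
    # (mode 600 or 400: the group and other columns of ls -l must all be '-').
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] ||
        { echo "$key: must not be group/world readable" >&2; return 1; }

    # The certificate must have been issued for this key, otherwise Apache
    # refuses to start with a key/certificate mismatch error. Comparing the
    # public keys works for RSA and EC keys alike.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "$key: not a readable private key" >&2; return 1; }
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "$cert: not a readable certificate" >&2; return 1; }
    [ "$kpub" = "$cpub" ] ||
        { echo "$cert: does not match $key" >&2; return 1; }

    # Catch expiry ahead of time rather than as a browser warning.
    # -checkend takes a number of seconds.
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null ||
        { echo "$cert: expires within $days days" >&2; return 1; }
}

# Usage: ssl_preflight /etc/httpd/conf/ssl.key/name-key.pem /etc/httpd/conf/ssl.crt/name-cert.pem
```

Run it as root after step 4, and again from cron with a longer window (the third argument) so the renewal from the Tips section is done before the certificate lapses; a failing check prints the reason on stderr and returns nonzero, so it drops straight into a script or a cron mail.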

7) Tips

The certificate we created is only good for 365 days (the default_days setting in openssl.cnf). When it expires visitors to your site will receive a warning message. Don't forget to re-issue the certificate each year, or however long you set it for; the existing key can be reused, but generating a fresh one at the same time (steps 2 and 3 again) is good practice.

For Squirrelmail, get the secure_login plugin. This will force https for login and switch back to http after.


This was the most accurate SSL tutorial on a Red Hat based system!!!


Thank you very much!
Really helpful!

permission denied error

On a third step, after I provide the password, I get following error:

"./serial: Permission denied
error while loading serial number"

Any idea? The serial folder is present, though it is empty. Under properties for this folder, the 'read-only' box is filled in but not checked.

thanks

permission denied error

Make sure 'serial' is a file, not a folder. Go back to step 3 here, in "Setting up OpenSSL to Create Certificates".

All commands, unless stated otherwise, assume you are using the same user ID/account throughout. For example it could be you created the 'serial' file as root and are now trying to sign the certificate using another user ID. Also, you should be running the commands, unless stated otherwise, from the 'sslcert' directory. Re-read step 1 here if needed.

greetings

Very, very useful indeed; it cleared my doubts.


Is the following directive correct? Isn't it supposed to end with .crt ?

SSLCertificateFile /etc/httpd/conf/ssl.crt/name-cert.pem


The 'pem' suffix is AOK in this context because Apache need only reference this file; what's important is that it is pem-encoded, not that it's named as such.

On the other hand, if you are your own CA, and plan to deliver your CA certificate via a web page, Apache has a mime-type for files with suffix '.crt'. Naming your CA Authority Certificate file '*.crt' allows you to serve it up directly from a web page into a user's Certificate Authority store.


Thanks for explaining it clearly. Saved me a lot of time.

Can it be done for shared ip address?

Can you set up ssl if you have a shared ip address ?

Re: Can it be done for shared ip addresses?

You might want to do a web search for the key words:
openssl shared certificate
À la Google: http://www.google.com/search?q=openssl+shared+certificate

I have no experience with the various methods out there, as mine leads more towards multiple IPs and one domain name (à la load balancing).

Thanks!

Thanks! It was quite useful
Greetings from Spain

Super ;)

Thanks for the script!

Greets, Diamondo25