Creating the Certificate
To create the key and certificate we need to open a command line in the directory where openssl.exe was copied. In this
example we copied openssl.exe to the Apache Group/Apache2/Bin directory. The examples below will create
two files named "my-server.key" and "my-server.crt". To create the files, type in the openssl commands shown.
To sum everything up, we will run the following three openssl commands:
Create a private key and a CSR (Certificate Signing Request):
openssl req -config openssl.cnf -new -out my-server.csr
Remove the passphrase from the key file we just created above:
openssl rsa -in privkey.pem -out my-server.key
Create a temporary self-signed certificate (for testing only, not the real thing):
openssl x509 -in my-server.csr -out my-server.crt -req -signkey my-server.key -days 365
NOTE: The name "my-server" in the examples below is a name you make up or assign yourself that is associated with
the domain that will require a certificate. However, if you are following all the examples, use "my-server" for now.
We can always go back and repeat the examples, assigning a more meaningful name in place of "my-server".
Create a private key and CSR
"openssl req -config openssl.cnf -new -out my-server.csr"
The openssl req command will prompt you for additional information, then create and process a certificate request in
PKCS#10 format using the config file openssl.cnf. After the completion of this command you will have a certificate signing request and a private key.
When prompted for "Common Name (eg, your website's domain name)", give the exact domain name of your web server
(e.g. www.my-server.com). The certificate belongs to this server name, and browsers complain if the name doesn't match.
Pass phrase! What's a pass phrase? It's a password, but it is usually a whole phrase, such as 'How are you'. This had me stumped for a while,
and it is going to be the first prompt on this command. Regardless, we will be removing it in the next step.
Sample Prompt (screenshot): Certificate signing request.
Remove Pass Phrase
"openssl rsa -in privkey.pem -out my-server.key"
The openssl rsa command as shown above will remove the pass phrase
from the RSA private key. You MUST understand what this means: "my-server.key" is now unencrypted, so it
should be readable only by the Apache server and the administrator. If it exists, you should also delete the ".rnd"
file, because it contains the entropy information used when creating the key and could be used for cryptographic attacks
against your private key.
If you choose to leave the pass phrase on your SSL private key file, then each time you start up the Apache server
a pop-up dialog will be displayed prompting you to enter the pass phrase. For some people this poses a problem when
the system experiences a crash or reboot and no one is around to enter the pass phrase after the automatic restart.
Sample Prompt (screenshot): Remove pass phrase on an RSA private key.
Create Self-Signed Certificate
"openssl x509 -in my-server.csr -out my-server.crt -req -signkey my-server.key -days 365"
The openssl x509 command is a multi-purpose certificate utility. It can be used to display certificate information, convert certificates
to various forms, sign certificate requests like a "mini CA", or edit certificate trust settings.
The above example creates a self-signed certificate that you can use until you get a "real" one from a certificate
authority.
(Buying one is optional; if you know your users, you can tell them to install the self-signed certificate into their browsers.)
Note that this certificate expires after one year; increase -days 365 if you don't want this.
Sample Prompt (screenshot): Self-signed certificate.
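The three steps above run end to end, as an added example that is not part of the original page, followed by the checks worth making before the files go anywhere near conf/ssl: the certificate really carries the public half of "my-server.key", the Common Name is the exact server name, and the unencrypted key is readable only by its owner. It assumes a Unix-like shell with openssl on PATH and the default openssl.cnf (so no -config is needed); the subject and the temporary pass phrase are constructed sample values.

```shell
#!/bin/sh
# Added example, not the page's own commands: the req / rsa / x509 procedure
# run non-interactively, plus post-generation checks. Assumes openssl on PATH.
set -e

# Step 1: pass-phrase-protected private key plus a PKCS#10 CSR.
# "temp-passphrase" and the subject are constructed sample values.
make_key_and_csr() {   # $1 = base name, $2 = Common Name (server DNS name)
    openssl req -new -newkey rsa:2048 \
        -keyout "$1-privkey.pem" -passout pass:temp-passphrase \
        -subj "/C=US/O=Example/CN=$2" -out "$1.csr" 2>/dev/null
}

# Step 2: strip the pass phrase so Apache can start unattended, then lock
# the file down and remove the seed file the text tells you to delete.
remove_passphrase() {  # $1 = base name
    openssl rsa -in "$1-privkey.pem" -passin pass:temp-passphrase \
        -out "$1.key" 2>/dev/null
    chmod 600 "$1.key"   # owner (administrator / server user) only
    rm -f .rnd
}

# Step 3: self-sign the CSR with the unprotected key.
self_sign() {          # $1 = base name, $2 = validity in days
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days "$2" \
        -out "$1.crt" 2>/dev/null
}

# Check 1: the public key inside the cert must equal the key's public half.
cert_matches_key() {   # $1 = base name; prints "match" or "MISMATCH"
    c=$(openssl x509 -in "$1.crt" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$1.key" -pubout | openssl sha256)
    [ "$c" = "$k" ] && echo match || echo MISMATCH
}

# Check 2: the subject CN must be the exact name browsers will connect to.
cert_cn() {            # $1 = base name; prints the CN
    openssl x509 -in "$1.crt" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Check 3: the key must not be group- or world-readable (prints octal mode).
key_mode() {           # $1 = base name
    stat -c '%a' "$1.key" 2>/dev/null || stat -f '%Lp' "$1.key"
}

make_key_and_csr my-server www.my-server.com
remove_passphrase my-server
self_sign my-server 365
```

The CN check matters because the page's step 1 prompt is the only place the name is entered; a typo there is not reported by any of the three commands and only shows up as a browser warning.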
Copy the Certificate
After typing the above commands we have created three files: "my-server.csr", "my-server.key" and "my-server.crt".
NOTE: the Certificate Signing Request file "my-server.csr" will not be used in this example. This is the file whose
contents you copy, paste and send to your selected SSL provider, such as www.rapidssl.com, to purchase a real certificate.

We now need to copy the files to the Apache Group/Apache2/conf/ssl directory. If the ssl directory does not exist in
Apache Group/Apache2/conf/, then create it.
Copy the file "my-server.key" from the Apache Group/Apache2/Bin directory to the
Apache Group/Apache2/conf/ssl directory.
Copy the file "my-server.crt" from the Apache Group/Apache2/Bin directory to the
Apache Group/Apache2/conf/ssl directory.
Start the Server and Test https
At this point we are finished! Hopefully we will be able to access the server with SSL support by using https
instead of http. It is advisable to start the server from a command line using the command "apache -k start".
This way, if we made any mistakes, we can view the error message on the console. We can also check
error.log and SSL.log for any errors.
NOTE: If you're using a router, don't forget to open port 443 on it!
To test https, type the following into the browser address line:
https://www.my-server.com:443
where "www.my-server.com" is the name found in the ServerName setting of the VirtualHost in your ssl.conf. If all goes well,
we will be asked whether we want to proceed using the security certificate (the browser warns because the certificate is self-signed, not because the setup is broken).