Setting up an SSL Certificate in Apache | WebReference

Setting up an SSL Certificate in Apache

By Sukrit Dhandhania



The Apache web server was designed in an era when some of the issues we face today could not be foreseen. When HTTP, the protocol Apache uses for its communication, was designed, it was assumed that data transmission would be secure. Times have changed and network security has become rather important to us, especially for certain tasks. That is where SSL certificates come in. SSL is a protocol for cryptographically securing transactions between a web browser and a web server. The way it works is that the server has a certificate, which it uses to guarantee to the client that the connection is to the right host.

SSL certificates are used by web servers on a different port: port 443, as opposed to port 80 used for HTTP. Port 443 is for HTTPS traffic. Let's look at how to set this up for your server. You need an SSL certificate, access to an installation of the Apache web server compiled with SSL support and to the operating system on which it is running, and port 443 to be open.

How SSL Works

Here's how SSL certification works:

1. The client browser connects to the web server and gives a list of available ciphers.
2. The server then picks the strongest cipher that both parties support, and returns a certificate with its name and public encryption key, signed by a trusted Certificate Authority (CA). The client checks the certificate with the CA.
3. The client then returns a random number encrypted with the server's public key. Only the client knows the number, and only the server can decrypt it (using its private key).
4. The server and client use this random number to generate key material to use for the rest of the transaction. Voila, you have your secure connection.

Get or Create an SSL Certificate

Step one is to figure out what level of security you are looking for. If you want to purchase your SSL certificate, there are several domain registrars on the web that issue SSL certificates. The cost varies from company to company. Alternatively, you can generate your own SSL certificate. To buy a certificate, go to a registrar such as Verisign or Network Solutions. There are several other options too. Generating your own certificate is a less secure and less trusted approach, but great for testing out the process without spending a penny. Run the following in a terminal command line on your server, replacing the domain in -subj '/O=Company/OU=Department/CN=www.sevenacross.com' with your own. This bit will generate a self-signed certificate:

This step should create two files, server.key and server.crt. Copy these files into /etc/apache2/ssl or whatever directory you store your Apache-related files in. Also, make sure that you set the file permissions of these files so that server.key is only readable by the root user, and server.crt is world readable, but only root should be able to write to it.
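The steps above, as an added example that is not the original article's command: it generates server.key and server.crt with the -subj form shown in the text, applies the permissions just described, and checks that the certificate belongs to the key. The function names, the 2048-bit RSA key, the 365-day validity and the subjectAltName extension (which needs OpenSSL 1.1.1 or later) are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own command. make_selfsigned,
# cert_matches_key and has_mode are hypothetical helper names.

# Generate a self-signed key/certificate pair for host name $2 in directory $1.
make_selfsigned() {
    dir=$1; cn=$2
    key="$dir/server.key"; crt="$dir/server.crt"
    mkdir -p "$dir" || return 1
    # Generate under a restrictive umask so the private key is never
    # group/world readable, not even between creation and chmod.
    (
        umask 077
        # Assumed parameters: RSA 2048, SHA-256, 365 days. Current clients
        # match the host against subjectAltName, so it is set next to CN.
        openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
            -subj "/O=Company/OU=Department/CN=$cn" \
            -addext "subjectAltName=DNS:$cn" \
            -keyout "$key" -out "$crt" 2>/dev/null
    ) || return 1
    chmod 600 "$key"   # private key: readable and writable by its owner only
    chmod 644 "$crt"   # certificate: world readable, writable by its owner only
    # On the server the owner should be root, as the text requires.
    if [ "$(id -u)" -eq 0 ]; then chown root "$key" "$crt"; fi
}

# Return 0 only if certificate $1 carries the public key of private key $2.
# A mismatched pair is a common reason Apache refuses to start with SSL.
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$a" = "$b" ]
}

# Return 0 only if file $1 has exactly the octal mode $2.
has_mode() {
    [ -n "$(find "$1" -perm "$2")" ]
}

# Usage (run as root on the server):
#   make_selfsigned /etc/apache2/ssl www.sevenacross.com &&
#   cert_matches_key /etc/apache2/ssl/server.crt /etc/apache2/ssl/server.key &&
#   has_mode /etc/apache2/ssl/server.key 600
```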

Set Up Apache to Use the SSL Certificate

First, make sure that Apache has SSL support enabled. Open the config files for Apache, apache.conf or httpd.conf, and check for the line Include /etc/apache2/mod_ssl.conf. If it's not there, add it and restart the web server. Also, check to see if the following entries exist:

Now edit the file /etc/apache2/sites-enabled/yoursite and add the location of the SSL certificate files. Find the following lines and change the path to contain the location of the files, server.crt and server.key:

The configuration file will look something like this:

Testing the Configuration

Now that you have made the necessary changes to the Apache configuration file, you need to restart the web server and test out the new settings. To restart the server use a command like # service httpd restart. The test for this setup is quite straightforward. You need to make sure that you have a page available at the root location of your domain name. Then go to the address https://www.yourdomain.com, replacing yourdomain with your correct domain name. You should see a bunch of messages telling you that you have received a new SSL certificate.

If you are planning to use SSL certificates on a web service or a website, I would strongly advise you against using a certificate generated by you. Instead, make sure you get a certificate from an established CA. It not only ensures greater security but also works in your favor when trust issues come up with people visiting your website.

Original: January 27, 2010

