12. Configuring Apache for SSL

12.1. Create self-signed certificate

NoteImportant
 

This section shows how to generate a self-signed certificate that is not protected by a password. The file server.key should be made readable for the webserver only.

This section is only relevant if you don't have a certificate already, and don't prefer to buy one from a certificate authority.

In the following, make sure you enter the FQDN (Fully Qualified Domain Name) of the server when CA.pl prompts you for the "CommonName".

sh# CA.pl -newcert
sh# cp newreq.pem newreq.key
sh# vi newreq.key 

Delete everything from '-----BEGIN CERTIFICATE-----' to '-----END CERTIFICATE-----'.

sh# openssl rsa -in newreq.key -out server.key
sh# chown www server.key && chmod 600 server.key
sh# cp newreq.pem server.crt
sh# vi server.crt

Delete everything from '-----BEGIN RSA PRIVATE KEY-----' to '-----END RSA PRIVATE KEY-----'.

12.2. Configure Apache

This is just about the minimum to get SSL running. Tell Apache to listen on port 443 (in addition to 80), and configure a virtual host for port 443 with SSL enabled. For more detailed information, refer to the Apache manual at http://httpd.apache.org/docs-project/

Listen 443

<VirtualHost _default_:443>
DocumentRoot /var/www
ServerName www.example.com

SSLEngine on
SSLCertificateFile    /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
</VirtualHost>