SSL stands for Secure Sockets Layer and TLS stands for Transport Layer Security. They are a family of protocols that were originally designed to provide security for HTTP transactions, but they can also be used for other internet protocols. The following describes the procedure for configuring the Apache2 HTTP server to provide HTTPS connections using OpenSSL.
Managing Certificates
To have a working SSL implementation, the first step is to create a server certificate using the openssl command.
A public/private key pair must be generated before you can create a certificate request. Create the key with the following command line:
$ openssl genrsa -des3 -out server.key 1024
genrsa indicates to generate a key pair
-des3 indicates the key is protected by a pass phrase
-out indicates where to store the results
1024 indicates the number of bits of the generated key
Because the key is protected by a pass phrase, Apache will ask for it at each startup. If you don’t want Apache to prompt you for a pass phrase every time you start or restart it, omit the “-des3” option.
To learn about the contents of the key file use the following command:
$ openssl rsa -noout -text -in server.key
To get a certificate issued by a CA, you must submit what is called a certificate signing request. To create a request, issue the following command:
$ openssl req -new -key server.key -out server.csr
You will be prompted to enter the certificate information. It is important that the Common Name field entry matches the address of your website; if the name is different, the web browser will issue a warning to the user indicating the mismatch.
To learn about the contents of the certificate use the following command:
$ openssl req -noout -text -in server.csr
You can submit the certificate signing request file to a CA for processing if the certificate is for broad internet use, for example VeriSign or Thawte. If the certificate is for development, testing or internal use, you can create a self-signed certificate:
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Without the “-days” option the default validity is 30 days.
Note: Your certificate private key should be only readable by the root user.
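The steps above, carried out non-interactively and followed by the checks a practitioner would run before handing the files to Apache, as an added example that is not part of the original page. It assumes the hostname www.example.test and a scratch output directory (both chosen for this example), uses a 2048-bit key rather than the 1024 bits shown above (1024-bit RSA is no longer considered adequate), and omits -des3 so Apache starts without a pass phrase prompt. It then verifies that the certificate’s Common Name matches the hostname, that the certificate really belongs to the private key, and that the key is readable only by its owner, as the note above requires.

```shell
#!/bin/sh
# Added example, not code from the original page. Generates key, CSR and
# self-signed certificate for a hostname and verifies the result.
set -eu

# Generate key + CSR + self-signed cert for $1 (hostname) into $2 (directory).
# 2048-bit key, no -des3: Apache will not prompt for a pass phrase on start.
make_self_signed() {
    host=$1; dir=$2
    mkdir -p "$dir"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # -subj supplies the certificate fields so there are no interactive
    # prompts; the CN must equal the name clients will use to reach the site.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/O=Example Org/CN=$host" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    # The private key must be readable by its owner (root on the server) only.
    chmod 600 "$dir/server.key"
}

# Succeeds if the certificate's Common Name equals the expected hostname.
# RFC2253 output format is used so the subject line parses the same way
# across OpenSSL versions.
cert_cn_matches() {
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$2" ]
}

# Succeeds if the certificate was issued for the given private key:
# the public key embedded in the cert must equal the one derived from the key.
cert_matches_key() {
    from_cert=$(openssl x509 -noout -pubkey -in "$1")
    from_key=$(openssl rsa -in "$2" -pubout 2>/dev/null)
    [ "$from_cert" = "$from_key" ]
}

# Succeeds if the key file has mode 0600 (owner read/write only).
key_is_private() {
    [ -n "$(find "$1" -perm 600)" ]
}

# Runs all three checks on a generated set; exit status is the failure count.
verify_cert_set() {
    dir=$1; host=$2; fails=0
    cert_cn_matches "$dir/server.crt" "$host" \
        || { echo "CN does not match $host"; fails=$((fails + 1)); }
    cert_matches_key "$dir/server.crt" "$dir/server.key" \
        || { echo "certificate does not belong to server.key"; fails=$((fails + 1)); }
    key_is_private "$dir/server.key" \
        || { echo "server.key is readable by others"; fails=$((fails + 1)); }
    return "$fails"
}

# Usage on a server (as root): sh make_cert.sh www.example.com /etc/apache2/ssl
if [ $# -eq 2 ]; then
    make_self_signed "$1" "$2"
    if verify_cert_set "$2" "$1"; then
        echo "certificate set in $2 passed all checks"
    else
        echo "problems found, do not deploy" >&2
        exit 1
    fi
fi
```

The CN check is the one that catches the browser mismatch warning described above before any user sees it; the key/certificate comparison catches the common mistake of pairing a freshly generated key with an older certificate.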
Configuring Apache for Ubuntu
Place the certificate and the certificate private key in the directory /etc/apache2/ssl.
Enable the ssl module for Apache
$ a2enmod ssl
Enable Apache to listen on the HTTPS default port 443 by adding the following lines to /etc/apache2/ports.conf:
<IfModule mod_ssl.c>
Listen 443
</IfModule>
Inside the virtual host or httpd.conf configuration file add the lines similar to the following:
<VirtualHost _default_:443>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
</VirtualHost>
Redirecting HTTP traffic to HTTPS
If you want to force users to use HTTPS, you can redirect all HTTP traffic to the HTTPS site.
Enable URL rewrite support by executing the following command:
$ a2enmod rewrite
In the virtual host or httpd.conf configuration file add the following three lines under the <VirtualHost *:80> line:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
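A check that the redirect above behaves as intended when viewed from a client, as an added example that is not part of the original page. The fetch_headers helper retrieves the response headers of a URL with curl; check_redirect takes header text (from curl or, as in the usage below, constructed for the example) and succeeds only if the status is a redirect and the Location header points at the same host and path over https, which is exactly what the RewriteRule’s https://%{HTTP_HOST}%{REQUEST_URI} substitution should produce. The hostname www.example.test and the sample headers are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original page: verify the HTTP to HTTPS
# redirect from the outside rather than trusting the configuration file.
set -eu

# Response headers for a URL, without following redirects.
fetch_headers() {
    curl -sI "$1"
}

# $1 = response header text, $2 = expected host, $3 = expected request path.
# Succeeds only for a 3xx status whose Location is https://host/path.
check_redirect() {
    headers=$(printf '%s\n' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$headers" \
        | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    location=$(printf '%s\n' "$headers" \
        | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    case $status in
        301|302|307|308) ;;
        *) echo "no redirect issued (status ${status:-none})"; return 1 ;;
    esac
    expected="https://$2$3"
    if [ "$location" != "$expected" ]; then
        echo "Location is '$location', expected '$expected'"
        return 1
    fi
}

# Usage against a live server: sh check_redirect.sh www.example.com /login
if [ $# -eq 2 ]; then
    if check_redirect "$(fetch_headers "http://$1$2")" "$1" "$2"; then
        echo "http://$1$2 redirects correctly to https"
    else
        exit 1
    fi
fi
```

Running the check against the https URL as well should yield a non-redirect status; if it redirects again, the RewriteCond %{HTTPS} off line is missing and the site loops.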