Apache2 with official SSL certificate
On a SLES 11 server, run Apache2 with an official SSL certificate.
First make sure that all required modules and programs are installed (e.g. Apache2, OpenSSL, and so on).
- Start YaST and set up a web site. Make sure that under “Server Modules” SSL is set to active. Don’t set up a virtual host. Close YaST by clicking Finish. Attention! After this step you never touch YaST again for any configuration of the Apache2 server! From this point on all configuration is done by hand… ;o)
- Open a shell and switch to root with the command “su”. Create the directory ca with “mkdir ca” in a location of your choice (e.g. under the temp directory in the root directory). Change into this directory with the command “cd ca”.
- Create with the following command a private key for your Apache2 server:
$ openssl genrsa -des3 -out www.yourdomain-example.com.key 2048
Attention! You will be asked for a passphrase. Remember the passphrase you entered and take care not to lose it!
- Create with the following command a csr file:
$ openssl req -new -key www.yourdomain-example.com.key -out www.yourdomain-example.com.csr
Attention! You will be asked several questions while the csr file is being created. Under “Common Name” enter your domain name! E.g.: Common Name (eg, YOUR name) :*.mydomain.com
- With the content of the created csr file you can get an official certificate. For this step you have to go to a certification authority like VeriSign, thawte, GeoTrust, RapidSSL, and so on. Please check the vendor’s website for the procedure to get your own certificate.
- After finishing all formalities with your chosen vendor you (often) get two files back: your certificate and an intermediate certificate. Sometimes you have to download the intermediate certificate yourself; please heed the information from your chosen vendor.
- Now you have three files: www.yourdomain-example.com.crt (the content of this file is the official certificate from your chosen vendor), www.yourdomain-example.com.key (you created this under step 3) and finally the intermediate.crt file.
- Copy the file www.yourdomain-example.com.crt to the directory “/etc/apache2/ssl.crt”, the file www.yourdomain-example.com.key to the directory “/etc/apache2/ssl.key”, and the intermediate.crt file to the directory “/etc/apache2/ssl.crt”.
- Now change to the directory vhosts.d in the apache2 directory (/etc/apache2/vhosts.d).
Enter the command:
cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/your_favorite_ssl_site_name.conf
- Open your your_favorite_ssl_site_name.conf file with vi, or your favorite editor (remember you need root rights!), and change it until the directives look like the following example (of course you have to replace the file names and the domain name with your chosen names ;o) ). Please also notice that in this example all comment lines have been left out… ;o)
——————— vhost-file start ———————–
<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost www.yourdomain-example.com:443>
    DocumentRoot "/srv/www/htdocs"
    ServerName www.yourdomain-example.com:443
    ServerAdmin email@example.com
    ErrorLog /var/log/apache2/error_log
    TransferLog /var/log/apache2/access_log
    SSLProtocol all -SSLv2
    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM
    SSLCertificateFile /etc/apache2/ssl.crt/www.yourdomain-example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/www.yourdomain-example.com.key
    SSLCertificateChainFile /etc/apache2/ssl.crt/intermediate.crt
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/srv/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /var/log/apache2/ssl_request_log ssl_combined
</VirtualHost>
</IfDefine>
</IfDefine>
——————— vhost-file end ———————–
Save the your_favorite_ssl_site_name.conf file.
- Open the file httpd.conf under “/etc/apache2” and add at the end of the file:
- Create the passphrase-file in your chosen path and enter the following lines:
#!/bin/sh
echo "passphrase"
For "passphrase" insert the passphrase you chose in step 3. Save the file and make it executable with the command “chmod +x passphrase-file”. Test whether the file delivers the passphrase; you can do this with the command “./passphrase-file”.
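Before restarting it pays to check that certificate, key, intermediate and passphrase script really belong together. The following script is an added example and not part of the original how-to; it assumes the openssl CLI and the file paths used above (the passphrase script lives wherever you put it), and the -partial_chain and -checkhost options need OpenSSL 1.0.2 or newer, which older SLES 11 builds may lack.

```sh
#!/bin/sh
# Added example, not part of the original how-to: checks that certificate, key,
# intermediate and passphrase script from the steps above fit together before
# "rcapache2 restart". Needs the openssl CLI; -partial_chain and -checkhost need
# OpenSSL 1.0.2 or newer (an assumption for older SLES 11 builds).

# check_ssl_setup CERT KEY CHAIN PASSPHRASE_SCRIPT SERVERNAME
# Returns 0 if all checks pass; otherwise prints the first failing check and returns 1.
check_ssl_setup() {
    cert=$1 key=$2 chain=$3 pp=$4 host=$5

    # 1. The passphrase script prints the key's passphrase in clear, so anyone who can
    #    read the script can unlock the key. "chmod +x" alone leaves it world-readable
    #    (755); it should be root-owned with mode 700.
    [ -x "$pp" ] || { echo "FAIL: $pp is not executable"; return 1; }
    if ls -l "$pp" | cut -c5-10 | grep -q r; then
        echo "FAIL: $pp is readable by group or others (use chmod 700)"; return 1
    fi

    # 2. The passphrase the script prints must actually unlock the private key.
    "$pp" | openssl rsa -in "$key" -passin stdin -noout 2>/dev/null \
        || { echo "FAIL: passphrase from $pp does not unlock $key"; return 1; }

    # 3. Key and certificate must be one pair: identical RSA modulus.
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null)
    key_mod=$("$pp" | openssl rsa -in "$key" -passin stdin -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] \
        || { echo "FAIL: $key does not belong to $cert"; return 1; }

    # 4. The certificate must validate against the intermediate Apache sends along
    #    (SSLCertificateChainFile); otherwise browsers see an incomplete chain.
    openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert does not chain to $chain"; return 1; }

    # 5. The certificate must cover the vhost's ServerName (CN or SAN, wildcards included).
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null | grep -q "does match" \
        || { echo "FAIL: $cert is not valid for $host"; return 1; }

    echo "OK: $cert, $key, $chain and $pp fit together for $host"
}

# Usage: sh check-ssl-setup.sh CERT KEY CHAIN PASSPHRASE_SCRIPT SERVERNAME, e.g. with the
# paths from the how-to and the passphrase script wherever you created it.
if [ $# -eq 5 ]; then
    check_ssl_setup "$@"
fi
```

Apache itself obtains the passphrase through an SSLPassPhraseDialog exec: line in httpd.conf that points at the script, so the script has to work when run by root without a terminal.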
- Restart apache2 with the command “rcapache2 restart”.
Normally you should now be able to open your website over SSL in your browser. If you want to access your secure website from outside the hosting server ( ;o) ) remember to open port 443 on the firewall… ;o)