SUSE Conversations


Apache2 with official SSL certificate



By: geissler

April 11, 2011 11:22 am


The goal:

On a SLES 11 server, run Apache2 with an official SSL certificate.

The way:

First, make sure that all required modules and programs are installed (e.g. Apache2, OpenSSL, and so on).

  1. Start YaST and set up a web site. Make sure that SSL is set to active under “Server-Modules”. Don’t set up a virtual host. Close YaST by clicking Finish. Attention! After this step, never touch YaST again for any configuration of the Apache2 server! From this point on, all configuration is done by hand… ;o)
  2. Open a shell and switch to root rights with the command “su”. Create the directory ca with “mkdir ca” in a location of your choice (e.g. under the temp directory in the root directory). Change into this directory with the command “cd ca”.
  3. Create a private key for your Apache2 server with the following command:
    $ openssl genrsa -des3 -out www.yourdomain-example.com.key 2048

    Attention! You will be asked for a passphrase. Remember the passphrase you enter and take care not to lose it!

  4. Create a csr file with the following command:
    $ openssl req -new -key www.yourdomain-example.com.key -out www.yourdomain-example.com.csr

    Attention! You will be asked several questions while the csr file is being created. Under “Common Name” enter your domain name! E.g.: Common Name (eg, YOUR name) []:*.mydomain.com

  5. With the content of the created csr file you can get an official certificate. For this step you have to go to a certification organization like VeriSign, thawte, GeoTrust, RapidSSL, and so on. Please check the vendor’s website for the procedure to get your own certificate.
  6. After completing all formalities with your chosen vendor, you (often) get two certificates back: your own certificate and an intermediate certificate. Sometimes you have to download the intermediate certificate yourself; please heed the information from your chosen vendor.
  7. Now you have three files: www.yourdomain-example.com.crt (the content of this file is your official certificate from your chosen vendor), www.yourdomain-example.com.key (you created this in step 3), and finally intermediate.crt.
  8. Copy the file www.yourdomain-example.com.crt to the path “/etc/apache2/ssl.crt”, the file www.yourdomain-example.com.key to the path “/etc/apache2/ssl.key”, and the file intermediate.crt to the path “/etc/apache2/ssl.crt”.
  9. Now change to the directory vhosts.d in the apache2 directory (/etc/apache2/vhosts.d).

    Enter the command:

    cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/your_favorite_ssl_ssite_name.conf
  10. Open your your_favorite_ssl_ssite_name.conf file with vi or your favorite editor (remember that you need root rights!) and change it until the directives look like the following example (of course you have to change the file names and domain names to your own ;o) ). Please also note that all comment lines are left out of this example… ;o)

    ——————— vhost-file start ———————–

    
    <IfDefine SSL>
    <IfDefine !NOSSL>

    <VirtualHost www.yourdomain-example.com:443>

            DocumentRoot "/srv/www/htdocs"
            ServerName www.yourdomain-example.com:443
            ServerAdmin name@yourdomain-example.com
            ErrorLog /var/log/apache2/error_log
            TransferLog /var/log/apache2/access_log

            SSLProtocol all -SSLv2

            SSLEngine on

            SSLCipherSuite HIGH:MEDIUM

            SSLCertificateFile /etc/apache2/ssl.crt/www.yourdomain-example.com.crt

            SSLCertificateKeyFile /etc/apache2/ssl.key/www.yourdomain-example.com.key

            SSLCertificateChainFile /etc/apache2/ssl.crt/intermediate.crt

            <Files ~ "\.(cgi|shtml|phtml|php3?)$">
                SSLOptions +StdEnvVars
            </Files>
            <Directory "/srv/www/cgi-bin">
                SSLOptions +StdEnvVars
            </Directory>

            SetEnvIf User-Agent ".*MSIE.*" \
                     nokeepalive ssl-unclean-shutdown \
                     downgrade-1.0 force-response-1.0

            CustomLog /var/log/apache2/ssl_request_log   ssl_combined

    </VirtualHost>

    </IfDefine>
    </IfDefine>
    
    

    ——————— vhost-file end ———————–

    Save the your_favorite_ssl_ssite_name.conf file.

  11. Open the file httpd.conf under “/etc/apache2” and add at the end of the file:
    SSLPassPhraseDialog exec:/path/to/passphrase-file

  12. Create the passphrase-file in your chosen path and enter the following lines:
    #!/bin/sh
    echo "passphrase"

    For the passphrase, insert the passphrase you chose in step 3. Save the file and make it executable with the command “chmod +x passphrase-file”. Test whether the file delivers the passphrase. You can do this with the command “./passphrase-file”.

  13. Restart apache2 with the command “rcapache2 restart”.

    Normally you should now be able to open your website over SSL in your browser. If you want to access your secure website from outside the hosting server ( ;o) ), remember to open port 443 on the firewall… ;o)
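
As an added example (not part of the original article and not SUSE tooling), the following script checks two things the steps above leave open before the restart: whether the private key and the cleartext passphrase script are readable by other local users (“chmod +x” on a file created with the usual umask leaves it world-readable), and whether the vendor's certificate really belongs to the key from step 3. The function names are illustrative, and the three paths are passed as arguments.

```sh
#!/bin/sh
# Added example (not from the original article): checks to run before
# "rcapache2 restart". All three paths are arguments; none are fixed here.

# True only if group and others have no permission bits on FILE.
mode_is_private() {
    perms=$(ls -ldL "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# True only if CERT carries the public key of KEY. The passphrase is piped
# from the step-12 script to openssl on stdin, so it never appears in the
# process list. Call the script with a path (./passphrase-file or absolute).
key_matches_cert() {   # usage: key_matches_cert KEY CERT PASSPHRASE_SCRIPT
    key_mod=$("$3" | openssl rsa -noout -modulus -in "$1" -passin stdin 2>/dev/null) || return 2
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# Prints one WARN line per problem; the return value is the problem count.
check_ssl_files() {    # usage: check_ssl_files KEY CERT PASSPHRASE_SCRIPT
    problems=0
    for f in "$1" "$3"; do
        if ! mode_is_private "$f"; then
            echo "WARN: $f is accessible to group or others"
            problems=$((problems + 1))
        fi
    done
    if ! key_matches_cert "$1" "$2" "$3"; then
        echo "WARN: $2 does not match $1, or a file/passphrase is unusable"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run the checks when called as: sh check.sh KEY CERT PASSPHRASE_SCRIPT
if [ "$#" -eq 3 ]; then
    check_ssl_files "$@"
fi
```

With both files owned by root, “chmod 600” on the key and “chmod 700” on the passphrase script satisfy the permission check; Apache runs the SSLPassPhraseDialog program at startup, while it is still running as root.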

Categories: SUSE Linux Enterprise Server, Technical Solutions

Disclaimer: As with everything else at SUSE Conversations, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up).  It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.
