SUSE Conversations

Apache2 with official SSL certificate

By: geissler

April 11, 2011 11:22 am





The goal:

On a SLES 11 server, run Apache2 with an official SSL certificate.

The way:

First make sure that all required modules and programs are installed (e.g. Apache2, OpenSSL, and so on).

  1. Start YaST and set up a web site. Take care that under “Server Modules” SSL is set to active. Don’t set up a virtual host. Close YaST by clicking Finish. Attention! After this step never touch YaST again for any configuration of the Apache2 server: YaST writes these files itself and would overwrite your hand-made changes. From this point on all configuration is done by hand… ;o)
  2. Open a shell and become root with the command “su”. Create a working directory with “mkdir ca” in a location of your choice (e.g. under /tmp). Because the private key will be created in this directory, set a restrictive umask first (“umask 077”) so that nobody else can read the files you create there. Change into the directory with “cd ca”.
  3. Create a private key for your Apache2 server with the following command (yourdomain.key is a placeholder; use your own file name, and keep it for the later steps):
    $ openssl genrsa -des3 -out yourdomain.key 2048

    Attention! You will be asked for a passphrase. Remember the passphrase you entered and take care that you don’t lose it! (-des3 is what the original procedure uses; -aes256 gives the key file stronger encryption and is accepted by Apache in the same way.)

  4. Create a certificate signing request (csr file) with the following command (again with your own file names in place of yourdomain.key and yourdomain.csr):
    $ openssl req -new -key yourdomain.key -out yourdomain.csr

    Attention! You will be asked some questions while the csr file is being created. Under “Common Name” enter the fully qualified host name of your web site, exactly as clients will type it into the browser, e.g.: Common Name (eg, YOUR name) []:www.yourdomain.com

  5. With the content of the created csr file you can obtain an official certificate. For this step you have to go to a certification authority such as VeriSign, thawte, GeoTrust, RapidSSL, and so on. Please check on the vendor’s website for the procedure to get your own certificate.
  6. After finishing all formalities with your chosen vendor you (usually) get two certificates back: your own server certificate and the vendor’s intermediate CA certificate. Sometimes you have to download the intermediate certificate separately; please heed the information of your chosen vendor. Browsers need the intermediate to build the chain from your certificate up to a trusted root, so do not skip it.
  7. Now you have three files: yourdomain.crt (the official certificate from your chosen vendor), yourdomain.key (you created this under step 3) and the intermediate.crt file.
  8. Copy yourdomain.crt to the path /etc/apache2/ssl.crt, copy yourdomain.key to the path /etc/apache2/ssl.key, and copy intermediate.crt to the path /etc/apache2/ssl.crt. Make sure the key file is readable by root only (“chmod 600 /etc/apache2/ssl.key/yourdomain.key”).
  9. Now change to the directory vhosts.d in the apache2 directory (/etc/apache2/vhosts.d).

    Enter the command:

    cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/your_favorite_ssl_site_name.conf
  10. Open your your_favorite_ssl_site_name.conf file with vi, or your favorite editor (remember you need to have root rights!), and change it until the directives look like the following example (surely you have to change the file names and the domain name to your chosen names ;o) ). Please also notice that in this example all comment lines of the template have been left out… ;o)

    ——————— vhost-file start ———————–

    <IfDefine SSL>
    <IfDefine !NOSSL>
    <VirtualHost _default_:443>
            DocumentRoot "/srv/www/htdocs"
            ServerName www.yourdomain.com:443
            ErrorLog /var/log/apache2/error_log
            TransferLog /var/log/apache2/access_log
            SSLProtocol all -SSLv2 -SSLv3
            SSLEngine on
            SSLCipherSuite HIGH:!aNULL:!MD5
            SSLCertificateFile /etc/apache2/ssl.crt/yourdomain.crt
            SSLCertificateKeyFile /etc/apache2/ssl.key/yourdomain.key
            SSLCertificateChainFile /etc/apache2/ssl.crt/intermediate.crt
            <Files ~ "\.(cgi|shtml|phtml|php3?)$">
                SSLOptions +StdEnvVars
            </Files>
            <Directory "/srv/www/cgi-bin">
                SSLOptions +StdEnvVars
            </Directory>
            SetEnvIf User-Agent ".*MSIE.*" \
                     nokeepalive ssl-unclean-shutdown \
                     downgrade-1.0 force-response-1.0
            CustomLog /var/log/apache2/ssl_request_log   ssl_combined
    </VirtualHost>
    </IfDefine>
    </IfDefine>

    ——————— vhost-file end ———————–

    Notes on this file: the <VirtualHost _default_:443> block and the closing </Files>, </Directory>, </VirtualHost> and </IfDefine> lines are mandatory; Apache refuses to start if a section is left open. ServerName should carry the same host name as the Common Name of your certificate. SSLProtocol disables SSLv3 as well as SSLv2, since both are broken and no current browser needs them. The cipher list drops the “MEDIUM” suites of the original and excludes anonymous (unauthenticated) key exchange and MD5; add MEDIUM back only if you really must serve very old clients.

    Save the your_favorite_ssl_site_name.conf file.

  11. Open the file httpd.conf under /etc/apache2 and enter at the end of the file (if /etc/apache2/ssl-global.conf already contains a SSLPassPhraseDialog line, change it there instead of adding a second one):
    SSLPassPhraseDialog exec:/path/to/passphrase-file
  12. Create the passphrase-file in your chosen path with the following two lines:
    #!/bin/sh
    echo "passphrase"

    For the passphrase insert the passphrase you chose under step 3. The first line is needed because Apache executes the file directly. Save the file and make it executable, and readable by root only, with the command “chmod 700 passphrase-file”. Test whether the file delivers the passphrase; you can do this with the command “./passphrase-file”. Attention! The passphrase is now stored in clear text on the server, so the encryption of the key file only protects against someone who copies the key file alone; protecting both files with root-only permissions is what really keeps the key private.

  13. Check the configuration with “apache2ctl -t” (it must report “Syntax OK”) and then restart apache2 with the command “rcapache2 restart”. If Apache starts but does not listen on port 443, check that “SSL” is contained in APACHE_SERVER_FLAGS in /etc/sysconfig/apache2; otherwise the <IfDefine SSL> block is silently skipped.

    Normally you should now be able to open your website over SSL in your browser. A quick check from another host is “openssl s_client -connect www.yourdomain.com:443 -showcerts”: the output must list your certificate followed by the intermediate, and end with “Verify return code: 0 (ok)”; a return code complaining about an unknown issuer means the intermediate is missing. If you want to access your secure website from outside the hosting server ( ;o) ) remember to open port 443 on the firewall (on SLES e.g. by adding 443 to FW_SERVICES_EXT_TCP in /etc/sysconfig/SuSEfirewall2 and running “rcSuSEfirewall2 restart”)… ;o)
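As an added worked example, not code from the original article, the whole procedure above as a shell script that runs offline: steps 3 and 4 driven non-interactively, a throw-away local root and intermediate CA standing in for the commercial vendor of steps 5 and 6, the checks worth running on the three resulting files before step 8, and the passphrase-file of step 12 together with the test that it really unlocks the key. The directory $WORK, the names yourdomain.*, the passphrase, the certificate subjects and the default install path under $WORK are assumptions made for this example; for a real installation replace fake_ca_sign with the files your vendor sends you, run as root and set APACHE_ETC=/etc/apache2.

```shell
#!/bin/sh
# Added example, not from the original article. Names under $WORK, "yourdomain.*",
# the passphrase and the certificate subjects are assumptions for this example.
set -eu

WORK=${WORK:-$(mktemp -d)}
DOMAIN=${DOMAIN:-www.example.com}              # goes into the CSR's Common Name (step 4)
PASS=${PASS:-correct-horse-battery-staple}     # key passphrase (step 3); no single quotes
APACHE_ETC=${APACHE_ETC:-$WORK/etc/apache2}    # set to /etc/apache2 (as root) for a real install

# Step 3: passphrase-protected key. -aes256 rather than the article's -des3,
# -passout instead of the interactive prompt.
make_key() {
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/yourdomain.key" 2048
}

# Step 4: the CSR; -subj answers the questions, CN is the site's host name.
make_csr() {
    openssl req -new -key "$WORK/yourdomain.key" -passin "pass:$PASS" \
        -subj "/O=Example Org/CN=$DOMAIN" -out "$WORK/yourdomain.csr"
}

# Stand-in for steps 5/6: a local root and an intermediate CA, the intermediate
# signs the CSR. A real vendor does this and hands back yourdomain.crt + intermediate.crt.
fake_ca_sign() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$DOMAIN" > "$WORK/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
        -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr"
    openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 30 \
        -extfile "$WORK/ca.ext" -out "$WORK/intermediate.crt"
    openssl x509 -req -in "$WORK/yourdomain.csr" -CA "$WORK/intermediate.crt" \
        -CAkey "$WORK/intermediate.key" -CAcreateserial -days 30 \
        -extfile "$WORK/leaf.ext" -out "$WORK/yourdomain.crt"
}

# Checks before step 8: the certificate must belong to the key, must chain
# through the intermediate, and must carry the name clients will ask for.
check_key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$WORK/yourdomain.crt" | openssl md5)
    k=$(openssl rsa -noout -modulus -in "$WORK/yourdomain.key" -passin "pass:$PASS" | openssl md5)
    [ "$c" = "$k" ]
}
check_chain() {
    # With a vendor certificate drop -CAfile and let the system trust store verify.
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/intermediate.crt" "$WORK/yourdomain.crt"
}
check_name() {
    openssl x509 -noout -text -in "$WORK/yourdomain.crt" | grep -q "DNS:$DOMAIN"
}

# Step 8: the three files, key readable by root only.
install_files() {
    mkdir -p "$APACHE_ETC/ssl.crt" "$APACHE_ETC/ssl.key"
    cp "$WORK/yourdomain.crt" "$WORK/intermediate.crt" "$APACHE_ETC/ssl.crt/"
    cp "$WORK/yourdomain.key" "$APACHE_ETC/ssl.key/"
    chmod 600 "$APACHE_ETC/ssl.key/yourdomain.key"
}

# Step 12: the exec: helper for SSLPassPhraseDialog. It holds the passphrase in
# clear, so it is root-only, and it needs a shebang because Apache execs it directly.
make_passphrase_file() {
    { echo '#!/bin/sh'; echo "echo '$PASS'"; } > "$APACHE_ETC/passphrase-file"
    chmod 700 "$APACHE_ETC/passphrase-file"
}
# "Test whether the file delivers the passphrase": it must actually unlock the key.
check_passphrase_file() {
    openssl rsa -noout -in "$APACHE_ETC/ssl.key/yourdomain.key" \
        -passin "pass:$("$APACHE_ETC/passphrase-file")"
}

make_key && make_csr && fake_ca_sign
check_key_matches_cert && check_chain && check_name
install_files && make_passphrase_file && check_passphrase_file
echo "all checks passed; files installed under $APACHE_ETC"
```

The key/certificate modulus comparison catches the most common cause of “rcapache2 restart” failing after a certificate renewal (a certificate that was issued for a different key); the chain check and the DNS name check catch the other two: a missing intermediate and a certificate issued for a name that is not the one in ServerName. The script leaves its working directory behind on purpose so the generated files can be inspected.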


Categories: SUSE Linux Enterprise Server, Technical Solutions

Disclaimer: As with everything else at SUSE Conversations, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up).  It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.