Originally Published: Thursday, 31 May 2001
Author: Michael Sharp
Published to: develop_articles_tutorials/Development Tutorials

Installing Apache with SSL

Linux.com contributor Michael Sharp steps us through installing the world's leading web server, Apache, with SSL support.

This article outlines the steps for installing the Apache Web Server using the latest SSL technology.

Installation of Apache and SSL (requires OpenSSL, openssl-0.9.5a or better: www.openssl.com).

  1. Download the latest Apache Webserver from: http://httpd.apache.org/dist/httpd/apache_1.3.19.tar.gz
  2. tar zxvf apache_1.3.19.tar.gz
  3. Download the latest apache+ssl source from: ftp://opensores.thebunker.net/pub/mirrors/apachessl/apache_1.3.9+ssl_1.42.tar.gz
  4. mv apache_1.3.9+ssl_1.42.tar.gz apache_1.3.19 ; cd apache_1.3.19
  5. tar zxvf apache_1.3.9+ssl_1.42.tar.gz
  6. Run the executable: ./FixPatch
  7. ./configure --prefix=/usr/local/apache (run ./configure --help to see other configure-time options as needed)
  8. make
  9. su
  10. make install
  11. ln -s /usr/local/apache/conf/httpsd.conf /usr/local/apache/conf/httpd.conf
  12. cd /usr/local/apache ; mkdir certs
  13. cd certs
  14. openssl genrsa -des3 -out ssl.key 1024

    Remember the PEM password you choose! This command will create ssl.key.

  15. At this point, you are going to create a self-signed certificate for your site. If you will be using a CA (Certifying Authority) certificate, please review http://www.linuxdoc.org/HOWTO/SSL-RedHat-HOWTO-3.html#ss3.2

    What is very important to remember in creating the ssl.crt file is deciding "what is the URL people enter to come to my web site?". For example, if you own blah.com, and you define blah.com when creating ssl.crt, then people who access your site via www.blah.com will get a "Certificate Name Check" warning that might scare them away because it sounds ominous. People who access your site via https://blah.com will not get this warning. However you choose to name your server, that is how you must define ServerName in the <VirtualHost> section below.

  16. openssl req -new -key ssl.key -x509 -days 365 -out ssl.crt

    Enter your PEM password; this will create ssl.crt. -days 365 means you will have to do steps 14 & 16 again in 365 days.

    This is the information you will be presented with when issuing this command:

    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:South Carolina
    Locality Name (eg, city) []:West Columbia
    Organization Name (eg,company) [Internet Widgits Pty Ltd]:Michael Sharp
    Organizational Unit Name (eg, section) []:Secure Web Server
    Common Name (eg, your name or your server's hostname) []:reality.dynip.com
    Email Address []:msharp@medmail.com

    The Common Name portion is where you define what I was talking about in 15.

  17. Edit /usr/local/apache/conf/httpsd.conf and at the bottom, under <VirtualHost>, add this:

    <VirtualHost your IP or domain name:443> EXAMPLE: <VirtualHost>

    SSLCacheServerPort logs/gcache_port
    SSLCacheServerPath bin/gcache
    SSLSessionCacheTimeout 10
    SSLVerifyClient 0
    SSLVerifyDepth 10
    SSLCacheServerRunDir /tmp
    SSLRandomFile /dev/random 1024
    DocumentRoot /usr/local/apache/htdocs
    ServerName www.CHANGE-THIS.com
    ErrorLog /usr/local/apache/logs/httpsd_error.log
    TransferLog /usr/local/apache/logs/httpsd_access.log
    SSLEnable
    SSLCertificateFile /usr/local/apache/certs/ssl.crt
    SSLCertificateKeyFile /usr/local/apache/certs/ssl.key
    </VirtualHost>

    You must also comment out DocumentRoot, ServerName, ServerAdmin, ErrorLog, and TransferLog in the Main Server configuration.

    Where you see:

    # Port: The port to which the standalone server listens. For
    # ports < 1023, you will need httpd to be run as root initially.
    Port 8080

    change 8080 to 443.

    Add any other configuration variables to the httpsd.conf file per your needs.

  18. Start the server:

    /usr/local/apache/bin/httpsdctl start

    You will have to enter your PEM password to start the web server! Don't panic if it doesn't start immediately; give it a few moments.

  19. Visit https://YOUR-WEB-SITE to check that you were successful.

  20. Now add your content to /usr/local/apache/htdocs

    You're done!
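
The Common Name check described above, and the certificate lifetime set with -days, can be verified from the shell before visitors see a warning. The script below is an added example, not part of the original article or of Apache-SSL; it assumes an openssl binary on the PATH, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: audit the SSL <VirtualHost> against the certificate.
# Function names are hypothetical; file paths are supplied by the caller.

# Print the Common Name (CN) from a PEM certificate's subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Print each ServerName set inside a <VirtualHost ...:443> block of config $1.
ssl_server_names() {
    awk 'tolower($1) ~ /^<virtualhost/   { in_ssl = ($0 ~ /:443>/) }
         tolower($1) ~ /^<\/virtualhost/ { in_ssl = 0 }
         in_ssl && tolower($1) == "servername" { print $2 }' "$1"
}

# Succeed when host $1 equals CN $2, ignoring case. This is the exact-match
# name check behind the browser warning; wildcard names are not handled.
name_matches() {
    a=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    b=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$a" = "$b" ]
}

# Compare every SSL ServerName in config $1 with the CN of certificate $2 and
# flag a certificate that expires within $3 days (default 30).
# Returns 0 when all checks pass, 1 on a finding, 2 when no CN can be read.
audit_ssl_vhost() {
    conf=$1 cert=$2 days=${3:-30} rc=0
    cn=$(cert_cn "$cert")
    [ -n "$cn" ] || { echo "ERROR: no CN found in $cert"; return 2; }
    for name in $(ssl_server_names "$conf"); do
        if name_matches "$name" "$cn"; then
            echo "OK: ServerName $name matches CN $cn"
        else
            echo "MISMATCH: ServerName $name but certificate CN is $cn"
            rc=1
        fi
    done
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "EXPIRING: $cert expires within $days days"
        rc=1
    fi
    return $rc
}
```

Run it as audit_ssl_vhost /usr/local/apache/conf/httpsd.conf /usr/local/apache/certs/ssl.crt. Current browsers match the host name against the certificate's subjectAltName entries rather than the CN, so this check covers the CN-based behaviour the article describes.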

    Michael Sharp: PGP key at https://reality.dynip.com/michael-sharp.pgp. Employed with Providence Heart Institute in Columbia, SC. Heavily involved in Linux Advocacy and Linux Security.