Setup Apache2 for https

From ThorstensHome
Revision as of 12:23, 4 July 2007 by WikiSysop (Talk)


This article describes how you can secure a webpage running on apache2 with https. You create demo certificates yourself for this. The instructions are for SUSE Linux; for Fedora, I recommend http://www.linux-sxs.org/internet_serving/apache2.html

This article assumes you are running SUSE Linux. It assumes your e-mail address is root@localhost and your server's IP is 10.0.0.1. You may want to replace these. It also assumes you have no more than one virtual server on your apache; the procedure changes the settings of all virtual servers. This article assumes you already have a webpage that can be displayed; it takes http://10.0.0.1 as the example location of your webpage. This article assumes you know about SSL, https and certificates.

  1. Set up your certification authority:

    cd /usr/share/ssl/misc
    ./CA.pl -newca

    Remember the passphrase you give. The common name has to be your server's IP.
    Note:
    To delete a certification authority that has been created accidentally, you can run rm -rf /usr/share/ssl/misc/demoCA

  2. Create a certificate signing request:

    ./CA.pl -newreq

    Again, you have to use your server's IP as the common name. You may leave the challenge password blank.

  3. Sign the CSR:

    ./CA.pl -sign

  4. Copy the files to the right locations:

    cp /usr/share/ssl/misc/newcert.pem /etc/apache2/ssl.crt/server.crt
    cp /usr/share/ssl/misc/newreq.pem /etc/apache2/ssl.key/server.key

  5. Get your SSL configuration from the given template:

    cd /etc/apache2/vhosts.d
    cp vhost-ssl.template vhost-ssl.conf

  6. Change your SSL configuration:
    1. In vhost-ssl.conf, replace

      #ServerName www.example.com:443

      with

      ServerName 10.0.0.1

    2. Replace

      #ServerAdmin webmaster@example.com

      with

      ServerAdmin root@localhost

    3. Replace

      <VirtualHost _default_:443>

      with

      <VirtualHost *:443>

    4. Have apache2 start with SSL by default: edit /etc/sysconfig/apache2 and replace

      APACHE_SERVER_FLAGS=""

      with

      APACHE_SERVER_FLAGS="SSL"

    5. In the same file, change

      APACHE_SERVERNAME=""

      to

      APACHE_SERVERNAME="10.0.0.1"

  7. Enable name-based virtual servers: edit /etc/apache2/listen.conf and replace

    #NameVirtualHost *:80

    with

    NameVirtualHost *:80

  8. Create dummy certificates:

    /usr/bin/gensslcert

  9. Restart apache2:

    /etc/init.d/apache2 restart

  10. Test your configuration: surf to https://10.0.0.1/
    Expected result: The browser complains that it does not know the server's certificate.
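
A check you can run on the installed files before restarting apache2, as an added example that is not part of the original article: it confirms that server.crt verifies against the CA, that server.key belongs to it, that the common name is the server's IP, and that only the owner can read the key. The function names, the throwaway demo PKI and the GNU stat call are assumptions of this example; demoCA/cacert.pem is CA.pl's default CA certificate location.

```shell
#!/bin/sh
# check_pair CERT KEY CA_CERT EXPECTED_CN: returns 0 only if every check passes.
check_pair() {
    cert=$1 key=$2 ca=$3 cn=$4 rc=0

    # 1. The certificate must verify against the CA that is supposed to have signed it.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not verify against $ca"; rc=1; }

    # 2. The private key must belong to the certificate: compare the public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $cert"; rc=1; }

    # 3. The common name must be the address the browser connects to.
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject= *//')
    case ",$subject," in
        *",CN=$cn,"*) ;;
        *) echo "FAIL: common name is not $cn"; rc=1 ;;
    esac

    # 4. Only the owner may read the key file (GNU stat, as found on Linux).
    mode=$(stat -c %a "$key" 2>/dev/null)
    case $mode in
        ?00) ;;
        *) echo "FAIL: $key has mode ${mode:-unknown}, expected 600 or 400"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample data: a throwaway CA and a server certificate for 10.0.0.1,
# with unencrypted keys, written to directory $1.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=10.0.0.1" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null &&
    chmod 600 "$d/server.key"
}

# On the server from the article (assumes CA.pl's default CA certificate path):
# check_pair /etc/apache2/ssl.crt/server.crt /etc/apache2/ssl.key/server.key \
#     /usr/share/ssl/misc/demoCA/cacert.pem 10.0.0.1
```

On the real files, openssl asks for the passphrase of server.key, because CA.pl -newreq writes the key encrypted.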