Implementing SSL Certificates in Apache

Creating a Private Key

To create an RSA private key that is not encrypted with triple DES (that is, without the -des3 option, so Apache can read the key at startup without prompting for a passphrase), use the following command. The original version of this article used a 1024-bit key; 1024-bit RSA is no longer accepted by browsers or public CAs, so use at least 2048 bits:

openssl genrsa -out ssl.key 2048

Because the key is stored in the clear, make the file readable only by the user that starts Apache (normally root) and never place it under the document root.

Creating a Certificate Signing Request

To obtain a certificate signed by a certificate authority, you will need to create a Certificate Signing Request (CSR). The CSR carries your public key and the information that will appear in the certificate (domain name, locality, organization, and so on) and is signed with your private key, so the CA gets everything it needs to issue the certificate without the private key ever leaving your server.

Locate the private key that you would like to create a CSR from. Enter the following command:

openssl req -new -key filename.key -out filename.csr

You will be prompted for Locality information, common name (domain name), organizational information, etc. Check with the CA that you are applying to for information on required fields and invalid entries. Send the CSR to the CA per their instructions.

Wait for your new certificate, or create a self-signed certificate to use until the CA-signed one arrives.

Creating a self-signed certificate is not necessary if you are obtaining a CA-signed certificate, but it is simple: all you need is the private key and the fully qualified domain name of the server you want to secure. You will again be prompted for locality information, common name (domain name), organizational information and so on. The one field that matters for the certificate to function is the server name. Older browsers compared it against the common name; current browsers ignore the common name and require the name in a subjectAltName (SAN) extension, so a self-signed certificate without a SAN, or with the wrong name, produces a certificate name mismatch warning. Browsers will additionally warn that the issuer is untrusted, because nobody but you vouches for a self-signed certificate; that is expected, and it is why a self-signed certificate is only a stopgap.

To create a self-signed certificate, valid for one year and signed with SHA-256 (the -addext option that adds the SAN needs OpenSSL 1.1.1 or later; replace www.somewhere.com with your server name):

openssl req -new -key filename.key -x509 -days 365 -sha256 -addext "subjectAltName=DNS:www.somewhere.com" -out filename.crt
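The whole procedure above (key, CSR, self-signed certificate), as an added example that is not part of the original article. It uses a small OpenSSL config file so that both the CSR and the self-signed certificate carry a subjectAltName, which works on any OpenSSL version, and it checks that the key and certificate actually belong together before they are handed to Apache. The hostname www.example.com, the organisation name and the temporary working directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): private key, CSR and
# self-signed certificate that carry a subjectAltName, plus the checks to
# run before giving them to Apache. Hostname, organisation and the working
# directory are assumptions for the demo.
set -eu

DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"
DEMO_HOST="${DEMO_HOST:-www.example.com}"   # assumed server name (FQDN)

# OpenSSL config used for both the CSR and the self-signed certificate so
# that each carries a SAN; browsers match the hostname against SAN, not CN.
write_conf() {
  cat > "$DEMO_DIR/ssl.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
x509_extensions = v3_req
prompt = no

[dn]
C  = US
O  = Example Org
CN = $DEMO_HOST

[v3_req]
subjectAltName = DNS:$DEMO_HOST
EOF
}

# 2048-bit RSA key with no passphrase (no -des3) so Apache can start
# unattended; umask 077 makes the key file owner-readable only.
make_key() {
  ( umask 077; openssl genrsa -out "$DEMO_DIR/server.key" 2048 2>/dev/null )
  echo "$DEMO_DIR/server.key"
}

# CSR to send to the CA: signed with the private key, which never leaves the host.
make_csr() {
  write_conf
  openssl req -new -key "$DEMO_DIR/server.key" -config "$DEMO_DIR/ssl.cnf" \
    -out "$DEMO_DIR/server.csr"
  echo "$DEMO_DIR/server.csr"
}

# Self-signed certificate to use until the CA's certificate arrives.
make_selfsigned() {
  write_conf
  openssl req -new -x509 -key "$DEMO_DIR/server.key" -config "$DEMO_DIR/ssl.cnf" \
    -days 365 -sha256 -out "$DEMO_DIR/server.crt"
  echo "$DEMO_DIR/server.crt"
}

# Print the SAN line of a CSR (*.csr) or certificate, e.g. "DNS:www.example.com",
# so you can check the name before sending the CSR or deploying the certificate.
san_of() {
  case "$1" in
    *.csr) openssl req  -noout -text -in "$1" ;;
    *)     openssl x509 -noout -text -in "$1" ;;
  esac | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Return 0 when key and certificate share the same RSA modulus; a mismatch
# here is the usual reason Apache refuses to start with a key/certificate error.
key_matches_cert() {
  [ "$(openssl rsa -noout -modulus -in "$1")" = "$(openssl x509 -noout -modulus -in "$2")" ]
}

KEY=$(make_key)
CSR=$(make_csr)
CRT=$(make_selfsigned)
echo "CSR SAN:  $(san_of "$CSR")"
echo "cert SAN: $(san_of "$CRT")"
key_matches_cert "$KEY" "$CRT" && echo "key and certificate match"
```

Run it as-is to get a usable key, CSR and stopgap certificate in the temporary directory; set DEMO_HOST to your own server name and copy server.key and server.crt to the paths named in your Apache configuration.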

Configuring your Apache Server

An example of a secure virtual host (the original listing used 123.456.789.42 as the address, which is not a valid IPv4 address; 192.0.2.42 is from the documentation range and should be replaced with your server's address or with *):

   <VirtualHost 192.0.2.42:443>
   DocumentRoot /etc/httpd/htdocs
   ServerName www.somewhere.com
   ServerAdmin someone@somewhere.com
   ErrorLog /etc/httpd/logs/error_log
   TransferLog /etc/httpd/logs/access_log
   SSLEngine on
   SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
   SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
   # Intermediate CA certificates supplied by your CA, sent to clients together
   # with server.crt (on httpd 2.4.8 and later they may instead be appended to server.crt)
   SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
   <Files ~ "\.(cgi|shtml)$">
         SSLOptions +StdEnvVars
   </Files>
   <Directory "/etc/httpd/cgi-bin">
         SSLOptions +StdEnvVars
   </Directory>
   # Legacy workaround for old Internet Explorer versions; harmless but unnecessary today
   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
   CustomLog /etc/httpd/logs/ssl_request_log \
             "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
   </VirtualHost>

The directives that matter for SSL are SSLEngine on, SSLCertificateFile and SSLCertificateKeyFile, plus SSLCertificateChainFile whenever your certificate was issued by an intermediate CA, which is nearly always the case with public CAs: without the intermediates, a browser that does not already have them cannot build the chain and warns even though the certificate itself is valid. The original listing put the CA bundle in SSLCACertificateFile; that directive lists the CAs trusted to sign client certificates and is only needed when you enable client certificate authentication (SSLVerifyClient), and mod_ssl does not send it to clients as the server's chain. After editing, run apachectl configtest before restarting so a key/certificate mismatch or a bad path is caught before the server goes down.
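To see what the chain bundle is and to check it before reloading Apache, the following added example (not from the original article) builds a toy hierarchy, root CA, then intermediate, then server certificate, assembles the intermediate into ca-bundle.crt the way a CA hands it to you, and verifies with openssl that the server certificate chains to the root only when the bundle is present. The CA names, the hostname www.example.com and the working directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): build a toy CA hierarchy
# root -> intermediate -> server, assemble the intermediate into the chain
# bundle Apache must send, and verify bundle and key/cert pairing before a
# reload. CA names, hostname and the work directory are assumptions.
set -eu

DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"
DEMO_HOST="${DEMO_HOST:-www.example.com}"   # assumed server name

newkey() { ( umask 077; openssl genrsa -out "$1" 2048 2>/dev/null ); }

# Minimal req config (the DN is overridden with -subj) plus extension files:
# CA certificates need CA:TRUE, the server certificate needs a SAN.
write_conf() {
  cat > "$DEMO_DIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$DEMO_DIR/int.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$DEMO_HOST" > "$DEMO_DIR/leaf.ext"
}

build_chain() {
  write_conf
  newkey "$DEMO_DIR/root.key"; newkey "$DEMO_DIR/int.key"; newkey "$DEMO_DIR/server.key"
  # Self-signed root: the trust anchor a browser would already hold.
  openssl req -x509 -new -key "$DEMO_DIR/root.key" -config "$DEMO_DIR/ca.cnf" \
    -subj "/CN=Demo Root CA" -days 3650 -sha256 -out "$DEMO_DIR/root.crt"
  # Intermediate CA, signed by the root.
  openssl req -new -key "$DEMO_DIR/int.key" -config "$DEMO_DIR/ca.cnf" \
    -subj "/CN=Demo Intermediate CA" -out "$DEMO_DIR/int.csr"
  openssl x509 -req -in "$DEMO_DIR/int.csr" -CA "$DEMO_DIR/root.crt" -CAkey "$DEMO_DIR/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$DEMO_DIR/int.ext" -out "$DEMO_DIR/int.crt"
  # Server certificate, signed by the intermediate: what the CA returns for your CSR.
  openssl req -new -key "$DEMO_DIR/server.key" -config "$DEMO_DIR/ca.cnf" \
    -subj "/CN=$DEMO_HOST" -out "$DEMO_DIR/server.csr"
  openssl x509 -req -in "$DEMO_DIR/server.csr" -CA "$DEMO_DIR/int.crt" -CAkey "$DEMO_DIR/int.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$DEMO_DIR/leaf.ext" -out "$DEMO_DIR/server.crt"
  # The bundle for SSLCertificateChainFile: intermediates only, never the root.
  cat "$DEMO_DIR/int.crt" > "$DEMO_DIR/ca-bundle.crt"
}

# Same check a browser makes: the leaf must chain through the bundle to a trusted root.
verify_chain() {
  openssl verify -CAfile "$DEMO_DIR/root.crt" -untrusted "$DEMO_DIR/ca-bundle.crt" \
    "$DEMO_DIR/server.crt" >/dev/null
}

# The leaf alone must NOT verify; this is what a missing chain file looks like to a client.
leaf_alone_fails() {
  ! openssl verify -CAfile "$DEMO_DIR/root.crt" "$DEMO_DIR/server.crt" >/dev/null 2>&1
}

# Return 0 when the private key and certificate share the same RSA modulus.
key_matches_cert() {
  [ "$(openssl rsa -noout -modulus -in "$1")" = "$(openssl x509 -noout -modulus -in "$2")" ]
}

build_chain
verify_chain && echo "server.crt chains to the root via ca-bundle.crt"
leaf_alone_fails && echo "server.crt alone does not verify: the chain file is required"
key_matches_cert "$DEMO_DIR/server.key" "$DEMO_DIR/server.crt" && echo "server.key matches server.crt"
```

With a real CA-issued certificate, run the same openssl verify command with -CAfile pointing at your system trust store (for example /etc/ssl/certs/ca-certificates.crt) and -untrusted pointing at the bundle the CA gave you; if that fails, Apache will serve an incomplete chain and browsers will warn.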

Author: bpeh

Bernard Peh is passionate about web technologies and is one of the co-founders of Sitecritic.net Website Design and Reviews. He works with experienced web designers and developers every day, developing and designing commercial websites. He specialises mainly in SEO and PHP programming.