

Creating a Key and Certificate


For ApacheSSL to operate, it needs to be configured with a private key and a certificate. ApacheSSL comes with a script that runs the openssl utility to create a key and a self-signed certificate. This is the easiest way to get started. Once the key and certificate have been created, the Apache configuration must be told where to find them. Again, the version of Apache and the patch applied are assumed to be Version 1.3.19; if a different version is used, the directory names in the following steps need to be changed to match that version number.

  1. Create the key and signed certificate.

    % cd /usr/local/apache_1.3.19/src
    % make certificate
    
  2. The make certificate script asks for several fields including country, state, organization name, and the machine hostname encoded into the certificate. The script produces a file that contains both the private key and the signed certificate:

    /usr/local/apache_1.3.19/SSLconf/conf/httpsd.pem
    
    
  3. After logging in as the root user, copy the key and certificate file into the Apache installation:

    % cd /usr/local/apache_1.3.19/SSLconf/conf
    % cp httpsd.pem /usr/local/apache/conf/default.pem
    
  4. Modify the httpsd.conf file with a text editor so that PHP files are processed by the PHP scripting engine. The configuration file is found in the directory /usr/local/apache/conf/. Remove the initial # character from the following line:

    AddType application/x-httpd-php .php
    
    
  5. Modify the httpsd.conf file by changing the Port from 80 to the secure web server port 443:

    Port 443
    
    
  6. Add the following lines to the end of the httpsd.conf file:

    #
    # SSL Parameters
    #
    SSLCACertificateFile /usr/local/apache/conf/default.pem
    SSLCertificateFile /usr/local/apache/conf/default.pem
    SSLCacheServerPath /usr/local/apache/bin/gcache
    SSLCacheServerPort 18698
    SSLSessionCacheTimeout 3600
    
  7. Start Apache. Unlike a normal Apache installation, ApacheSSL creates an httpsdctl script:

    % /usr/local/apache/bin/httpsdctl start
    
    

    In some cases, this doesn't correctly start Apache. If this happens, use the following alternative commands to explicitly specify the configuration file to use with the secure Apache:

    % cd /usr/local/apache/
    % bin/httpsd -f conf/httpsd.conf
    
  8. A secure Apache is now running and serving requests with SSL on port 443, the default HTTPS port. This can be tested by requesting the resource https://localhost/ with a web browser. The installation process is now complete.

When a resource such as https://localhost/ is requested with a browser, the browser alerts the user to an unknown certificate, because the certificate is self-signed. To obtain a certificate that will be trusted by users, the openssl utility needs to be run to create a private key and a certificate request. The certificate request is then sent to a Certification Authority to be signed with the authority's own certificate. There is a fee for this service. While the Apache configuration allows both the key and the certificate to be placed in a single file, the private key should not be sent to anyone, not even the Certification Authority.

If a trusted certificate is required, consult the OpenSSL documentation that describes how to create keys and Certificate Signing Requests. This documentation can be found at http://www.openssl.org/docs/apps/openssl.html.
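The following shell script is an added example and is not code from the book or from ApacheSSL. It collects steps 4 to 6 into one idempotent function that can be re-run safely on httpsd.conf, checks that the file produced in step 2 really holds both a private key and a certificate before it is copied into place, and, for the Certification Authority route described above, checks that the file handed to the authority carries no private key. The httpsd.conf and httpsd.pem contents it works on are constructed samples; the function names are my own; the openssl req invocation is the standard OpenSSL command-line form and is only run when openssl is installed.

```shell
#!/bin/sh
# Added example, not code from the book or from ApacheSSL: automates the
# httpsd.conf edits of steps 4-6 and checks the PEM layout from step 2.
# Paths are parameters; the defaults in the SSL block mirror the book's
# /usr/local/apache layout. All sample inputs below are constructed.

# Steps 4-6 as one idempotent function on the given httpsd.conf:
#  - remove the leading '#' from the PHP AddType line (step 4)
#  - change "Port 80" to "Port 443" (step 5)
#  - append the SSL Parameters block, but only if it is not there yet (step 6)
apachessl_configure_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such config file: $conf" >&2; return 1; }
    sed -e 's/^#[[:space:]]*\(AddType application\/x-httpd-php \.php\)/\1/' \
        -e 's/^Port 80[[:space:]]*$/Port 443/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
    if ! grep -q '^SSLCertificateFile' "$conf"; then
        cat >> "$conf" <<'EOF'
#
# SSL Parameters
#
SSLCACertificateFile /usr/local/apache/conf/default.pem
SSLCertificateFile /usr/local/apache/conf/default.pem
SSLCacheServerPath /usr/local/apache/bin/gcache
SSLCacheServerPort 18698
SSLSessionCacheTimeout 3600
EOF
    fi
}

# Step 2 yields one file holding both key and certificate. Confirm both PEM
# blocks are present before copying it to conf/default.pem (exit 0 = ok).
pem_has_key_and_cert() {
    grep -q -- '-----BEGIN.*PRIVATE KEY-----' "$1" \
        && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Whatever is sent to a Certification Authority (the request) must not carry
# the private key. Exit 0 when no private-key block is found in the file.
file_has_no_private_key() {
    ! grep -q -- 'PRIVATE KEY-----' "$1"
}

# --- demo on constructed inputs in a scratch directory -----------------------
work=$(mktemp -d)
printf '#AddType application/x-httpd-php .php\nPort 80\n' > "$work/httpsd.conf"
apachessl_configure_conf "$work/httpsd.conf"
apachessl_configure_conf "$work/httpsd.conf"   # second run changes nothing
grep -n -e 'AddType' -e '^Port' -e '^SSL' "$work/httpsd.conf"

# Constructed stand-in for SSLconf/conf/httpsd.pem (not a real key or cert).
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
    '-----END RSA PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' \
    'PLACEHOLDER' '-----END CERTIFICATE-----' > "$work/httpsd.pem"
pem_has_key_and_cert "$work/httpsd.pem" && echo "httpsd.pem: key and certificate present"

# Optional: a real key and certificate request with the openssl CLI, the
# route the text points to for a CA-signed certificate. Only server.csr
# leaves the machine; server.key stays in the Apache conf directory.
if command -v openssl >/dev/null 2>&1; then
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=localhost' \
        -keyout "$work/server.key" -out "$work/server.csr" 2>/dev/null
    file_has_no_private_key "$work/server.csr" && echo "server.csr: contains no private key"
    file_has_no_private_key "$work/server.key" || echo "server.key: private key, keep it on the server"
fi
rm -rf "$work"
```

The sed edits are written to a temporary file and moved into place rather than using sed -i, so they behave the same on BSD and GNU systems; the grep guard before the here-document is what makes a second run of the function harmless.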

