Installing Apache with mod_ssl

This was written using Apache 1.3.12 & mod_ssl 2.6.2 as a reference

Building Apache with mod_ssl

To start with, you will need Apache and mod_ssl. The mod_ssl package is an Apache module that lets Apache serve SSL-encrypted web pages. Note that mod_ssl is tied to particular versions of Apache (the tarball is named for the Apache release it patches, e.g. mod_ssl-2.6.2-1.3.12), so make sure you grab the one matching your version. Installing Apache with mod_ssl is pretty painless; if you've gotten this far you can handle it. You must first configure Apache, but don't bother configuring it the way you actually want it yet: this pass only creates the files mod_ssl needs in order to do its own configuration.

When you run the configure for mod_ssl, you include the Apache options you want, the path to your OpenSSL installation, and the path to the Apache source tree. Example:

./configure --prefix=/opt/apache --enable-module=info --enable-shared=max \
        --with-ssl=/usr/local/ssl --with-apache=/home/scottm/src/apache-1.3.12

This configures mod_ssl, applies the patches mod_ssl needs to the Apache source tree, and then configures Apache with the options given. Then you go back to your Apache directory and run make.

Certificate options...

At the end of the make, you will see a message about making certificates. If you wish to make another CA, you can follow the instructions it gives; indeed, if you are not also dealing with stunnel, this may be the simplest way to get things running. If you go this route, use the RSA signature algorithm: most browsers currently available (such as IE and Netscape) only speak RSA and do not yet support DSA, and a DSA-only server certificate leaves such a browser with no cipher suite in common, which shows up as a "no shared ciphers" error. The reason I do not suggest this method is that you end up with a different CA for your other certificates, which IMO is bad form. From a functionality point of view, it doesn't really make a difference. If you intend the service to be publicly accessed, you'll want to have your certificates signed by a well-known CA.

If you make your own certificate, copy it to your <apache_prefix>/conf/ssl.crt/ directory as server.crt, or change SSLCertificateFile in httpd.conf to reference it. Also, if you've concatenated the key with the pem file as described earlier, you will need to comment out SSLCertificateKeyFile: that directive would otherwise load the old server.key, which does not belong to the new certificate, and mod_ssl refuses to start with a "key values mismatch" error.
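As an added example (not from the original page), the following shell script does the certificate work described above with the openssl command-line tool: it creates a small private CA, issues an RSA server certificate signed by it, and checks that the key and certificate belong together before anything is copied into the Apache tree, so the "key values mismatch" error is caught at the shell prompt rather than at apachectl startssl. The prefix /opt/apache, the hostname www.example.com and the conf/ssl.crt and conf/ssl.key layout are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not part of the original page: make a private CA and an
# RSA server certificate, then verify key/certificate consistency before
# installing them where mod_ssl's default httpd.conf looks for them.
# Assumptions: APACHE_PREFIX defaults to /opt/apache (the --prefix used on
# this page); www.example.com is a placeholder common name.
set -e

APACHE_PREFIX="${APACHE_PREFIX:-/opt/apache}"
WORK="${WORK:-$(mktemp -d)}"
CN="${CN:-www.example.com}"

# CA key and self-signed CA certificate. RSA throughout: the browsers this
# page is written for do not speak DSA.
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/ca.key" -out "$WORK/ca.crt" \
        -days 3650 -subj "/O=Example CA/CN=Example Root CA" 2>/dev/null
}

# Server key, a CSR whose CN is the intended ServerName, and a certificate
# signed by the CA above.
make_server_cert() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/O=Example/CN=$CN" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" \
        -days 365 2>/dev/null
}

# Succeed only when the RSA modulus in the certificate equals the modulus
# in the private key; a mismatch here is what mod_ssl reports at startup
# as "key values mismatch".
key_matches_cert() {
    key="$1"; crt="$2"
    kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    cmod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Print the CN of a certificate, for comparison with ServerName.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null \
        | sed 's/^subject=//; s/.*CN=\([^,]*\).*/\1/'
}

# Copy into the mod_ssl layout: certificates under conf/ssl.crt, the key
# under conf/ssl.key, readable by the server user only.
install_certs() {
    prefix="$1"
    mkdir -p "$prefix/conf/ssl.crt" "$prefix/conf/ssl.key"
    cp "$WORK/server.crt" "$prefix/conf/ssl.crt/server.crt"
    cp "$WORK/ca.crt"     "$prefix/conf/ssl.crt/ca.crt"
    cp "$WORK/server.key" "$prefix/conf/ssl.key/server.key"
    chmod 600 "$prefix/conf/ssl.key/server.key"
}

make_ca
make_server_cert
key_matches_cert "$WORK/server.key" "$WORK/server.crt" \
    || { echo "server.key does not match server.crt" >&2; exit 1; }
echo "server certificate CN: $(cert_cn "$WORK/server.crt")"
if [ -d "$APACHE_PREFIX" ] && [ -w "$APACHE_PREFIX" ]; then
    install_certs "$APACHE_PREFIX"
else
    echo "files left in $WORK; run install_certs $APACHE_PREFIX as a user who can write there"
fi
```

Keeping the key in its own file and pointing SSLCertificateKeyFile at conf/ssl.key/server.key avoids the concatenation problem entirely; the modulus comparison is the same check to run whenever you swap in a certificate from an outside CA.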

Configuration

The defaults are mostly acceptable. There are a couple of things you might need to change right away that are specific to the mod_ssl module. Listen controls the ports the server listens on when running with SSL; the defaults in this build are 8080 and 8443. In the <VirtualHost _default_:8443> section, ServerName must match the common name (CN) of the server certificate, and the port number must match one you set with Listen. It's also important to note that you cannot use name-based virtual hosts with SSL: the server has to pick a certificate during the SSL handshake, before it has seen the Host header, so each SSL server must be bound to its own IP address or port number.
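As an added example (not from the original page), this shell script checks an httpd.conf fragment for the three points just made: every SSL virtual host's ServerName equals the certificate's common name, its port appears in a Listen directive, and no two SSL virtual hosts share an address:port pair. The fragment it writes is constructed sample input using the 8080/8443 defaults and the placeholder www.example.com; the expected CN is passed in by hand (for instance from openssl x509 -noout -subject -in server.crt). Directive and file names follow mod_ssl's defaults; the /opt/apache paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check the SSL virtual
# host configuration before running apachectl startssl.
set -e

# Constructed sample httpd.conf fragment (assumed paths under /opt/apache).
CONF="${CONF:-$(mktemp)}"
cat > "$CONF" <<'EOF'
Listen 8080
Listen 8443

<VirtualHost _default_:8443>
    ServerName www.example.com
    DocumentRoot /opt/apache/htdocs
    SSLEngine on
    SSLCertificateFile    /opt/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /opt/apache/conf/ssl.key/server.key
</VirtualHost>
EOF

# Print the port of every Listen directive ("Listen 8443" or "Listen ip:8443").
listen_ports() {
    awk 'tolower($1) == "listen" { n = split($2, a, ":"); print a[n] }' "$1"
}

# Print "addr:port servername" for each <VirtualHost> that has SSLEngine on.
ssl_vhosts() {
    awk '
        tolower($1) == "<virtualhost"   { spec = $2; sub(/>$/, "", spec); name = ""; ssl = 0 }
        tolower($1) == "servername"     { name = $2; sub(/:.*/, "", name) }
        tolower($1) == "sslengine"      { ssl = (tolower($2) == "on") }
        tolower($1) == "</virtualhost>" { if (ssl) print spec, name }
    ' "$1"
}

# Return 0 when every SSL vhost is consistent with the Listen set, the
# certificate CN, and the one-SSL-host-per-address:port rule; otherwise
# print each problem and return 1.
check_ssl_vhosts() {
    conf="$1"; cn="$2"; rc=0
    ports=" $(listen_ports "$conf" | tr '\n' ' ')"
    seen=" "
    vhosts=$(ssl_vhosts "$conf")
    while read -r spec name; do
        [ -z "$spec" ] && continue
        port="${spec##*:}"
        case "$ports" in
            *" $port "*) ;;
            *) echo "$spec: port $port has no matching Listen directive"; rc=1 ;;
        esac
        [ "$name" = "$cn" ] \
            || { echo "$spec: ServerName '$name' does not match certificate CN '$cn'"; rc=1; }
        case "$seen" in
            *" $spec "*) echo "$spec: second SSL virtual host on the same address and port; SSL hosts need their own IP or port"; rc=1 ;;
        esac
        seen="$seen$spec "
    done <<EOF
$vhosts
EOF
    return $rc
}

if check_ssl_vhosts "$CONF" www.example.com; then
    echo "SSL virtual host configuration looks consistent"
else
    echo "fix httpd.conf before apachectl startssl" >&2
fi
```

The address:port uniqueness test is what enforces the no-name-based-hosts rule: a second SSL host on the same pair can only be distinguished by Host header, which arrives after the certificate has already been chosen.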

Party time

To start the Apache server with SSL active, use apachectl startssl. You can still use apachectl start to run Apache without SSL support. Test your server and accept the certificate (unless you are using a certificate signed by a well-known authority, the browser will ask whether you want to accept it), and you should be using an encrypted transport for your web access.

To debug SSL server related problems, the default log file is <apache prefix>/logs/ssl_engine_log (set by the SSLLog directive); raising SSLLogLevel, for example to debug, gives more detail on handshake and certificate problems.

scottm@octaldream.com