Installing Apache with mod_ssl

This was written using Apache 1.3.12 & mod_ssl 2.6.2 as a reference

Building Apache with mod_ssl

To start with, you will need Apache and mod_ssl. The mod_ssl package is an Apache module that allows you to serve SSL encrypted web pages. Note that mod_ssl is tied to particular versions of Apache. Make sure you grab the right one for your version. Installing Apache with mod_ssl is pretty painless. If you've gotten this far you can handle it. You must first configure Apache; don't bother configuring it the way you want. This is just to get the necessary files created for mod_ssl to do it's configuration.

When you run the configure for mod_ssl, you include Apache options, the path to your OpenSSL installation, and to Apache. Example:

./configure --prefix=/opt/apache --enable-module=info --enable-shared=max \
	--with-ssl=/usr/local/ssl --with-apache=/home/scottm/src/apache-1.3.12
This will configure mod_ssl, apply needed patches to Apache, configure mod_ssl and configure Apache. Then you go back to your Apache directory and run make.

Certificate options...

At the end of a make, you will see a message regarding making certificates. If you wish to make another CA, you can follow the instructions here. Indeed, if you are not dealing with stunnel this may be the simplest way to get things running. Note that if you follow this path you want to use the RSA signature algorithm, as most browsers currently available (such as IE and Netscape) only speak RSA and do not yet support DSA. If you do this you will get a no shared ciphers error. The reason I do not suggest this method is that you will end up with a different CA for your other certificates, which IMO is bad form. From a functionality point of view, it doesn't really make a difference. If you intend the service to be publicly accessed, you'll want to have your certificates signed by a well known CA.

If you make your own certificate you should copy it to your <apache_prefix>/conf/ssl.crt/ directory as server.crt or change the SSLCertificateFile in the httpd.conf to reference it. Also, if you've concatenated the key with the pem file as described earlier you will need to comment out SSLCertificateChainFile or you will get a key values mismatch error.


The defaults are mostly acceptable. There are a couple things you might need to change right away that are specific to the mod_ssl module. Listen, which controls the ports the server listens to when running SSL. The defaults are 8080 and 8443. In the <VirtualHost _default_:8443> section, your ServerName must match the common name that the server is using. The port number should also match the port you set in Listen. It's also important to note that you can not use name based virtual hosts with SSL. Each SSL server must be bound to its own IP or port number.

Party time

To the Apache server with SSL active, use apachectl startssl. You still can use apachectl start to start Apache without SSL support. Test your server, accept the certificate (unless you are using a certificate signed by a well known authority, you will be asked if you want to accept the certificate), and you should be using an encrypted transport for your web access.

To debug SSL server related problems, the default log file is <apache prefix>/logs/ssl_engine_log.

Back to main page
Valid HTML 4.0!