Setting up Apache and OpenSSL using self signed certificates

This page describes what I needed to do to set up Apache to provide HTTPS connections using OpenSSL. I didn't spend money to get SSL certificates commercially signed. Instead, I self-signed them. This is OK for me, since the people accessing the HTTPS pages I set up are few and local. The method I use was pointed out to me by James Gingerich on the PSU LUG mailing list. An alternative method to generate self-signed certificates can be found here. The system I worked on was basically a stock RedHat 7.2 (so the paths I refer to are those on a RedHat 7.2 installation), so all the software I needed was already installed and I only had to edit the default supplied files. FYI, the versions of the software I used were:

* Apache 1.3.20
* mod_ssl 2.8.4
* OpenSSL 0.9.6b
* RedHat Linux 7.2, kernel 2.4.7-10

The first stage is to create the self-signed certificates.

1. Copy openssl.cnf from /usr/share/ssl to the current directory
2. openssl req -config openssl.cnf -new -out my-server.csr (when it asks for the Common Name, supply the FQDN of your host)
3. openssl rsa -in privkey.pem -out my-server.key
4. openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365
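The four certificate steps above, as an added example script that is not from the original page: it runs the same openssl operations non-interactively (-subj and -nodes replace the prompts, so the key is written without a passphrase, just as step 3 produces) and then checks the result before Apache is pointed at the files. It assumes openssl is on PATH; the output directory and the host name www.example.org are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: the page's certificate steps run
# non-interactively, followed by checks worth doing before Apache uses the files.
# Assumes: openssl on PATH; the directory and host name are placeholders.

# Generate key, CSR and self-signed certificate (page steps 2-4 combined).
# -nodes writes the key without a passphrase, as "openssl rsa" does in step 3,
# so the key file must stay readable by root only (umask 077 in a subshell).
gen_selfsigned() {
    dir="$1"; cn="$2"; days="${3:-365}"
    mkdir -p "$dir" || return 1
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
          -keyout "$dir/my-server.key" -out "$dir/my-server.csr" 2>/dev/null &&
      openssl x509 -req -in "$dir/my-server.csr" -signkey "$dir/my-server.key" \
          -days "$days" -out "$dir/my-server.cert" 2>/dev/null )
}

# True when the certificate was issued for the key (same public key). This
# catches pointing SSLCertificateFile and SSLCertificateKeyFile at files from
# different runs, which makes Apache refuse to start.
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the Common Name, which browsers compare against the host name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//; s/^CN=//'
}

# True when the certificate is still valid for at least N more days; handy as
# a periodic check, since self-signed certificates expire after a short time.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Usage: gen_selfsigned /etc/httpd/conf www.example.org 365
```

Run the checks again after copying the files into /etc/httpd/conf, so that what Apache loads is what was verified.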

The next stage is to set up Apache to use the certificate and key to allow HTTPS connections. The steps are:

1. Copy my-server.key and my-server.cert to some directory (read only by root) - say /etc/httpd/conf/
2. Next open up /etc/httpd/conf/httpd.conf. You should find the lines starting with SSLCertificateFile and SSLCertificateKeyFile. If present, set them to the full path of the certificate and key files you generated above. For this example we thus have:

   SSLCertificateFile /etc/httpd/conf/my-server.cert
   SSLCertificateKeyFile /etc/httpd/conf/my-server.key

3. Now we need to make sure that all HTTPS related pages do not become unencrypted (ie HTTP). The best way to do this (and also disallow people accessing sensitive pages just by using http:// rather than https://) is to set up a <VirtualHost> context for HTTPS related pages. There is an entry in the default httpd.conf (beginning with <VirtualHost _default_:443>) which you can edit. Or else you can just delete it and paste the directives provided below.

   ```apache
   <VirtualHost _default_:443>
   DocumentRoot "/var/www/chem6"
   ErrorLog logs/error_log
   TransferLog logs/access_log
   ScriptAlias /cgi-bin/ "/var/www/chem6/cgi-bin/"
   <Directory "/var/www/chem6/cgi-bin">
       AllowOverride None
       Options None
       Order allow,deny
       Allow from all
   </Directory>
   SSLEngine on
   SSLCertificateFile /etc/httpd/conf/my-server.cert
   SSLCertificateKeyFile /etc/httpd/conf/my-server.key
   <Files ~ "\.(cgi|shtml|phtml|php3?)$">
       SSLOptions StdEnvVars
   </Files>
   <Directory "/var/www/chem6">
       SSLOptions StdEnvVars CompatEnvVars
   </Directory>
   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
   CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
   </VirtualHost>
   ```

4. Save httpd.conf. Restart Apache!

Some comments regarding the above setup:

* There are a load of commented directives present in the default httpd.conf. Deleting them seemed to be OK for me. The above section is what I have set up.
* The DocumentRoot is the directory (make sure it's different from the default value for the Apache installation) where the SSL part of the site resides. My application needed the login as well as subsequent pages to be encrypted. The CGI programs would output plain HTML which was being shown as HTTP and not HTTPS. Hence placing the whole site within this virtual host ensures that all pages from and after the login page are encrypted.
* To keep things neat, I also make a cgi-bin directory under DocumentRoot. The ScriptAlias and subsequent <Directory> directives ensure that the HTML POST method works (initially I had everything in the same directory but I was getting 'Error 405: Method not allowed' whenever the cgi script was accessed; the 2 directives above fixed that).

Finally, some comments regarding self-signed certificates as pointed out by James Gingerich:

* Self signed certificates will result in the client (ie browser) popping up a message mentioning that it was not issued by someone it (ie client) trusts.
* Self signed certificates expire after a relatively short time. After that the client will pop up a message mentioning that the certificate may not be valid.
* The SSL-RedHat-HOWTO provides a more comprehensive discussion of Apache and OpenSSL.

