Adding SSL to Apache

Background

The Apache server needs to be rebuilt with the module which interfaces to the Secure Sockets Layer (SSL). SSL allows secure encrypted traffic between Apache and Web browsers.

Objectives

Build and install a version of Apache with SSL support.
Set up server keys and a certificate.

Steps

Configure Apache to use SSL

We need to build the SSL module into Apache. We will take this opportunity to build in some other modules which we may need later and to save us from having to do more Apache builds. By now you should feel comfortable building Apache.

You need to be webuser for this.
Switch to the Apache source directory.
cd ~/build/httpd-2.0.49

make clean

Edit the configuration script ../configure_apache to read as follows. The new lines are highlighted.

./configure --prefix=/usr/local/apache-2.0.49 \
    --libexecdir=/webpages/libexec \
    --with-mpm=prefork \
    --enable-info \
    --enable-usertrack \
    --enable-ssl \
    --enable-dav \
    --enable-proxy \
    --enable-rewrite \
    --enable-so

Configure Apache.
../configure_apache
Build Apache
make
Install Apache as root.
cd /webpages/build/httpd-2.0.49

make install

Create a certificate

We are going to create a self signed certificate for SSL. This would not be done in practice unless it is to be used in a local environment. For Internet use, a certificate would be obtained from a certificate authority.

Switch to the webuser window.
Attach to configuration directory.
cd /webpages/conf
Create an RSA private key for your CA (will be Triple-DES encrypted and PEM formatted):
openssl genrsa -des3 -out ca.key 1024
Give and confirm a pass phrase. Make sure that you remember it!
Create a self-signed CA Certificate (X509 structure) with the RSA key of the CA (output will be PEM formatted):
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter the pass phrase for your private key.
You will now be asked to enter some information to create a Distinguished Name. Fill in the details as follows, substituting your machine name in steps 6 and 7 below. You may provide your own Distinguished Name information if you wish.
1. Country Name (2 letter code) [XY]: US

2. State or Province Name (full name) []: Florida

3. Locality Name (eg, city) []: Tallahassee

4. Organization Name (eg, company) []: Apache Anonymous

5. Organizational Unit Name (eg, section) []: Web Server Team

6. Common Name (eg, FQDN) []: tribe.web.net

7. Email Address (eg, name@FQDN) []: webuser@tribe.web.net

Configure Apache

Switch to the webuser window.
Edit the Apache configuration file. We are going to use a define for the SSL directives so that we can start the server without SSL support.

Add the following lines to the configuration file after the define for Tomcat.

<IfDefine SSL>
  Listen 443
  <VirtualHost _default_:443>
    SSLEngine On
    SSLCertificateFile /webpages/conf/ca.crt
    SSLCertificateKeyFile /webpages/conf/ca.key
  </VirtualHost>
</IfDefine>

Start Apache.

Switch to the root window.
Start the server.
testsite -DSSL
Enter the key pass phrase when asked.

Verify insecure operations.

Enter the following URL into Mozilla.
http://localhost/info
You should see an insecure Web page.

Verify secure operation.

Enter the following URL into Mozilla.
https://tribe.web.net
You should be presented with a dialog informing you of the receipt of a new site certificate.
Click the Examine Certificate button.
You should be presented with a dialog informing you of the new site certificate's details.
Click the Close button.
Check Accept this Certificate Permanently.
Click the OK button.
You should be presented with Security Warning.
Select the OK
You should see the secure Web pages.

Look at certificates in Mozilla.

Select Edit | Preferences | Privacy & Security | Certificates | Manage Certificates
Take a look at the list of Certificate Authorities.

Congratulations! You have successfully set up a secure server!