Sunday, 16 August 2009

Setting up SSL Certificates on Apache

Apache, imap, and exim all support ssl connections. Because I want webmail connections to be encrypted, so that passwords are not sent over the internet in plain text, I needed to create a key and a certificate for apache. For testing purposes I am going to be my own certificate authority. This will most likely be changed for the production server. You don't have to use any certificate authority - see

Note: The author of this page, and owner of this web site, is not to be held liable for any damage or trouble arising from following these directions. You are responsible for your own security, use, and creation of certificates.

See for much more information. (Much of what I cover here was learned from this page.)

Quick steps:

  1. Setup and create root certificate.
  2. Create a key and signing request.
  3. Sign the request.
  4. Copy to the correct location.
  5. Edit the apache config file.
  6. Restart apache.
  7. Tips.

The following covers the command-line way of doing it. If you are using a GUI, it should be fairly simple to follow along.

Note: I am running Red Hat Linux 8.0, apache 2.x with mod_ssl, and openssl 0.9.x. Steps vary slightly when you are using a certificate authority.

1) Setup and create root certificate

See Setting up OpenSSL to Create Certificates

2) Create a key and signing request

To do this type:
openssl req -new -nodes -out name-req.pem -keyout private/name-key.pem -config ./openssl.cnf

You will be prompted for information. The critical part is the "Common Name". This must be the server's hostname, such as mail.your.domain, or the IP address. If you want to cover all subdomains you can enter *.your.domain. Use the "Organizational Unit" to remind you what the certificate is for, such as "Web Server".

Name Field | Explanation | Example
Country Name | The two-letter ISO abbreviation for your country. | US = United States
State or Province Name | The state or province where your organization is located. Cannot be abbreviated. | Georgia
City or Locality | The city where your organization is located. | Atlanta
Organization Name | The exact legal name of your organization. Do not abbreviate. | SSL Secure Inc.
Organizational Unit | Optional, for additional organization information. | Marketing
Common Name | The fully qualified domain name for your web server. You will get a certificate name check warning if this is not an exact match. | www.domain.tld
Email address | The server admin's email address. | someone@your.domain

This will generate two files:
name-req.pem - the request
name-key.pem - the private key in the private directory

3) Sign the request

This will generate the certificate.

openssl ca -out name-cert.pem -config ./openssl.cnf -infiles name-req.pem

You will be prompted for the password used when creating the root certificate.

Two files are created:
name-cert.pem - which is the certificate
.pem - a copy of it in the certs directory.

4) Copy to the correct location

For apache 2.x on Red Hat using the default locations, the directories are:
For the name-key.pem (step 2 wrote it to the private directory, so copy it from there):
cp private/name-key.pem /etc/httpd/conf/ssl.key/
For the certificate:
cp name-cert.pem /etc/httpd/conf/ssl.crt/

5) Edit the apache config file

For apache on Red Hat using the default location, the config file is /etc/httpd/conf/apache.conf. Note that your apache.conf file may make use of separate config files and you may have an /etc/httpd/conf.d/ssl.conf file. Check for this first before you place the following in your apache.conf file. Create a VirtualHost section for your web server. Basic example:

<VirtualHost _default_:443>
# The container directives (<VirtualHost>, <Files>, <Directory>) were lost from
# this page; they are restored here following the stock Red Hat ssl.conf layout,
# which is an assumption about the original.
DocumentRoot /var/www/html
ServerAdmin someone@your.domain
ErrorLog /etc/httpd/logs/ssl_error_log
TransferLog /etc/httpd/logs/ssl_access_log
SSLEngine On
SSLCertificateFile /etc/httpd/conf/ssl.crt/name-cert.pem
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/name-key.pem

# Expose SSL_* variables to CGI and PHP scripts
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>

<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

# Work around broken SSL shutdown handling in old MSIE versions
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /etc/httpd/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Also see

6) Restart apache

service httpd restart

7) Tips

The certificate we created is only good for 365 days. When it expires visitors to your site will receive a warning message. Don't forget to remake your key each year, or however long you set it for.

For Squirrelmail, get the secure_login plugin. This will force https for login and switch back to http after.
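As an added example (not from the original post), here are steps 1 to 3 run non-interactively against a scratch CA in a temporary directory, followed by the checks worth doing before copying anything into /etc/httpd: does the certificate chain to the root, does it carry the hostname you typed as Common Name, and how long is it valid (the step 7 tip). It assumes openssl is on the PATH, mail.example.test as the hostname, a temp directory in place of the CA directory, and its own minimal openssl.cnf rather than the one from the linked OpenSSL page.

```shell
# Added example, not the post's own commands. Names (mail.example.test,
# "Scratch Test CA", the temp directory layout) are assumptions.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/private" "$WORK/certs"; touch "$WORK/index.txt"; echo 01 >"$WORK/serial"
# Minimal openssl.cnf for both 'req' and 'ca'; 'policy' names the request fields kept in the cert.
cat >"$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK/certs
serial = $WORK/serial
certificate = $WORK/cacert.pem
private_key = $WORK/private/cakey.pem
default_md = sha256
default_days = 365
unique_subject = no
policy = local_policy
x509_extensions = server_ext
[ local_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
[ server_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:mail.example.test
EOF
make_root_cert() {    # 1) self-signed root; ca_ext marks it CA:TRUE so 'verify' accepts it
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 3650 -subj "/CN=Scratch Test CA" \
        -keyout "$WORK/private/cakey.pem" -out "$WORK/cacert.pem" -config "$WORK/openssl.cnf" 2>/dev/null
}
issue_server_cert() { # 2) key + request with the hostname as Common Name; 3) sign it (-batch skips the y/n prompts)
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$1" -out "$WORK/name-req.pem" \
        -keyout "$WORK/private/name-key.pem" -config "$WORK/openssl.cnf" 2>/dev/null
    openssl ca -batch -notext -out "$WORK/name-cert.pem" -config "$WORK/openssl.cnf" \
        -infiles "$WORK/name-req.pem" 2>/dev/null
}
verify_cert() {       # returns 0 only if the cert chains to our root AND its subject CN is $1
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/name-cert.pem" >/dev/null &&
        openssl x509 -in "$WORK/name-cert.pem" -noout -subject | grep -q "CN *= *$1"
}
cert_valid_for() {    # the step 7 tip as a check: returns 0 if still valid $1 seconds from now
    openssl x509 -in "$WORK/name-cert.pem" -noout -checkend "$1" >/dev/null
}
make_root_cert; issue_server_cert mail.example.test
verify_cert mail.example.test && cert_valid_for 0 && openssl x509 -in "$WORK/name-cert.pem" -noout -enddate
```

The subjectAltName line is the part a real server certificate needs today: browsers match the hostname against the SAN, not the Common Name.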

1 comment:

oliver said...

Blogs like this are great! I recently wanted to solve a similar data protection issue for my site users, and although I used an Apache SSL Certificates specialist, blogs like this show you just how easy it is and how you can have a go at it yourself!