Monday, August 15, 2011

apache: ssl setup

1. configure your apache with ssl
    # ./configure --prefix=/usr/local/apache2 --enable-rewrite --enable-ssl --with-ssl=/usr/include/openssl
    (note: --with-ssl expects the OpenSSL installation prefix, e.g. /usr or /usr/local/ssl, not the include directory. if configure complains that it cannot find OpenSSL, point it at the prefix instead)

2. create a signing key without pass phrase *
    # openssl genrsa -out server.key 2048
    or if with pass phrase
    # openssl genrsa -des3 -out server.key 2048
    (1024-bit RSA keys are no longer considered adequate and public CAs will not sign them; use at least 2048 bits. the key file should be readable by root only: chmod 600 server.key)

3. create a certificate request. use this when you purchase your certificate (or do step 4 for a self-signed certificate)
    # openssl req -new -key server.key -out server.csr
    (leave the challenge password blank; the Common Name must be the hostname clients will connect to)

4. create a self-signed certificate (browsers will warn about it since no CA vouches for it; fine for testing, not for public sites)
    # openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

5. modify your httpd.conf file to add the ssl key and certificate (make sure a Listen 443 directive is present as well, either here or in ssl.conf, otherwise apache will not accept connections on the port)
    Listen 443
    <VirtualHost 127.0.0.1:443>
        SSLEngine on
        SSLCertificateFile /usr/local/apache2/conf/server.crt
        SSLCertificateKeyFile /usr/local/apache2/conf/server.key
    </VirtualHost>

6. place your ssl key and certificate files into the directory paths you supplied in your httpd.conf (above)

7. start apache with ssl
    # /etc/init.d/httpd startssl
    (the startssl option was removed from apachectl in httpd 2.2; on those versions either enable SSL unconditionally in httpd.conf or pass the -DSSL define as in step 8)

* you should NOT generate the RSA private key with a pass phrase if you have scripts that restart apache with ssl automatically, else, it will require you to enter the pass phrase before it starts apache with ssl

8. edit the apache startup script to launch with ssl
    add -DSSL to the start command in the start script /etc/init.d/httpd
    $HTTPD -k $ARGV -DSSL

9. allow the ssl port through your firewall. if you're using iptables, add this (RH-Firewall-1-INPUT is the default chain on Red Hat/CentOS; use INPUT or your own chain elsewhere)
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

to verify the contents of the certificate request, use this command:
# openssl req -noout -text -in server.csr

to view the contents of the private key, use the command below:
# openssl rsa -noout -text -in server.key
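The following is an added example, not code from the original post: steps 2 to 4 and the verification commands above wrapped in shell functions, so the key, CSR and certificate can be generated and sanity-checked (key matches certificate, Common Name is right, key file is not world-readable) before anything is copied into the Apache conf directory. It assumes the openssl command-line tool is installed; the subject fields, the CN "localhost" and the temporary directory are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI is
# available; subject/CN values below are constructed for the demo.

# Generate a 2048-bit key without pass phrase, a CSR and a self-signed cert
# into directory $1 for common name $2. umask 077 makes server.key 0600.
gen_selfsigned() {
    dir=$1
    cn=$2
    (umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null)
    # -subj answers the interactive prompts; the challenge password stays unset
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=State/L=City/O=Example/CN=$cn" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Print "match" if private key $1 belongs to certificate $2, else "mismatch".
# Apache refuses to start when these differ, so check before installing them.
key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1")
    cmod=$(openssl x509 -noout -modulus -in "$2")
    if [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Print the CN from a certificate's subject. RFC2253 output is the same
# across OpenSSL versions, unlike the default subject formatting.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Print "private" if key file $1 is not readable by group or others,
# else "exposed".
key_is_private() {
    if [ -z "$(find "$1" \( -perm -g+r -o -perm -o+r \) -print)" ]; then
        echo private
    else
        echo exposed
    fi
}

# Demo run in a temporary directory; nothing is copied into Apache's conf.
demo_dir=$(mktemp -d)
gen_selfsigned "$demo_dir" localhost
echo "key/cert: $(key_matches_cert "$demo_dir/server.key" "$demo_dir/server.crt")"
echo "CN: $(cert_cn "$demo_dir/server.crt")"
echo "key perms: $(key_is_private "$demo_dir/server.key")"
# same check as the post's "openssl req -noout -text", trimmed for the demo
openssl req -noout -text -in "$demo_dir/server.csr" | head -n 5
rm -rf "$demo_dir"
```

Once the three checks print match, the expected CN and private, copy server.key and server.crt to the paths named in SSLCertificateKeyFile and SSLCertificateFile and restart apache; a mismatch or an exposed key is cheaper to catch here than from the error log after a failed restart.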

to restrict the protocol versions (this disables SSLv2, which is broken; there is no such thing as TLSv3), add this in ssl.conf:
SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite SSLv3:+HIGH:+MEDIUM
note: SSLv3 has since been shown to be insecure as well (the POODLE attack), so on a current build disable it too and allow only TLS, with a cipher list that drops anonymous and MD5 suites:
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5


to test the ssl connection (check the "Verify return code" line at the end of the output; a self-signed certificate shows 18, "self signed certificate")
# openssl s_client -connect localhost:443
