20090323 apache 2 https on ubuntu - plembo/onemoretech GitHub Wiki

title: Apache 2 HTTPS on Ubuntu
link: https://onemoretech.wordpress.com/2009/03/23/apache-2-https-on-ubuntu/
author: lembobro
description:
post_id: 352
created: 2009/03/23 06:27:37
created_gmt: 2009/03/23 06:27:37
comment_status: open
post_name: apache-2-https-on-ubuntu
status: publish
post_type: post

Apache 2 HTTPS on Ubuntu

Just some quick notes on how I ssl-enabled apache2 on Ubuntu 8.10 (Intrepid).

Basic process is similar to what I did with slapd, except for the major difference that the standard openssl toolkit was used throughout. The Ubuntu Server Guide contains the all too brief procedure for setting things up with the default “snakeoil.com” self-signed certificate, which is clearly inadequate for all but the most bush league test environments. The more detailed chapter on Certificates describes the correct way to do things.

1. Enable the mod_ssl module for apache2 (included in the apache2-common package) by invoking the command:

sudo a2enmod ssl

2. Create a server key (that will not require a passphrase to access) as follows:

First create the secure key, providing a passphrase when prompted.

openssl genrsa -des3 -out https_server.key 1024

Then create an “insecure” version stripping out the passphrase:

openssl rsa -in https_server.key -out https_server.key.insecure

Copy these keys to /etc/ssl/private.

3. Generate a certificate request with this command (all on one line):

openssl req -new -key /etc/ssl/private/https_server.key.insecure -out https_server.csr

4. Submit this request to your CA (in my case, the free cacert.org service), and copy the resulting signed certificate to /etc/ssl/newcerts.

5. Edit /etc/apache2/sites-enabled/default-ssl to make the SSLCertificateFile and SSLCertificateKeyFile directives point to the correct paths.

6. Restart apache2 with a /etc/init.d/apache2 restart.

7. Make sure that the signing CA’s root certificate has been imported into your browser (most commercial CAs ship with every browser, although some may be out of date). Since the cacert.org root cert does not, I needed to import it by going up and clicking on the Root Certificate link to import the PEM format Class 3 PKI key certificate.

8. Test by connecting to the newly ssl-enabled site with your browser using HTTPS.
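Before the restart in step 6, the paths set in step 5 can be checked from the shell. The script below is an added example, not part of the original post: it reads the two directives from the vhost file, confirms the passphrase-less key is not accessible to other users, confirms the signed certificate matches the key, and flags short RSA keys. The function names and the script name in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example: sanity checks for the key/certificate pair named in an
# Apache SSL vhost. Function names are hypothetical, not from the post.

# Print the first value of an Apache directive (case-insensitive; comments skipped).
vhost_directive() {   # usage: vhost_directive FILE DIRECTIVE
    awk -v d="$2" 'tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Succeed only if "other" users have no access to the key file.
# A key without a passphrase is protected by file permissions alone.
key_mode_ok() {
    [ "$(ls -ldL "$1" | cut -c8-10)" = "---" ]
}

# Succeed only if the certificate carries the public half of the private key.
key_matches_cert() {  # usage: key_matches_cert KEY CERT
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the key length in bits (assumes an RSA key, as generated in step 2).
key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

check_vhost() {       # usage: check_vhost VHOST_FILE
    cert=$(vhost_directive "$1" SSLCertificateFile)
    key=$(vhost_directive "$1" SSLCertificateKeyFile)
    [ -r "$cert" ] && [ -r "$key" ] || { echo "FAIL: cert or key not readable"; return 1; }
    key_mode_ok "$key" || { echo "FAIL: $key is accessible to other users"; return 1; }
    key_matches_cert "$key" "$cert" || { echo "FAIL: certificate does not match key"; return 1; }
    bits=$(key_bits "$key")
    [ "${bits:-0}" -ge 2048 ] ||
        echo "WARN: ${bits:-unknown}-bit RSA key; 2048 bits is the usual minimum today"
    echo "OK: $cert matches $key"
}

# Run as: sudo sh check_vhost.sh /etc/apache2/sites-enabled/default-ssl
if [ "$#" -eq 1 ]; then check_vhost "$1"; fi
```

A key generated with the 1024-bit command in step 2 passes the match check but triggers the WARN line.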

Copyright 2004-2019 Phil Lembo