Apache with SSL

Last edited by KogAdmin (disclaimer), Fri, 10 Feb 2006 17:59 PST

Managed hosts
This document is for people wishing to set up their own instance of Apache w/ OpenSSL (and root). People using managed hosting will need to speak with their providers.
We like Apache w/ SSL support. It's awesome. Maybe that's just because I love crypto for some undefined, irrational reason. Maybe I shouldn't write documentation at 0500. You need several things:

The steps are simple, but differ between Apache 2 and 1.x. Apache 2 ships with SSL support built in, whereas 1.x needs mod_ssl compiled separately. How that goes depends on what OS/flavor you're running. You'll have to hunt for this on your own, but it shouldn't be difficult, and if you're running Apache 1.3 you should seriously consider 2, unless you're on OpenBSD or use some module that hasn't been ported yet... I'm going to assume you have this portion set up, are willing to search Google, or will leave me a comment so I can track it down.

Disclaimer - someone once asked me why I don't define SSL within the scope of this document. This is a how-to, not a cryptographic whitepaper. Please see my page on SSL.

Why do we care about SSL? Because it lets us send private information over an encrypted connection instead of in plain text, so that anyone listening in won't see things such as credit card numbers, addresses, passwords etc. The certificates (what we're setting up now) help ensure that the hosts we send this traffic to are who they claim to be, and beyond that they let us establish the encrypted stream with the foreign host.

Step 1: Generate your certificate
Certificates are important. They have many functions, some of which are:
As for identification of the host, we're concerned with "is this site who it claims to be?" We figure this out by checking who issued the certificate, and then reading its various fields. First of all, is the host who it claims to be? If not, and you don't expressly know why that is, you might be looking at an attempted man-in-the-middle attack, or just being forwarded around (like some of those lovely eBay scams).

The thing about Certificate Authorities (CAs) is that they generally identify the host, and they charge money so that some automaton can't go around spuriously generating certificates. There is a chain of trust, all the way back to the root issuers. We can also tune into revocation lists - that is, certificates which have been invalidated by theft of the private key, rooting of the host or anything else that might compromise your security. These lists can be sync'd automatically, and should be for all the classical issuers.

SO! You CAN generate your own certificate using the tools provided by OpenSSL/Apache, but I wouldn't for a production site. People generally go with Verisign, Thawte or any number of issuers. There's also a free service called CACert that is the grass-roots chain of trust. I would trust these people far more than a home-generated cert, and if cost is an issue - definitely go with these folks. If you can afford one of the big names, more browsers are going to accept your certificate without complaining about the issuer.

Please see the Apache documentation for further information about CSRs, keys, CAs and other advice.

That being said, for testing purposes you can generate your own. This should be done as root!
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

What you're doing:
1. Generating a private key, protected with a password. It will ask for one, and you obviously need to remember it: you'll need it any time the key is used (restarting the server, generating the CSR, signing things... anything where you need the private key). Yes, you can generate the key without a password (the -des3 flag is what encrypts it; leave it off and the key sits on disk in the clear), but that's a dumb idea, because then anyone who can read the file has your key.
2. Generating a Certificate Signing Request. Here you're building the certificate for your server, along with things such as OU, location, IP. This is rather important to get right - certificates with bogus information should ALWAYS be thrown out by a smart user. Make sure to use a fully qualified domain name as the common name.
3. The signing. This is where you sign the cert with your own key. You shouldn't do this - instead use CACert or another "trusted" company. But once this is done (by whomever) you have a certificate that Apache can use, and that users will encrypt things to (at least the initial exchange, anyway).

Most hosting services will do all this for you, but will charge. You really should allow step 3 to be done by CACert or a charging company... I can't stress that enough.

You should now have your key (the .key) and your certificate (the .crt); both are needed for the next step. Please move them to directories OUTSIDE of your htdocs. They should stay on the filesystem, owned by the www/apache/httpd/whatever user and not accessible by any other user, except possibly for read - and even then you should be careful with your private key. I say to generate/move as root because it's easier to move things about (and your web user shouldn't have login enabled anyway...)
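The three commands above as a non-interactive script, followed by the checks worth running before pointing Apache at the files: that the key and certificate match, that the key is passphrase-protected (the reason for the restart prompt described under the run scripts), that the CN is the FQDN you asked for, and that the cert is not about to expire. This is an added example, not from the original page; it assumes the openssl CLI is on PATH, the hostname, organisation and passphrase are constructed test values, and it uses a 2048-bit key rather than the page's 1024.

```shell
#!/bin/sh
# Added example, not from the original page. Scripts the page's three openssl
# commands non-interactively, then checks the result before Apache sees it.
# Assumptions: openssl CLI on PATH; CN, O and PASS are constructed test values;
# key size is 2048 bits (1024-bit RSA is no longer considered adequate).
set -e
WORK="${WORK:-$(mktemp -d)}"                 # scratch dir, NOT under htdocs
CN="www.example.test"                        # constructed; use your real FQDN
PASS="constructed-test-passphrase"           # a real one is typed at the prompt

make_test_cert() {
    # 1. private key, Triple-DES encrypted under $PASS (omit -des3 for no passphrase)
    openssl genrsa -des3 -passout "pass:$PASS" -out "$WORK/server.key" 2048 2>/dev/null
    # 2. CSR; -subj supplies the answers the command would otherwise ask for
    openssl req -new -key "$WORK/server.key" -passin "pass:$PASS" \
        -subj "/C=US/O=Example Test Org/CN=$CN" -out "$WORK/server.csr"
    # 3. self-sign for a year (for a real site a CA does this step from the CSR)
    openssl x509 -req -days 365 -in "$WORK/server.csr" -signkey "$WORK/server.key" \
        -passin "pass:$PASS" -out "$WORK/server.crt" 2>/dev/null
    chmod 600 "$WORK/server.key"             # only the owner may read the key
}
# Public key in the cert must belong to the private key Apache will load
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$WORK/server.crt" | openssl md5)
    k=$(openssl rsa -noout -modulus -in "$WORK/server.key" -passin "pass:$PASS" | openssl md5)
    [ "$c" = "$k" ]
}
# Encrypted key => Apache prompts for the passphrase on every start/restart
key_is_encrypted() {
    grep -q ENCRYPTED "$WORK/server.key"
}
# Common Name as it appears in the certificate subject
cert_cn() {
    openssl x509 -noout -subject -in "$WORK/server.crt" | sed 's/.*CN *= *//'
}
# Succeeds if the cert is still valid $1 days from now
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $1 * 86400 )) -in "$WORK/server.crt" >/dev/null
}

make_test_cert
key_matches_cert && echo "key/cert pair: OK"
key_is_encrypted && echo "key is passphrase-protected: expect a prompt on restart"
echo "CN: $(cert_cn)"
cert_valid_for_days 30 && echo "valid for at least 30 more days"
```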

Step 2: Apache
httpd.conf snippet:
ServerName ip
NameVirtualHost ip:80

<VirtualHost ip:80>
    ServerName ip
    DocumentRoot /path/to/htdocs
    RewriteEngine On
</VirtualHost>

#you really do want this, it does the https magic. I promise.
NameVirtualHost ip:443

<VirtualHost ip:443>
    ServerName ip
    ServerAdmin email@host
    DocumentRoot /path/to/htdocs
    SSLEngine on
    SSLCertificateFile /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
</VirtualHost>

Strictly speaking you don't need the port 80 virtual host set up, but it's nice for forcing SSL on a given directory, or forcing non-SSL on others. Alter the snippet accordingly w/ htdoc roots, emails, IPs etc.

Apache run scripts
Depending on what OS/Flavor you run you're going to need to do this differently. Linux will need to alter the init scripts (/etc/init.d if memory serves), Unix will alter the rc.d scripts, and Windows... I have no idea.

Instead of a plain apachectl/httpd/whatever start, you'll need -k start -DSSL. You can alternately use the switch "startssl" - but I like -DSSL because it reminds me that you NEED to give -DSSL to stop/restart/anything else. startssl is just an alias for -k start -DSSL, and restart/whatever alone will NOT work. Please remember this... it can cause a lot of aggravation.

You WILL be prompted every restart of apache for the password for your key. This can be fun when throwing apache the argument -DSSL on startup (init.d/rc.d scripts). Beware.

Notes
- helpful link for those of you running FreeBSD
- Apache2 docs about SSL certs
- Gentoo Wiki article on apache/self-signed SSL

