The two main steps involved are a) installing Apache and b) getting the SSL certificates to work. Instructions for a non-SSL Apache installation are readily available. However, I found that SSL certificate generation was not documented in a concise manner in the package. The "snake-oil" certs that come with Apache are not useful, and the documentation for manually adding certs is scattered across various places. This HOW-TO is an attempt to consolidate the whole process into one document for easy reference. Ideally this HOW-TO would be distributed with the FreeBSD apache+modssl package/port as a README-SSL so that users would be saved the trouble of searching the web to find it. It would also be best if the README-SSL file were installed in /usr/local/etc/apache so that people who are looking at the certificate directories and editing the config files can easily find it. The instructions are for FreeBSD 4.5.
The instructions below assume you don't want to spend the extra money to get Verisign, Thawte, or some other Certificate Authority (CA) to sign your server certificate. If you do want to spend the money, see the FAQ at www.modssl.org for info.
Put the CD in the drive and mount it by typing
# mount /cdrom
Next go to where the apache+modssl package is by typing
# cd /cdrom/packages/www
View the packages available with
# ls apache*
Then add the package by typing
# pkg_add apache+mod_ssl-1.3.22+2.8.5_4.tgz
For details on Apache configuration, see the Apache documentation at www.apache.org or the documentation files on your system under /usr/local/share/doc/apache/.
3.1 Make server SSL certificate
Create a RSA private key for your Apache server (will be Triple-DES encrypted and PEM formatted):
# openssl genrsa -des3 -out server.key 1024
Please back up this server.key file in a secure location and remember the pass-phrase you had to enter. You can see the details of this RSA private key via the command:
# openssl rsa -noout -text -in server.key
And you could create a decrypted PEM version (not recommended) of this RSA private key via:
# openssl rsa -in server.key -out server.key.unsecure
Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):
# openssl req -new -key server.key -out server.csr
Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", e.g. when you generate a CSR for a website which will later be accessed via https://www.foo.dom/, enter "www.foo.dom" here. You can see the details of this CSR via the command:
# openssl req -noout -text -in server.csr
3.2 Make CA certificate
Create a RSA private key for your CA (will be Triple-DES encrypted and PEM formatted):
# openssl genrsa -des3 -out ca.key 1024
Please back up this ca.key file in a secure location and remember the pass-phrase you just entered. You can see the details of this RSA private key via the command:
# openssl rsa -noout -text -in ca.key
And you can create a decrypted PEM version (not recommended) of this private key via:
# openssl rsa -in ca.key -out ca.key.unsecure
Create a self-signed CA Certificate (X509 structure) with the RSA key of the CA (output will be PEM formatted):
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
You can see the details of this Certificate via the command:
# openssl x509 -noout -text -in ca.crt
Use the CA to sign the server CSRs in order to create real SSL Certificates for use inside an Apache webserver:
# ./signcert server.csr
This signs the server CSR and results in a server.crt file.
# cp server.crt /usr/local/etc/apache/ssl.crt/server.crt
# cp server.key /usr/local/etc/apache/ssl.key/server.key
# /usr/local/sbin/apachectl startssl
You will have to type in your key pass-phrase. The reason this prompt comes up at startup and on every restart is that the RSA private key inside your server.key file is stored in encrypted form for security reasons. The pass-phrase is needed to read and parse this file. When you can be sure that your server is secure enough, you can perform two steps:
Remove the encryption from the RSA private key (while preserving the original file):
# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key
Make sure the server.key file is now only readable by root:
# chmod 400 server.key
Now server.key will contain an unencrypted copy of the key. If you point your server at this file it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this key they will be able to impersonate you on the net. PLEASE make sure that the permissions on that file are really such that only root or the web server user can read it (preferably have your web server start as root but run as another user, and have the key readable only by root).
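Sections 3.1 and 3.2 plus the key-decryption step, as an added shell example (not the HOW-TO's own commands, and not its signcert script): it runs non-interactively, signs the CSR with openssl x509 -req in place of ./signcert, and then checks that the server certificate chains to the CA, that the key matches the certificate, and that the decrypted key is readable by its owner only. The hostname www.foo.dom, the CA name, the pass-phrase and the scratch directory are constructed; it uses 2048-bit keys and AES-256 rather than the page's 1024-bit Triple-DES.

```shell
# Added example, not the HOW-TO's own commands: the same key -> CSR -> CA ->
# signed-cert flow run non-interactively, followed by the checks worth making
# before copying anything into ssl.crt/ and ssl.key/. The HOW-TO's ./signcert
# helper is not shown there; "openssl x509 -req" performs the same signing.
set -e
PASS=pass:change-me          # constructed pass-phrase; in real use, prompt for it

make_certs() (               # $1 = scratch directory (constructed)
    mkdir -p "$1" && cd "$1"
    # Minimal config: no prompts, and the CA cert explicitly marked CA:TRUE.
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # 3.1 server key (AES-256, 2048 bits here) and CSR; the CN must be the
    #     FQDN clients will use in https://www.foo.dom/
    openssl genrsa -aes256 -passout "$PASS" -out server.key 2048
    openssl req -new -config ca.cnf -subj "/CN=www.foo.dom" \
        -key server.key -passin "$PASS" -out server.csr
    # 3.2 CA key and self-signed CA certificate
    openssl genrsa -aes256 -passout "$PASS" -out ca.key 2048
    openssl req -new -x509 -config ca.cnf -extensions v3_ca -days 365 \
        -key ca.key -passin "$PASS" -out ca.crt
    # sign the server CSR with the CA (the ./signcert step), adding a SAN
    printf 'subjectAltName=DNS:www.foo.dom\nbasicConstraints=CA:FALSE\n' > server.ext
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
        -passin "$PASS" -CAcreateserial -extfile server.ext -out server.crt
    # strip the pass-phrase for unattended startup, then lock the file down
    openssl rsa -in server.key -passin "$PASS" -out server.key.unsecure
    chmod 400 server.key.unsecure
)

verify_certs() (             # $1 = same directory; succeeds only if all hold
    cd "$1"
    # 1. server.crt chains to ca.crt (what a client trusting ca.crt checks)
    openssl verify -CAfile ca.crt server.crt >/dev/null
    # 2. key and certificate belong together (identical RSA modulus)
    k=$(openssl rsa -noout -modulus -in server.key.unsecure)
    c=$(openssl x509 -noout -modulus -in server.crt)
    [ "$k" = "$c" ]
    # 3. the unencrypted key is readable by its owner only (-r--------)
    [ "$(ls -l server.key.unsecure | cut -c1-10)" = "-r--------" ]
)
```

Run make_certs with a scratch directory, then verify_certs on the same directory; only after verify_certs succeeds would server.crt and the key be copied into /usr/local/etc/apache/ssl.crt/ and ssl.key/.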
Now all you have to do is update your rc.local.conf to start apache whenever you boot up.