Security is always a big concern and there’s no reason your website should go unsecured. You can secure your Apache website with a self-signed SSL certificate. This post describes the process using Apache 2.2 and OpenSSL on an Ubuntu Linux server.
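Begin by generating a private key. Use at least 2048 bits; 1024-bit RSA keys are no longer considered adequate and are rejected by current browsers:
$ openssl genrsa -out mycert.key 2048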
Next, generate a certificate request and enter the information:
$ openssl req -new -key mycert.key -out mycert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Next, generate the self-signed certificate. You can specify the number of days the cert is valid for.
$ openssl x509 -req -days 365 -in mycert.csr -signkey mycert.key -out mycert.cert
Signature ok
subject=/C=/ST=/L=/O=/CN=
Getting Private key
You no longer need the .csr request file. Create a folder and move the .key and .cert files into it:
$ sudo mkdir /etc/apache2/ssl
$ sudo mv *.cert /etc/apache2/ssl
$ sudo mv *.key /etc/apache2/ssl
$ sudo chmod 400 /etc/apache2/ssl/*.key
If the private key is protected with a passphrase, by default Apache will prompt for it when it starts. This can be a problem since you will need to enter the passphrase each time Apache is restarted. We can fix this by having Apache call a program that returns the passphrase.
Create the shell script /etc/apache2/ssl/password.sh and enter the following:
#!/bin/bash
echo "password"
The script stores the passphrase in clear text, so make it readable and executable by root only. Next we need to tell Apache to run the script. Apache’s SSL settings are stored in:
/etc/apache2/mods-enabled/ssl.conf
Edit the file and change the SSLPassPhraseDialog to:
SSLPassPhraseDialog exec:/etc/apache2/ssl/password.sh
The last step is to assign the certificate to your Apache site by editing the sites file:
/etc/apache2/sites-enabled/000-default
You’ll need to configure the SSL settings for the site:
<VirtualHost 192.168.1.100:443>
...
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/mycert.cert
SSLCertificateKeyFile /etc/apache2/ssl/mycert.key
...
</VirtualHost>
Don’t forget to tell Apache to listen on port 443 in the /etc/apache2/ports.conf file. Restart Apache with sudo apache2ctl restart and you should be a little closer to being secure.
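Before restarting Apache it is worth confirming that the key matches the certificate, that the certificate has not expired, and that the key file is private. The script below is an added example, not part of the original post; the function names and the script name check_tls.sh are hypothetical, and it assumes an unencrypted key and GNU stat.

```shell
#!/bin/bash
# Added example: pre-flight checks for the files referenced by
# SSLCertificateFile / SSLCertificateKeyFile. Helper names are illustrative.

# True only if the certificate carries the public key derived from this private key.
# "-passin pass:" makes a passphrase-protected key fail instead of prompting.
pair_matches() {
    local cert="$1" key="$2" cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if the certificate is still valid $2 days from now (default 0 = today).
not_expiring() {
    local cert="$1" days="${2:-0}"
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# True if group and others have no access to the key file (e.g. mode 400 or 600).
key_is_private() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2   # GNU stat, as on Ubuntu
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run all checks; print what failed and return non-zero if anything did.
check_tls_files() {
    local cert="$1" key="$2" rc=0
    pair_matches "$cert" "$key"  || { echo "FAIL: key does not match certificate"; rc=1; }
    not_expiring "$cert" 30      || { echo "FAIL: certificate expired or expires within 30 days"; rc=1; }
    key_is_private "$key"        || { echo "FAIL: key file is accessible to group/others"; rc=1; }
    return $rc
}

# Usage: sudo ./check_tls.sh /etc/apache2/ssl/mycert.cert /etc/apache2/ssl/mycert.key
if [ $# -eq 2 ]; then
    check_tls_files "$1" "$2"
fi
```

Run it with sudo, since the key is readable by root only after the chmod 400 step; a non-zero exit status means at least one check failed.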