Setting up Apache with mod-ssl

This is a very quick and dirty guide to setting up Apache with mod-ssl. The end result is a secure connection, but one whose certificate is not signed by a certificate authority. This means that it is fine for testing and personal use, because you probably trust yourself and are only interested in having an encrypted link, but it is not OK for, say, an ecommerce site.

Make sure you have mod-ssl installed and loading correctly first. If apache starts without issuing errors and mentions mod-ssl in /etc/apache/module.conf then it is all working as it should be. If this isn’t the case you will need to install mod-ssl but I think it comes as standard.

Under /etc/apache there are five directories that contain the information required for a fully working SSL setup. They are the following:

* ssl.crl : Certificate revocation list. Put revoked certificates here. We don’t need to worry about this folder at the moment.
* ssl.crt : This is where the certificates are stored.
* ssl.csr : For certificate signing requests.
* ssl.key : The keys go here.
* ssl.prm : Contains the parameter files for creating the keys.

Create the Key

Switch to the key directory (ssl.key) and create a new key for your server that doesn’t require a pass phrase. You can use a pass phrase, but it will cause Apache to hang on start up waiting for you to enter the value. This means that we are relying on the box being secure both physically and virtually. As long as the private key is only readable by the people that should be allowed to read it, this isn’t that much of a problem. If your box has been rooted, which would be about the only way to get hold of the certificate, you probably want a new certificate anyway to make sure there isn’t going to be a problem. Create the key with the following command, making the obvious substitutions (Note: I have made up the entropy below so there is no point trying to copy my private key):

openssl genrsa -out www.crazysquirrel.com.key 2048
Generating RSA private key, 2048 bit long modulus
…………..++……………….++……………………………+++
…………….++………………..++……………+…………………….+++
e is 392874 (0x40307)

This will create the file www.crazysquirrel.com.key, which is your private key. It is imperative that this key remains private and is not accessible to the world in general.


Create the Certificate Signing Request

You now have to create the certificate signing request. This would normally be sent to a widely known certificate authority, who would then send you back the certificate to use. We just want a testing system, so there is no point in shelling out hundreds of pounds for a properly signed certificate, but we still have to create the signing request. Execute the following command from the key directory (I’m assuming you have the standard set up):

openssl req -new -key www.crazysquirrel.com.key -out ../ssl.csr/www.crazysquirrel.com.csr

You will be asked a number of questions about the certificate. The process is quite painless, but it is important that you give valid information if you are intending to use this certificate to run a real server. If it is a testing certificate I suggest, to avoid confusion, that you indicate that in the certificate information. The one bit of information that is really important is the CN or common name. This must match your domain name exactly or the browser will complain.

Once you have answered all the questions you should have a certificate signing request in /etc/apache/ssl.csr called “www.crazysquirrel.com.csr”. It’s worth pointing out that you almost certainly want to make a back up copy of your key file. If you lose it you have to get a new certificate, which may be costly.

Self-signing the Key

You now have to sign the certificate request with your own key. Switch to the ssl.csr directory and check that the csr is there first, then execute the command.

openssl x509 -in www.crazysquirrel.com.csr \
    -out ../ssl.crt/www.crazysquirrel.com.crt \
    -req -signkey ../ssl.key/www.crazysquirrel.com.key -days 365

Note: That is a single command; I have had to split it with trailing backslashes to make it fit. The output is very brief:

Signature ok
subject=/C=US/ST=Somewhere/L=Somehow/O=CrazySquirrel/OU=Something/
CN=www.crazysquirrel.com/emailAddress=foo@crazysquirrel.com
Getting Private key

But you should now have a certificate in the ssl.crt directory.

Installing and Restarting Apache

Add the following lines to your httpd.conf file:

SSLEngine on
SSLCertificateFile /etc/apache/ssl.crt/www.crazysquirrel.com.crt
SSLCertificateKeyFile /etc/apache/ssl.key/www.crazysquirrel.com.key
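Before restarting, it is worth confirming that the two files named in these directives belong together. The shell functions below are an added example, not part of the original guide: they check that the certificate carries the public key of the private key, that the key file grants nothing to group or others, and that the CN is the host name you expect. The function names are made up for illustration, and the script assumes an openssl binary that provides the pkey subcommand.

```shell
#!/bin/sh
# Added example: pre-restart checks for the files named in
# SSLCertificateKeyFile and SSLCertificateFile. Function names are illustrative.

# Succeeds if the certificate carries the public key of the private key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Succeeds if the key file grants no permissions to group or others.
key_is_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Prints the subject common name (CN) of the certificate.
# RFC2253 output is comma separated, e.g. CN=host,O=Org,C=GB.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *//; s/^\(.*,\)\{0,1\}CN=\([^,]*\).*$/\2/p'
}

# Runs all three checks on KEYFILE CERTFILE HOSTNAME; non-zero if any fails.
check_pair() {
    rc=0
    key_matches_cert "$1" "$2" || { echo "FAIL: certificate does not match key"; rc=1; }
    key_is_private "$1" || { echo "FAIL: key is accessible to group or others"; rc=1; }
    [ "$(cert_cn "$2")" = "$3" ] || { echo "FAIL: certificate CN is not $3"; rc=1; }
    return "$rc"
}

# Usage: sh check_pair.sh KEYFILE CERTFILE HOSTNAME
if [ "$#" -eq 3 ]; then check_pair "$@"; fi
```

Run it with the key path, the certificate path and the ServerName as arguments; it prints nothing and exits 0 when all three checks pass.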

You now have to perform a full server restart. Normally you can do a simple /etc/init.d/apache restart, but for some reason that won’t work here and you have to do /etc/init.d/apache stop then /etc/init.d/apache start. If you don’t, you will receive the error message:

[error] mod_ssl: Init: (www.crazysquirrel.com:80) Ops, no RSA or DSA server\
certificate found?!
[error] mod_ssl: Init: (www.crazysquirrel.com:80) You have to perform a *full* server\
restart when you added or removed a certificate and/or key file

Possible Problems

I’m running a system that includes virtual servers which makes the setup a tiny bit more complex. Following the instructions above I get the following error message (in /var/log/apache/error.log) when I try to start the server.

[error] mod_ssl: Init: (www.xfly.co.uk:80) Illegal attempt to re-initialise\
SSL for server (theoretically shouldn’t happen!)

This is fixed by including the lines that activate the SSL Engine in a virtual host declaration rather than in the main server definition. I think it has something to do with the way mod-ssl is compiled but don’t quote me on that. Anyway, an example virtual host declaration is shown below:


# ADDRESS is a placeholder: use the IP address or name this virtual host answers on
<VirtualHost ADDRESS:443>
ServerAdmin webmaster@crazysquirel.com
DocumentRoot /somewhere/crazysquirrel.com
ServerName www.crazysquirrel.com
ErrorLog /var/log/apache/error.log
CustomLog /var/log/apache/crazysquirrel.log combined

SSLEngine on
SSLCertificateFile /etc/apache/ssl.crt/www.crazysquirrel.com.crt
SSLCertificateKeyFile /etc/apache/ssl.key/www.crazysquirrel.com.key
SSLLog /var/log/apache/crazysquirrel_ssl.log
SSLLogLevel warn
</VirtualHost>

The other problem you may encounter is not having Apache bind port 443. In your server configuration file (httpd.conf) you need to enter the lines:

Listen 80
Listen 443

If you enter only the second line Apache won’t bind port 80 and your non-ssl websites will stop working.


cat server.key server.crt > server.pem
chmod 0600 server.pem

From : http://gb3.crazysquirrel.com/debian/apache-modssl.php