Date: Wed, 20 Nov 2002 16:54:28 +0200
From: "Toomas Aas" <toomas.aas@raad.tartu.ee>
To: rsclark@kingwoodcable.net, questions@freebsd.org
Subject: Re: FreeBSD 4.x and Apache+mod_ssl
Message-ID: <200211201455.gAKEtsO29534@lv.raad.tartu.ee>
In-Reply-To: <20021120141514.728543500E3@ms1kw.tx.shawcable.net>
Hi!

> Thanks for the help, but I am either too sleepy or too slow to make
> this work right.

You're lucky. I just enabled mod_ssl on one of my Apache servers yesterday, and being fed up with crawling around the documentation each time I needed to do this, I decided to make notes this time. I hope they'll help you.

1. Create your own CA (if unwilling to pay Verisign):

Generate private key:

    openssl genrsa -des3 -out ca.key 1024

Generate the x.509 certificate:

    openssl req -new -x509 -days 365 -key ca.key -out ca.crt

I chose to put the CA files in /usr/local/ca, but this is purely a matter of taste. When creating the certificate, make sure that CN (Common name) does *not* match the name of any of the web servers you want to certify. It will cause grief later down the road.

2. Create server's private key and Certificate Signing Request.

    openssl genrsa -out server.key 1024
    openssl req -new -key server.key -out server.csr

Apache+mod_ssl seems to place these files in /usr/local/etc/apache/ssl.key, so I decided to keep mine in the same place. When creating the CSR, make sure that CN matches the name of the web server you're certifying (for example, www.kingwoodcable.net).

Note that the private key (server.key) is created unencrypted and with no password, so you must take adequate measures to protect it (such as chown root and chmod 0400). You can choose to create an encrypted private key by adding -des3 to the command line, but then you need to enter the passphrase each time Apache is started, so unattended restarts of the server become impossible. There are workarounds to this, but TTBOMK they involve storing the password in some file on the server in plain text, and so they are not much more secure than using the unencrypted key file.

3. Using the CA created in step 1, sign the CSR

    sign.sh /usr/local/etc/apache/ssl.key/server.csr

This creates the server.crt file, which I placed in /usr/local/etc/apache/ssl.crt. The file sign.sh can be obtained from the mod_ssl source package. In my case, I put it in the same directory with my CA files (/usr/local/ca) and it Just Worked(tm).

4. Configure your Apache to use the generated server.crt and server.key.

This is beyond the scope of this e-mail and is left as an exercise to the reader :-)

-- 
Toomas Aas | toomas.aas@raad.tartu.ee | http://www.raad.tartu.ee/~toomas/
* Cannibal's recipe book: How to Serve Your Fellow Man.
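Steps 1 to 3 of the post as one non-interactive script, added here as an example and not part of the original message or of mod_ssl's sign.sh. It replaces sign.sh with a plain `openssl x509 -req` call, enforces the post's warning that the CA CN must differ from the server name, sets the 0400 mode on the unencrypted server key, and verifies the result. Directory paths, the CA name, the passphrase and the subjectAltName extension are assumptions for illustration.

```shell
#!/bin/sh
# Constructed example (not the post's commands verbatim): CA key is passphrase
# protected like the post's ca.key; the server key is unencrypted so Apache can
# restart unattended, hence the chmod 0400. Key size raised to 2048 bits.
set -eu

# make_site_cert DIR CA_CN SERVER_CN CA_PASS
# Writes ca.key/ca.crt, server.key/server.csr and CA-signed server.crt into DIR.
make_site_cert() {
    dir=$1; ca_cn=$2; srv_cn=$3; ca_pass=$4
    # The post's warning: the CA's CN must not equal any server name it certifies.
    [ "$ca_cn" != "$srv_cn" ] || { echo "CA CN must not equal server CN" >&2; return 1; }
    mkdir -p "$dir"
    # Step 1: encrypted CA private key and self-signed CA certificate.
    openssl genrsa -aes256 -passout "pass:$ca_pass" -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -passin "pass:$ca_pass" \
        -subj "/CN=$ca_cn" -out "$dir/ca.crt"
    # Step 2: unencrypted server key (locked down on disk) and a CSR whose CN is
    # the server's host name.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 0400 "$dir/server.key"
    openssl req -new -key "$dir/server.key" -subj "/CN=$srv_cn" -out "$dir/server.csr"
    # Step 3: sign the CSR with the CA (what sign.sh does). A subjectAltName is
    # added because current clients match the host name against SAN, not CN.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$srv_cn" > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -passin "pass:$ca_pass" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# check_site_cert DIR SERVER_CN: returns 0 only if the chain verifies against
# ca.crt, the CN and SAN name the server, and server.key is mode 0400.
check_site_cert() {
    dir=$1; srv_cn=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null || return 1
    openssl x509 -noout -subject -in "$dir/server.crt" | grep -q "CN *= *$srv_cn" || return 1
    openssl x509 -noout -text -in "$dir/server.crt" | grep -q "DNS:$srv_cn" || return 1
    [ "$(ls -ld "$dir/server.key" | cut -c1-10)" = "-r--------" ]
}

# Demo with assumed paths and names; run with MKCERT_DEMO=1 to execute it.
if [ "${MKCERT_DEMO:-0}" = 1 ]; then
    make_site_cert /tmp/demo-ca "Example CA" www.kingwoodcable.net changeme
    check_site_cert /tmp/demo-ca www.kingwoodcable.net && echo "chain OK"
fi
```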