From: "Toomas Aas" <toomas.aas@raad.tartu.ee>
Organization: Tartu City Government
To: rsclark@kingwoodcable.net, questions@freebsd.org
Date: Wed, 20 Nov 2002 16:54:28 +0200
Subject: Re: FreeBSD 4.x and Apache+mod_ssl
Message-Id: <200211201455.gAKEtsO29534@lv.raad.tartu.ee>
In-reply-to: <20021120141514.728543500E3@ms1kw.tx.shawcable.net>

Hi!

> Thanks for the help, but I am either too sleepy or too slow to make
> this work right.

You're lucky. I just enabled mod_ssl on one of my Apache servers yesterday, and being fed up with crawling around the documentation each time I needed to do this, I decided to make notes this time. I hope they'll help you.

1. Create your own CA (if unwilling to pay Verisign):

   Generate the private key:

       openssl genrsa -des3 -out ca.key 1024

   Generate the X.509 certificate:

       openssl req -new -x509 -days 365 -key ca.key -out ca.crt

   I chose to put the CA files in /usr/local/ca, but this is purely a matter of taste.

   When creating the certificate, make sure that CN (Common Name) does *not* match the name of any of the web servers you want to certify. It will cause grief later down the road.

2. Create the server's private key and Certificate Signing Request:

       openssl genrsa -out server.key 1024
       openssl req -new -key server.key -out server.csr

   Apache+mod_ssl seems to place these files in /usr/local/etc/apache/ssl.key, so I decided to keep mine in the same place. When creating the CSR, make sure that CN matches the name of the web server you're certifying (for example, www.kingwoodcable.net).

   Note that the private key (server.key) is created unencrypted and with no password, so you must take adequate measures to protect it (such as chown root and chmod 0400). You can choose to create an encrypted private key by adding -des3 to the command line, but then you need to enter the passphrase each time Apache is started, so unattended restarts of the server become impossible. There are workarounds to this, but TTBOMK they involve storing the password in some file on the server in plain text, and so they are not much more secure than using the unencrypted key file.

3. Using the CA created in step 1, sign the CSR:

       sign.sh /usr/local/etc/apache/ssl.key/server.csr

   This creates the server.crt file, which I placed in /usr/local/etc/apache/ssl.crt. The file sign.sh can be obtained from the mod_ssl source package. In my case, I put it in the same directory with my CA files (/usr/local/ca) and it Just Worked(tm).

4. Configure your Apache to use the generated server.crt and server.key. This is beyond the scope of this e-mail and is left as an exercise to the reader :-)

--
Toomas Aas | toomas.aas@raad.tartu.ee | http://www.raad.tartu.ee/~toomas/
* Cannibal's recipe book: How to Serve Your Fellow Man.
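The three steps above (private CA, server key and CSR, signing), as an added example that is not part of the original message and not mod_ssl's sign.sh. It runs non-interactively with -subj and -passout/-passin, uses 2048-bit keys instead of the 1024-bit keys shown in the mail, replaces sign.sh with openssl x509 -req, and ends with the check a practitioner wants after step 3: that the CA verifies the server certificate and that the server CN ended up where it should. The directory, CA name, server name and passphrase are constructed placeholders; substitute your own.

```shell
#!/bin/sh
# Added example: private CA, server CSR, CA-signed server cert, verification.
# WORKDIR, CA_PASS and SERVER_CN are constructed defaults, not real values.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-constructed-example-passphrase}"   # constructed; replace
SERVER_CN="${SERVER_CN:-www.example.com}"                # constructed; replace
CA_CN="Example Private CA"   # deliberately NOT a server name (see step 1 note)

# Step 1: encrypted CA key plus self-signed CA certificate.
make_ca() {
    rm -f "$WORKDIR/ca.key" "$WORKDIR/ca.crt"
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORKDIR/ca.key" 2048 2>/dev/null
    chmod 0400 "$WORKDIR/ca.key"
    openssl req -new -x509 -days 365 -key "$WORKDIR/ca.key" -passin "pass:$CA_PASS" \
        -subj "/CN=$CA_CN" -out "$WORKDIR/ca.crt"
}

# Step 2: unencrypted server key (so Apache can restart unattended),
# locked down with chmod, and a CSR whose CN is the server's host name.
make_server_csr() {
    rm -f "$WORKDIR/server.key" "$WORKDIR/server.csr"
    openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
    chmod 0400 "$WORKDIR/server.key"
    openssl req -new -key "$WORKDIR/server.key" -subj "/CN=$SERVER_CN" \
        -out "$WORKDIR/server.csr"
}

# Step 3: sign the CSR with the CA (stand-in for mod_ssl's sign.sh).
sign_csr() {
    rm -f "$WORKDIR/server.crt"
    openssl x509 -req -days 365 -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -passin "pass:$CA_PASS" \
        -CAcreateserial -out "$WORKDIR/server.crt" 2>/dev/null
}

# Check: the CA must verify the server cert, the server cert's subject must
# carry the server CN, and issuer must differ from subject (a CA whose CN
# equals the server name makes the signed cert look self-signed).
verify_chain() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server.crt" >/dev/null || return 1
    subj=$(openssl x509 -in "$WORKDIR/server.crt" -noout -subject)
    iss=$(openssl x509 -in "$WORKDIR/server.crt" -noout -issuer)
    echo "$subj" | grep -q "CN *= *$SERVER_CN" || return 1
    [ "${subj#subject}" != "${iss#issuer}" ] || return 1
    return 0
}

# Stand-alone run: produce ca.crt, server.key, server.csr, server.crt in WORKDIR.
make_ca
make_server_csr
sign_csr
verify_chain && echo "chain OK in $WORKDIR"
```

Point Apache's SSLCertificateFile at server.crt and SSLCertificateKeyFile at server.key afterwards (step 4 of the mail); the CA passphrase is only ever needed here at signing time, not by Apache, which is why the server key can stay unencrypted but must be root-owned and mode 0400.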