Date:      Wed, 20 Nov 2002 16:54:28 +0200
From:      "Toomas Aas" <toomas.aas@raad.tartu.ee>
To:        rsclark@kingwoodcable.net, questions@freebsd.org
Subject:   Re: FreeBSD 4.x and Apache+mod_ssl
Message-ID:  <200211201455.gAKEtsO29534@lv.raad.tartu.ee>
In-Reply-To: <20021120141514.728543500E3@ms1kw.tx.shawcable.net>

Hi!

> Thanks for the help, but I am either too sleepy or too slow to make 
> this work right. 

You're lucky. I just enabled mod_ssl on one of my Apache servers 
yesterday, and being fed up with crawling around the documentation each 
time I needed to do this, I decided to make notes this time. I hope 
they'll help you.

1. Create your own CA (if unwilling to pay Verisign):

Generate private key:
openssl genrsa -des3 -out ca.key 1024 

Generate the x.509 certificate:
openssl req -new -x509 -days 365 -key ca.key -out ca.crt 

I chose to put the CA files in /usr/local/ca, but this is purely a matter 
of taste.

When creating the certificate, make sure that CN (Common name) does 
*not* match the name of any of the web servers you want to certify. It 
will cause grief later down the road.

2. Create server's private key and Certificate Signing Request.

openssl genrsa -out server.key 1024 
openssl req -new -key server.key -out server.csr

Apache+mod_ssl seems to place these files in 
/usr/local/etc/apache/ssl.key, so I decided to keep mine in the same 
place.

When creating the CSR, make sure that CN matches the name of the web 
server you're certifying (for example, www.kingwoodcable.net).

Note that the private key (server.key) is created unencrypted and with 
no password, so you must take adequate measures to protect it (such as 
chown root and chmod 0400). You can choose to create an encrypted private 
key by adding -des3 to the command line, but then you need to enter the 
passphrase each time Apache is started, so unattended restarts of the 
server become impossible. There are workarounds to this, but 
TTBOMK they involve storing the password in some file on the server in 
plain text, and so they are not much more secure than using the 
unencrypted key file.

3. Using CA created in step 1, sign the CSR

sign.sh /usr/local/etc/apache/ssl.key/server.csr

This creates the server.crt file, which I placed in 
/usr/local/etc/apache/ssl.crt. The file sign.sh can be obtained from 
mod_ssl source package. In my case, I put it in the same directory with 
my CA files (/usr/local/ca) and it Just Worked(tm).

4. Configure your Apache to use the generated server.crt and 
server.key. This is beyond the scope of this e-mail and is left as an 
exercise to the reader :-)

--
Toomas Aas | toomas.aas@raad.tartu.ee | http://www.raad.tartu.ee/~toomas/
* Cannibal's recipe book: How to Serve Your Fellow Man.
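Steps 1 to 3 of the notes above, scripted non-interactively as an added example (written for this archive page, not taken from the mail or from mod_ssl). It departs from the mail in a few labelled ways: 2048-bit keys instead of 1024, the CA passphrase taken from a CA_PASS variable with a constructed default, and "openssl x509 -req" standing in for mod_ssl's sign.sh; it also adds the checks a practitioner would want before touching httpd.conf, namely that server.crt verifies against ca.crt and carries the expected CN, and a refusal when the CA's CN equals the server's CN (the "grief later down the road"). Hostnames and CA names are constructed.

```shell
#!/bin/sh
# Added example, not the original poster's code. Assumes the openssl CLI.
# Deviations from the mail: 2048-bit keys, AES-256 CA key passphrase from
# CA_PASS (constructed default), "openssl x509 -req" instead of sign.sh.
set -eu

: "${CA_PASS:=constructed-demo-passphrase}"   # constructed; override for real use

# make_ca_and_sign DIR CA_CN SERVER_CN
# Creates ca.key/ca.crt, server.key/server.csr and a CA-signed server.crt
# in DIR. Refuses (returns 1) when CA CN equals server CN, since issuer and
# subject would then be identical, the misconfiguration the mail warns about.
make_ca_and_sign() {
    dir=$1; ca_cn=$2; srv_cn=$3
    if [ "$ca_cn" = "$srv_cn" ]; then
        echo "refusing: CA CN and server CN must differ" >&2
        return 1
    fi
    mkdir -p "$dir"
    # Step 1: passphrase-protected CA key and its self-signed X.509 certificate
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -passin "pass:$CA_PASS" \
        -subj "/CN=$ca_cn" -out "$dir/ca.crt"
    # Step 2: unencrypted server key (unattended restarts) plus CSR
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 0400 "$dir/server.key"           # the protection measure the mail recommends
    openssl req -new -key "$dir/server.key" -subj "/CN=$srv_cn" -out "$dir/server.csr"
    # Step 3: sign the CSR with the CA (replaces mod_ssl's sign.sh)
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -passin "pass:$CA_PASS" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null
}

# verify_chain DIR EXPECTED_CN
# Checks that server.crt chains to ca.crt and that its subject CN is the
# host you meant to certify; both subject print styles of openssl are handled.
verify_chain() {
    dir=$1; expect_cn=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null || return 1
    subj=$(openssl x509 -noout -subject -in "$dir/server.crt")
    case "$subj" in *"CN=$expect_cn"*|*"CN = $expect_cn"*) return 0 ;; esac
    return 1
}

# Usage: sh thisfile.sh /usr/local/ca "Demo Root CA" www.example.test
if [ $# -eq 3 ]; then
    make_ca_and_sign "$@" && verify_chain "$1" "$3" && echo "server.crt verified"
fi
```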

