Apache 2 SSL

Prepare Server Key

* See this post for details on how to set up a Certificate Authority (CA) using OpenSSL.
* Sample session
– commands

# Generate a new server key and cert signing request (CSR) in PEM format
openssl req -newkey rsa:1024 -keyout apachekey.pem -keyform PEM -out apachecsr.pem -outform PEM
 
# View CSR content
openssl req -in apachecsr.pem -text -noout
 
# Sign CSR
openssl ca -in apachecsr.pem
 
# Remove passphrase
openssl rsa -in apachekey.pem -out apachekey_nopass.pem

– outputs

C:\OpenSSL\exampleca>openssl req -newkey rsa:1024 -keyout apachekey.pem -keyform PEM -out apachecsr.pem -outform PEM
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.............................++++++
....++++++
writing new private key to 'apachekey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Example CA []:sp.example.org
Virginia []:Virginia
US []:US
ca@exampleca.com []:
Root Certification Authority []:example.orgproblems making Certificate Request
^C
C:\OpenSSL\exampleca>openssl req -newkey rsa:1024 -keyout apachekey.pem -keyform PEM -out apachecsr.pem -outform PEM
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.................................................................................++++++
........++++++
writing new private key to 'apachekey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Example CA []:sp.example.org
Virginia []:Virginia
US []:US
ca@exampleca.com []:ca@example.org
Root Certification Authority []:example.org
 
C:\OpenSSL\exampleca>openssl req -in apachecsr.pem -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=sp.example.org, ST=Virginia, C=US/emailAddress=ca@example.org, O=example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c6:ce:2d:13:c8:f7:31:05:14:ad:34:ec:24:4c:
                    c7:19:9f:07:00:d1:a0:35:b9:89:a5:7e:83:67:2f:
                    dc:25:ac:67:ee:4c:5e:85:16:42:55:9a:cc:84:ef:
                    55:8e:3b:10:a4:46:64:8d:5d:e7:ff:27:c9:52:fa:
                    2e:fc:42:3e:b1:f8:26:5e:59:34:5a:bb:8d:2a:47:
                    7b:c0:6b:ec:02:8b:7e:82:aa:a8:03:d0:ac:15:56:
                    4c:6c:89:d0:b0:d9:b0:6e:39:94:ac:7c:ab:35:73:
                    3c:81:60:55:2c:49:4e:43:a6:33:af:83:8e:a1:0f:
                    a5:47:47:3b:31:08:14:12:b5
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: md5WithRSAEncryption
        77:bb:2f:b2:be:01:dd:cc:5b:c9:78:fb:f1:12:69:69:40:99:
        3d:91:91:a0:f2:23:35:3e:67:c0:1c:5e:c1:63:25:f0:25:85:
        8d:9c:47:39:d7:80:56:14:b8:9d:79:73:46:26:19:44:49:a2:
        4c:c9:50:75:95:4b:dc:bc:8a:2c:66:f0:3f:a4:22:26:32:11:
        63:2d:ec:9a:f4:97:fb:c2:c6:43:97:10:07:ed:1e:39:d0:22:
        45:33:c3:1a:9b:b1:6c:d9:26:46:6d:f6:55:b1:b1:6a:54:27:
        01:73:b4:d8:c2:e0:43:90:6e:ea:80:34:48:0e:85:4d:a2:ca:
        ee:97
 
C:\OpenSSL\exampleca>openssl ca -in apachecsr.pem
Using configuration from C:\OpenSSL\exampleca\openssl.conf
Loading 'screen' into random state - done
Enter pass phrase for C:/OpenSSL/exampleca/private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'sp.example.org'
stateOrProvinceName   :PRINTABLE:'Virginia'
countryName           :PRINTABLE:'US'
emailAddress          :IA5STRING:'ca@example.org'
organizationName      :PRINTABLE:'example.org'
Certificate is to be certified until May 15 15:04:00 2012 GMT (365 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=Example CA, ST=Virginia, C=US/emailAddress=ca@exampleca.com, O=Root Certification Authority
        Validity
            Not Before: May 16 15:04:00 2011 GMT
            Not After : May 15 15:04:00 2012 GMT
        Subject: CN=sp.example.org, ST=Virginia, C=US/emailAddress=ca@example.org, O=example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c6:ce:2d:13:c8:f7:31:05:14:ad:34:ec:24:4c:
                    c7:19:9f:07:00:d1:a0:35:b9:89:a5:7e:83:67:2f:
                    dc:25:ac:67:ee:4c:5e:85:16:42:55:9a:cc:84:ef:
                    55:8e:3b:10:a4:46:64:8d:5d:e7:ff:27:c9:52:fa:
                    2e:fc:42:3e:b1:f8:26:5e:59:34:5a:bb:8d:2a:47:
                    7b:c0:6b:ec:02:8b:7e:82:aa:a8:03:d0:ac:15:56:
                    4c:6c:89:d0:b0:d9:b0:6e:39:94:ac:7c:ab:35:73:
                    3c:81:60:55:2c:49:4e:43:a6:33:af:83:8e:a1:0f:
                    a5:47:47:3b:31:08:14:12:b5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: md5WithRSAEncryption
        97:13:b4:17:f1:d6:e5:29:8e:70:60:f8:b2:93:97:7e:ad:f6:
        47:f4:16:07:d8:0c:48:62:55:d3:91:f9:ac:61:83:ec:c9:04:
        a9:a1:56:09:5d:77:1a:e0:dc:1e:c1:d6:23:4c:84:e6:ac:2f:
        53:99:7c:dc:c8:9f:22:8b:89:fb:ec:ed:6a:67:20:b2:8d:2d:
        63:c1:bd:88:23:28:84:22:16:95:8a:78:a4:47:52:ac:34:0f:
        0f:51:68:2d:4e:7a:fa:ab:52:31:ac:df:c0:fd:c6:c0:2f:cf:
        9a:e3:5d:92:4c:7c:a2:14:28:aa:b5:b0:cb:7f:e1:4a:30:ad:
        1a:2e:56:c9:eb:1e:b9:fb:be:39:16:4f:14:46:77:24:fe:74:
        89:b2:b8:bc:38:71:e3:da:90:64:26:4f:49:fe:87:10:45:f8:
        cb:e9:91:c5:6b:9d:ff:50:05:d7:d6:81:3c:6b:f1:07:e6:3c:
        02:13:7e:81:0f:22:04:b6:d0:58:02:70:d0:44:c3:f0:f1:c9:
        27:ce:0f:4c:c8:ec:f3:b4:02:a0:55:17:a3:33:64:2b:ba:56:
        b7:da:23:6e:73:ab:fd:d5:9f:6e:68:e5:cd:da:fb:76:e7:6c:
        59:ef:87:c4:89:b1:9e:ab:c5:31:25:70:b1:b8:1d:d0:3b:ec:
        90:e5:59:c0
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
Data Base Updated
 
C:\OpenSSL\exampleca>openssl rsa -in apachekey.pem -out apachekey_nopass.pem
Enter pass phrase for apachekey.pem:
writing RSA key

– files generated

# server key with pass phrase
C:\OpenSSL\exampleca\apachekey.pem

# server key without pass phrase
C:\OpenSSL\exampleca\apachekey_nopass.pem

# signing request
C:\OpenSSL\exampleca\apachecsr.pem

# pub cert
C:\OpenSSL\exampleca\certs\02.pem
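Before copying the signed certificate into Apache it is worth checking, from the same `-text` dumps shown above, that the certificate really carries the CSR's public key, that its CN matches the ServerName you intend to use, and what key size and signature hash the CA produced. The following is an added example written for this page, not code from the original post or from OpenSSL; the two dumps are constructed samples laid out as `openssl req -text -noout` and `openssl ca` print them (modulus and signature shortened), and the 2048-bit minimum and the md5/sha1 weak-hash list are this example's policy assumptions.

```python
import re

# Constructed sample input, not the page's captured session: the two dumps are laid
# out as `openssl req -text -noout` and `openssl ca` print them, with the modulus and
# signature bytes cut down to a few lines.
SAMPLE_CSR_TEXT = """\
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=sp.example.org, ST=Virginia, C=US/emailAddress=ca@example.org, O=example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c6:ce:2d:13:c8:f7:31:05:14:ad:34:ec:24:4c:
                    c7:19:9f:07:00:d1:a0:35:b9:89:a5:7e:83:67:2f:
                    a5:47:47:3b:31:08:14:12:b5
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: md5WithRSAEncryption
        77:bb:2f:b2:be:01:dd:cc:5b:c9:78:fb:f1:12:69:69:40:99:
"""

SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=Example CA, ST=Virginia, C=US/emailAddress=ca@exampleca.com, O=Root Certification Authority
        Validity
            Not Before: May 16 15:04:00 2011 GMT
            Not After : May 15 15:04:00 2012 GMT
        Subject: CN=sp.example.org, ST=Virginia, C=US/emailAddress=ca@example.org, O=example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c6:ce:2d:13:c8:f7:31:05:14:ad:34:ec:24:4c:
                    c7:19:9f:07:00:d1:a0:35:b9:89:a5:7e:83:67:2f:
                    a5:47:47:3b:31:08:14:12:b5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: md5WithRSAEncryption
        97:13:b4:17:f1:d6:e5:29:8e:70:60:f8:b2:93:97:7e:ad:f6:
"""

MIN_RSA_BITS = 2048                  # policy threshold, an assumption of this example
WEAK_SIG_PREFIXES = ("md5", "sha1")  # signature hashes no longer accepted by browsers


def parse_openssl_text(dump):
    """Pull the fields the checks need out of an `openssl ... -text` dump."""
    info = {"subject": None, "bits": None, "modulus": "", "sig_alg": None, "ca": None}
    m = re.search(r"^\s*Subject: (.+)$", dump, re.M)
    if m:
        info["subject"] = m.group(1).strip()
    m = re.search(r"Public-Key: \((\d+) bit\)", dump)
    if m:
        info["bits"] = int(m.group(1))
    m = re.search(r"Signature Algorithm: (\S+)", dump)  # first occurrence is enough
    if m:
        info["sig_alg"] = m.group(1)
    m = re.search(r"CA:(TRUE|FALSE)", dump)
    if m:
        info["ca"] = m.group(1) == "TRUE"
    # The modulus is the colon-separated hex between "Modulus:" and "Exponent:".
    m = re.search(r"Modulus:\n(.*?)\n\s*Exponent:", dump, re.S)
    if m:
        info["modulus"] = re.sub(r"[^0-9a-f]", "", m.group(1).lower())
    return info


def check_issued_cert(csr_dump, cert_dump, expected_cn):
    """Return a list of findings for a CSR/certificate pair; empty means all checks passed."""
    csr, cert = parse_openssl_text(csr_dump), parse_openssl_text(cert_dump)
    findings = []
    if not cert["modulus"] or csr["modulus"] != cert["modulus"]:
        findings.append("public key in certificate does not match the CSR (wrong key or cert file?)")
    cn = re.search(r"CN=([^,/]+)", cert["subject"] or "")
    if not cn or cn.group(1).strip() != expected_cn:
        findings.append(f"certificate CN is not {expected_cn}; browsers will reject the ServerName")
    if cert["bits"] is not None and cert["bits"] < MIN_RSA_BITS:
        findings.append(f"RSA key is only {cert['bits']} bits; {MIN_RSA_BITS} is the usual minimum")
    if cert["sig_alg"] and cert["sig_alg"].lower().startswith(WEAK_SIG_PREFIXES):
        findings.append(f"certificate is signed with {cert['sig_alg']}; re-sign with sha256WithRSAEncryption")
    if cert["ca"] is True:
        findings.append("server certificate has CA:TRUE and could itself issue certificates")
    return findings


if __name__ == "__main__":
    for finding in check_issued_cert(SAMPLE_CSR_TEXT, SAMPLE_CERT_TEXT, "sp.example.org"):
        print("WARN:", finding)
```

Run against dumps of the page's own CSR and certificate the key and CN checks pass, and the two findings that remain are the 1024-bit key and the md5WithRSAEncryption signature; both are fixed by regenerating with `-newkey rsa:2048` and setting `default_md = sha256` in the CA's openssl.conf before signing. The modulus comparison is the same check as diffing the output of `openssl rsa -modulus` and `openssl x509 -modulus`, done here on the text dumps so it runs without OpenSSL installed.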

Setup Apache 2 SSL

httpd.conf

LoadModule ssl_module modules/mod_ssl.so
 
# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
#
# Note: The following must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin
</IfModule>
 
Listen 443 
<VirtualHost _default_:443>
  ServerName sp.example.org
  SSLEngine on
  SSLCertificateFile C:/OpenSSL/exampleca/certs/02.pem
  SSLCertificateKeyFile C:/OpenSSL/exampleca/apachekey_nopass.pem
</VirtualHost>

[error] Init: SSLPassPhraseDialog builtin is not supported on Win32

Cause

* The server private key is protected by a passphrase.

Resolution

* Remove the passphrase from the server private key:

openssl rsa -in server_key_with_passphrase.pem -out server_key_without_passphrase.pem

* Comment out the SSLPassPhraseDialog directive if it is present in httpd.conf.
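Both causes of that startup error can be caught before Apache is restarted: a passphrase-protected key shows up in the PEM file itself (a `Proc-Type: 4,ENCRYPTED` header on traditional OpenSSL keys, or an `ENCRYPTED PRIVATE KEY` label on PKCS#8 keys), and an active SSLPassPhraseDialog line is visible in httpd.conf. The preflight check below is an added example for this page, not code from the original post or from Apache; the httpd.conf text and the PEM files are constructed stand-ins for files on disk, with placeholder bodies rather than real key material.

```python
import re

# Constructed inputs standing in for files on disk; none of this is the page's own
# configuration or key material. The PEM bodies are placeholders, not real keys.
SAMPLE_HTTPD_CONF = """\
LoadModule ssl_module modules/mod_ssl.so
#SSLPassPhraseDialog builtin
Listen 443
<VirtualHost _default_:443>
  ServerName sp.example.org
  SSLEngine on
  SSLCertificateFile C:/OpenSSL/exampleca/certs/02.pem
  SSLCertificateKeyFile C:/OpenSSL/exampleca/apachekey.pem
</VirtualHost>
"""

# A traditional OpenSSL PEM key with a passphrase carries Proc-Type/DEK-Info headers;
# an encrypted PKCS#8 key uses the ENCRYPTED PRIVATE KEY label instead.
ENCRYPTED_KEY_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

PLACEHOLDERBASE64BODY==
-----END RSA PRIVATE KEY-----
"""
PLAIN_KEY_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERBASE64BODY==
-----END RSA PRIVATE KEY-----
"""
SAMPLE_KEY_FILES = {
    "C:/OpenSSL/exampleca/apachekey.pem": ENCRYPTED_KEY_PEM,
    "C:/OpenSSL/exampleca/apachekey_nopass.pem": PLAIN_KEY_PEM,
}


def key_is_encrypted(pem_text):
    """True if the PEM key would make mod_ssl ask for a passphrase at startup."""
    if "ENCRYPTED PRIVATE KEY" in pem_text:
        return True
    return re.search(r"^Proc-Type: 4,ENCRYPTED", pem_text, re.M) is not None


def active_directives(conf_text):
    """Yield (name, argument) for every directive line that is not a comment or a tag."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, _, arg = line.partition(" ")
        yield name.lower(), arg.strip().strip('"')


def ssl_preflight(conf_text, key_files):
    """Return findings that would stop mod_ssl on Win32; key_files maps path -> PEM text."""
    findings = []
    for name, arg in active_directives(conf_text):
        if name == "sslpassphrasedialog":
            findings.append(f"active 'SSLPassPhraseDialog {arg}': mod_ssl cannot prompt on Win32, comment it out")
        elif name == "sslcertificatekeyfile":
            pem = key_files.get(arg)
            if pem is None:
                findings.append(f"{arg}: key file not found")
            elif key_is_encrypted(pem):
                findings.append(f"{arg}: key is passphrase-protected; strip it with 'openssl rsa -in {arg} -out <nopass>.pem'")
    return findings


if __name__ == "__main__":
    for finding in ssl_preflight(SAMPLE_HTTPD_CONF, SAMPLE_KEY_FILES):
        print("WARN:", finding)
```

With the sample configuration the only finding is the encrypted apachekey.pem; pointing SSLCertificateKeyFile at apachekey_nopass.pem clears it. Because the unencrypted key is now the only thing protecting the site's private key, it should be readable only by the account Apache runs as.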

References

* http://slacksite.com/apache/certificate.php
