{"id":2621,"date":"2011-06-30T17:44:04","date_gmt":"2011-06-30T22:44:04","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=2621"},"modified":"2011-06-30T17:44:04","modified_gmt":"2011-06-30T22:44:04","slug":"setup-ssl-support-for-apache-2","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=2621","title":{"rendered":"Setup SSL Support for Apache 2"},"content":{"rendered":"<span id=\"Install_Apache_2\"><h2>Install Apache 2<\/h2><\/span>\n<p>* Make sure you install Apache 2 with SSL support. For an example of installation on the Windows platform, see <a href=\"?p=89\">this post<\/a>.<\/p>\n<span id=\"Enable_mod_ssl\"><h2>Enable mod_ssl<\/h2><\/span>\n<p>* Open the Apache2\/conf\/httpd.conf file<br \/>\n* Uncomment the following line:<\/p>\n<pre>\r\nLoadModule ssl_module modules\/mod_ssl.so\r\n<\/pre>\n<span id=\"Generate_Server_Key_and_Signed_Certificate\"><h2>Generate Server Key and Signed Certificate<\/h2><\/span>\n<p>* See <a href=\"?p=742\">this post<\/a> for an example of how to set up a CA with OpenSSL.<br \/>\n* Generate a server key and a certificate signing request (CSR)<\/p>\n<pre>\r\nC:\\OpenSSL\\exampleca>set OPENSSL_CONF=C:\\OpenSSL\\exampleca\\openssl.conf\r\n\r\nC:\\OpenSSL\\exampleca>openssl req -newkey rsa:1024 -keyout apache_key.pem -keyform PEM -out apache_req.pem -outform PEM\r\nLoading 'screen' into random state - done\r\nGenerating a 1024 bit RSA private key\r\n..............................++++++\r\n...++++++\r\nwriting new private key to 'apache_key.pem'\r\nEnter PEM pass phrase:\r\nVerifying - Enter PEM pass phrase:\r\n-----\r\nYou are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\ncommonName, e.g. 
www.exampleca.com [Example CA]:www.my.com\r\nstateOrProvinceName, e.g. Virginia [Virginia]:\r\ncountryName, e.g. US [US]:\r\nemailAddress, e.g ca@exampleca.com [ca@exampleca.com]:me@my.com\r\norganizationName, e.g. Example CA [Example CA]:My Company\r\n<\/pre>\n<p>* Sign the CSR<\/p>\n<pre>\r\nC:\\OpenSSL\\exampleca>openssl ca -in apache_req.pem\r\nUsing configuration from C:\\OpenSSL\\exampleca\\openssl.conf\r\nLoading 'screen' into random state - done\r\nEnter pass phrase for C:\/OpenSSL\/exampleca\/private\/cakey.pem:\r\nCheck that the request matches the signature\r\nSignature ok\r\nThe Subject's Distinguished Name is as follows\r\ncommonName            :PRINTABLE:'www.my.com'\r\nstateOrProvinceName   :PRINTABLE:'Virginia'\r\ncountryName           :PRINTABLE:'US'\r\nemailAddress          :IA5STRING:'me@my.com'\r\norganizationName      :PRINTABLE:'My Company'\r\nCertificate is to be certified until Jun 26 18:00:25 2012 GMT (365 days)\r\nSign the certificate? [y\/n]:y\r\n\r\n1 out of 1 certificate requests certified, commit? 
[y\/n]y\r\nWrite out database with 1 new entries\r\nCertificate:\r\n    Data:\r\n        Version: 3 (0x2)\r\n        Serial Number: 2 (0x2)\r\n        Signature Algorithm: md5WithRSAEncryption\r\n        Issuer: CN=Example CA, ST=Virginia, C=US\/emailAddress=ca@exampleca.com, O=Example C\r\n        Validity\r\n            Not Before: Jun 27 18:00:25 2011 GMT\r\n            Not After : Jun 26 18:00:25 2012 GMT\r\n        Subject: CN=www.my.com, ST=Virginia, C=US\/emailAddress=me@my.com, O=My Company\r\n        Subject Public Key Info:\r\n            Public Key Algorithm: rsaEncryption\r\n                Public-Key: (1024 bit)\r\n                Modulus:\r\n                    00:a9:0d:38:98:d6:95:33:a0:14:ce:a8:1f:f7:ac:\r\n                    d4:83:44:1c:89:bf:61:2b:08:6d:fe:7f:e3:b1:82:\r\n                    12:80:a2:24:84:e6:21:6f:59:71:ff:49:dd:27:30:\r\n                    ac:d8:9a:5d:56:d9:68:f4:ad:e1:05:00:a5:c9:a4:\r\n                    9e:f1:0f:aa:07:b8:a6:20:87:d5:cd:ad:ba:4a:a9:\r\n                    6e:99:7a:a5:63:85:cd:20:c8:d1:14:64:d1:2b:2d:\r\n                    27:d3:5f:ee:94:27:26:b4:ef:01:28:9b:52:36:11:\r\n                    a7:62:4d:7b:b1:8e:41:14:2f:8e:ee:88:d2:2c:04:\r\n                    6c:87:4d:94:a8:58:ee:a4:6b\r\n                Exponent: 65537 (0x10001)\r\n        X509v3 extensions:\r\n            X509v3 Basic Constraints:\r\n                CA:FALSE\r\n    Signature Algorithm: md5WithRSAEncryption\r\n        a2:f5:29:c1:30:f6:0a:9f:6d:f6:56:ea:12:3c:1d:e5:4a:d5:\r\n        46:7d:dd:4f:c6:ea:5b:70:c5:2d:d2:8b:cd:72:ad:e9:b3:01:\r\n        83:3c:93:a5:4d:95:89:64:f4:7a:56:61:f6:4f:bc:f7:74:1b:\r\n        1b:60:f0:26:43:a3:4e:ad:03:37:91:1b:b5:fe:3f:81:97:0f:\r\n        f5:ba:92:3c:b8:86:41:37:c8:42:53:73:3d:00:40:10:2a:0f:\r\n        be:78:af:53:3a:9a:7b:44:cf:45:80:53:26:3d:2b:dc:a7:40:\r\n        24:2a:f6:bf:52:ba:9a:33:0a:8c:75:bc:22:79:78:c8:66:39:\r\n        c4:3e:02:50:1b:f6:d1:b2:9c:5b:6b:72:3c:ae:97:36:a8:e8:\r\n        
0f:55:7d:35:10:7d:2c:83:ac:f9:6f:4b:a3:b2:56:c2:49:f3:\r\n        d8:76:06:d9:0a:b6:07:ad:98:38:9e:bc:78:5a:36:b7:8f:82:\r\n        6e:ef:6c:08:da:23:a6:20:09:de:35:08:65:47:2b:ce:cb:f7:\r\n        4e:c8:b8:13:07:59:67:ae:1b:b9:e4:e7:aa:3d:b8:be:0d:8b:\r\n        d1:be:ef:23:db:7d:31:92:94:2e:18:50:fd:2f:3a:65:0b:03:\r\n        b7:70:cc:f5:56:0d:bb:c7:e4:a7:12:2a:dc:3c:8f:92:ae:df:\r\n        4f:5f:d2:61\r\n-----BEGIN CERTIFICATE-----\r\nMIIC0zCCAbugAwIBAgIBAjANBgkqhkiG9w0BAQQFADBrMRMwEQYDVQQDEwpFeGFt\r\ncGxlIENBMREwDwYDVQQIEwhWaXJnaW5pYTELMAkGA1UEBhMCVVMxHzAdBgkqhkiG\r\n9w0BCQEWEGNhQGV4YW1wbGVjYS5jb20xEzARBgNVBAoTCkV4YW1wbGUgQ0EwHhcN\r\nMTEwNjI3MTgwMDI1WhcNMTIwNjI2MTgwMDI1WjBkMRMwEQYDVQQDEwp3d3cubXku\r\nY29tMREwDwYDVQQIEwhWaXJnaW5pYTELMAkGA1UEBhMCVVMxGDAWBgkqhkiG9w0B\r\nCQEWCW1lQG15LmNvbTETMBEGA1UEChMKTXkgQ29tcGFueTCBnzANBgkqhkiG9w0B\r\nAQEFAAOBjQAwgYkCgYEAqQ04mNaVM6AUzqgf96zUg0Qcib9hKwht\/n\/jsYISgKIk\r\nhOYhb1lx\/0ndJzCs2JpdVtlo9K3hBQClyaSe8Q+qB7imIIfVza26SqlumXqlY4XN\r\nIMjRFGTRKy0n01\/ulCcmtO8BKJtSNhGnYk17sY5BFC+O7ojSLARsh02UqFjupGsC\r\nAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQQFAAOCAQEAovUpwTD2Cp9t\r\n9lbqEjwd5UrVRn3dT8bqW3DFLdKLzXKt6bMBgzyTpU2ViWT0elZh9k+893QbG2Dw\r\nJkOjTq0DN5Ebtf4\/gZcP9bqSPLiGQTfIQlNzPQBAECoPvnivUzqae0TPRYBTJj0r\r\n3KdAJCr2v1K6mjMKjHW8Inl4yGY5xD4CUBv20bKcW2tyPK6XNqjoD1V9NRB9LIOs\r\n+W9Lo7JWwknz2HYG2Qq2B62YOJ68eFo2t4+Cbu9sCNojpiAJ3jUIZUcrzsv3Tsi4\r\nEwdZZ64bueTnqj24vg2L0b7vI9t9MZKULhhQ\/S86ZQsDt3DM9VYNu8fkpxIq3DyP\r\nkq7fT1\/SYQ==\r\n-----END CERTIFICATE-----\r\nData Base Updated\r\n<\/pre>\n<p>* Rename signed certificate<\/p>\n<pre>\r\nC:\\OpenSSL\\exampleca>cd certs\r\n\r\nC:\\OpenSSL\\exampleca\\certs>dir\r\n Directory of C:\\OpenSSL\\exampleca\\certs\r\n\r\n06\/27\/2011  02:00 PM             3,267 02.pem\r\n\r\nC:\\OpenSSL\\exampleca\\certs>rename 02.pem apache_cert.pem\r\n\r\nC:\\OpenSSL\\exampleca\\certs>dir\r\n Directory of C:\\OpenSSL\\exampleca\\certs\r\n\r\n06\/27\/2011  02:00 PM             3,267 
apache_cert.pem\r\n\r\nC:\\OpenSSL\\exampleca\\certs>cd ..\r\n\r\nC:\\OpenSSL\\exampleca>\r\n<\/pre>\n<p>* Remove the pass phrase from the server key. The resulting apache_key_nopass.pem holds the private key unencrypted, so restrict access to that file.<\/p>\n<pre>\r\nC:\\OpenSSL\\exampleca>openssl rsa -in apache_key.pem -out apache_key_nopass.pem\r\nEnter pass phrase for apache_key.pem:\r\nwriting RSA key\r\n\r\n\r\nC:\\OpenSSL\\exampleca>dir apache_*.pem\r\n Directory of C:\\OpenSSL\\exampleca\r\n\r\n06\/27\/2011  01:58 PM             1,041 apache_key.pem\r\n06\/27\/2011  02:16 PM               887 apache_key_nopass.pem\r\n06\/27\/2011  01:58 PM               647 apache_req.pem\r\n<\/pre>\n<p>* Copy the server key (apache_key_nopass.pem) and certificate file (apache_cert.pem) to the Apache 2 conf directory<\/p>\n<pre>\r\nC:\\OpenSSL\\exampleca>copy apache_key_nopass.pem C:\\prog\\Apache2.2\\conf\r\n        1 file(s) copied.\r\n\r\nC:\\OpenSSL\\exampleca>copy certs\\apache_cert.pem C:\\prog\\Apache2.2\\conf\r\n        1 file(s) copied.\r\n\r\nC:\\OpenSSL\\exampleca>dir C:\\prog\\Apache2.2\\conf\\apache_*.pem\r\n Directory of C:\\prog\\Apache2.2\\conf\r\n\r\n06\/27\/2011  02:00 PM             3,267 apache_cert.pem\r\n06\/27\/2011  02:16 PM               887 apache_key_nopass.pem\r\n<\/pre>\n<span id=\"Setup_a_virutal_host_to_accept_HTTPS_request\"><h2>Set up a virtual host to accept HTTPS requests<\/h2><\/span>\n<p>* Create a new directory named vhosts within the conf directory. 
The advantage of creating a separate vhosts directory is that all files within that directory can be included in httpd.conf by a single Include directive:<\/p>\n<pre>\r\nInclude conf\/vhosts\/*.conf\r\n<\/pre>\n<p>* Create a new text file named ssl.conf in the newly created vhosts directory with the following content:<\/p>\n<pre lang=\"xml\">\r\nListen 443\r\n<VirtualHost _default_:443>\r\n  SSLEngine on\r\n  SSLCertificateFile conf\/apache_cert.pem\r\n  SSLCertificateKeyFile conf\/apache_key_nopass.pem\r\n<\/VirtualHost>\r\n<\/pre>\n<p>* Include the newly created ssl.conf in the main httpd.conf file by appending the following line to the httpd.conf file:<\/p>\n<pre>\r\nInclude conf\/vhosts\/ssl.conf\r\n<\/pre>\n<p>* Restart Apache 2<\/p>\n<span id=\"Test_HTTPS_Connection\"><h2>Test HTTPS Connection<\/h2><\/span>\n<span id=\"Import_CA_certificate_into_Firefox_browser\"><h3>Import CA certificate into Firefox browser<\/h3><\/span>\n<p>* Start Firefox<br \/>\n* Go to Tools -> Options -> Advanced -> Encryption -> View Certificates -> Authorities -> Import<br \/>\n* Browse to C:\\OpenSSL\\exampleca\\cacert.pem and click Open in the Select File dialog<br \/>\n* Check Trust this CA to identify web sites and click OK in the Downloading Certificate dialog<br \/>\n* Click OK in the Certificate Manager<br \/>\n* Click OK in the Options dialog<\/p>\n<span id=\"Test_HTTPS\"><h3>Test HTTPS<\/h3><\/span>\n<p>* Point the browser to https:\/\/www.my.com<br \/>\n* You should see the following message<\/p>\n<pre>\r\nIt works!\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Install Apache 2 * Make sure you install Apache 2 with SSL support. For an example of installation on Windows platform, see this post. 
Enable mod_ssl * Open Apache2\/conf\/httpd.conf file * Uncomment the following line: LoadModule ssl_module modules\/mod_ssl.so Generate Server &hellip; <a href=\"https:\/\/jianmingli.com\/wp\/?p=2621\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[21,55],"tags":[],"class_list":["post-2621","post","type-post","status-publish","format-standard","hentry","category-apache","category-ssl"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-Gh","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/2621","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2621"}],"version-history":[{"count":8,"href":"https:\/\/jianmingli
.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/2621\/revisions"}],"predecessor-version":[{"id":2675,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/2621\/revisions\/2675"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2621"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2621"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2621"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}