Apache2/SSL Certificates

Introduction
SSL - Secure Sockets Layer

The Hypertext Transfer Protocol (HTTP) transfers everything in the clear. This means that anyone on the path can see the contents of the data being sent between the server and client and vice versa. This is not necessarily a bad thing, as most content being sent back and forth is meant for public viewing anyway. There are, however, some things you want to remain secret, such as credit card numbers and passwords. This is where SSL comes into play.

Before any user data is transmitted to the server, the browser tells the server which encryption schemes it is capable of handling, and the server responds with a certificate. The certificate carries the server's public key, and the client uses it to protect the data it sends and to check the data it receives. The server also holds a private key, which it uses for the matching encrypt and decrypt operations on its side. No one sees the private key except the server itself.

A Secure Sockets Layer - SSL Certificate incorporates a digital signature to bind together a public key with an identity. SSL Certificates enable encryption of sensitive information during online transactions, and in the case of organizationally validated Certificates, also serve as an attestation of the Certificate owner’s identity.

Obtaining Your Own Certificate
There are several organizations that offer varying levels of security and browser acceptance for your certificate, with a matching range of fees. Currently, there are only two root Certificate Authorities (CAs) that offer a free service: CAcert.org and StartCom. They are not, however, accepted by every browser. Most notably they lack support for Internet Explorer, which is still the most widely used browser.

For Testing
Different parameters can be used to generate your server key. Any of the following commands will give you the server key:

This command displays the details of your private key:

And this command will generate your server certificate using the :

Once this has been done, you may skip down to Configuring Apache.

Generating a CSR
Generating a Certificate Signing Request (CSR) is the first step that needs to be performed before you will be able to get a certificate. OpenSSL is required to perform this step and uses the private key generated in the Testing section above. These are examples of valid commands:

openssl req -nodes -new -keyout server.key -out server.csr

The previous command will prompt you interactively for several pieces of information. The following points require special attention:
 * The really tricky part that gets most people is the Common Name. This field must be the domain name for which you are generating the CSR, exactly as clients will type it. If the domain is www.example.com, then enter www.example.com; if it is mail.example.com, then enter mail.example.com; and so on.
 * If you have several hostnames under one domain that you would like to secure, then you will want a wildcard certificate (check whether your Certificate Authority issues wildcard certificates). For example, instead of having one certificate for www.example.com and another for mail.example.com, you could have a single certificate for *.example.com.
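The following POSIX shell script is an added example, not a command sequence from the original page: it carries the Testing steps and the CSR step above through end to end, and then checks the results the way you would before handing a CSR to a CA. It generates a private key, displays its details, issues a self-signed certificate for local testing, and builds a CSR from that same key. Note that it uses openssl req -key, which reuses the existing key, rather than -keyout, which generates a fresh key and would leave your test key and your CSR out of step. The scratch directory WORKDIR, the function names, and the subject www.example.com are assumptions for this example; server.key and server.csr follow the file names used above.

```shell
#!/bin/sh
# Added example (not from the original page): generate a test key, inspect it,
# issue a self-signed certificate for local testing, and build a CSR from the
# SAME key so that the CA-signed certificate will match it later.
# WORKDIR, the function names and the subject are assumptions for this example.

set -eu

# Work in a scratch directory so nothing lands in the live Apache configuration.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate a 2048-bit RSA private key. genrsa writes it unencrypted unless you
# pass a cipher option, so Apache can read it at startup without a passphrase.
gen_key() {
    openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
    chmod 600 "$WORKDIR/server.key"   # the private key must never be world-readable
}

# Display the key's details; -check also confirms the RSA components are consistent.
show_key() {
    openssl rsa -in "$WORKDIR/server.key" -noout -check
}

# Self-signed certificate for testing only: browsers will warn about it, but it
# lets you bring up the SSL virtual host before a CA has signed anything.
gen_self_signed() {
    openssl req -new -x509 -days 365 \
        -key "$WORKDIR/server.key" \
        -subj "/CN=www.example.com" \
        -out "$WORKDIR/server.crt" 2>/dev/null
}

# CSR built from the existing key (-key, not -keyout, which would create a new key).
gen_csr() {
    openssl req -new \
        -key "$WORKDIR/server.key" \
        -subj "/CN=www.example.com" \
        -out "$WORKDIR/server.csr" 2>/dev/null
}

# Print the Common Name recorded in the CSR so you can confirm the right host went in.
# The sed expression accepts both the "CN=host" and the "CN = host" subject formats.
csr_common_name() {
    openssl req -in "$WORKDIR/server.csr" -noout -subject | sed 's/.*CN *= *//'
}

# Check that a certificate (x509) or request (req) really belongs to our key:
# the public key extracted from it must be identical to the one derived from
# server.key. Exit status 0 means they match.
key_matches() {   # $1 = x509 | req   $2 = file to check
    [ "$(openssl "$1" -in "$2" -noout -pubkey)" = \
      "$(openssl rsa -in "$WORKDIR/server.key" -pubout 2>/dev/null)" ]
}

# A self-signed certificate must verify when it is its own trust anchor.
verify_self_signed() {
    openssl verify -CAfile "$WORKDIR/server.crt" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Run the whole sequence; returns non-zero as soon as one step fails (set -e).
run_all() {
    gen_key
    show_key >/dev/null
    gen_self_signed
    gen_csr
    key_matches x509 "$WORKDIR/server.crt"
    key_matches req  "$WORKDIR/server.csr"
    verify_self_signed
    echo "key, self-signed certificate and CSR written to $WORKDIR"
}
```

Call run_all after sourcing the script; the three check functions are the ones worth keeping around, since a certificate that does not match the key you configure is the most common reason an SSL virtual host refuses to start.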

Requesting a Certificate
Once you have finished generating a CSR, you will need to submit the content of to a CA. This process varies a little from CA to CA. The best source of information and direction for this step is to get it straight from the horse's mouth.

If you are working with limited funds or are looking for something that is free to enable security for a not so critical Web site, such as a family home page, take a look at these two:
 * StartCom StartSSL
 * CACert.org: Limited browser acceptance.

The CA will give you the file or the content for the file. The files and  can be used inside your Apache configuration file:

Configuring Apache
Now that you have your key and certificate, there are a few steps you will need to perform in order to start hosting an SSL enabled Web site.

First, Apache needs to be compiled with the proper USE Flag enabled:

Second, edit so that -D SSL -D SSL_DEFAULT_VHOST appears in the APACHE2_OPTS line.

Third, you need to create an SSL virtual host. The following example will get you started with a basic configuration.
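A basic SSL virtual host, as an added example rather than the page's own configuration. The IfDefine names match the -D SSL -D SSL_DEFAULT_VHOST options from the previous step, so the block is only loaded when those are set. The ServerName, the DocumentRoot, the certificate and key paths and the log file names are assumptions; point them at the key and the CA-signed (or, for testing, self-signed) certificate you produced earlier.

```apache
# Added example SSL virtual host (not the original page's configuration).
# All paths and the ServerName are assumptions for this example.
<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
# Listen 443 is normally already set by the mod_ssl module configuration;
# uncomment it only if nothing else listens on port 443.
#Listen 443
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/localhost/htdocs

    SSLEngine on
    SSLCertificateFile    /etc/ssl/apache2/server.crt
    SSLCertificateKeyFile /etc/ssl/apache2/server.key
    # If the CA supplied an intermediate certificate, Apache must serve it too,
    # or clients will see an incomplete chain and refuse the connection.
    #SSLCertificateChainFile /etc/ssl/apache2/ca-chain.crt

    # Refuse the obsolete protocol versions and anonymous or MD5-based suites.
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5

    ErrorLog  /var/log/apache2/ssl_error_log
    CustomLog /var/log/apache2/ssl_access_log combined
</VirtualHost>
</IfDefine>
</IfDefine>
```

Keep the key file readable only by root: Apache reads it before dropping privileges, so it needs no wider permissions, and a world-readable key defeats the point of the certificate.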

Restart Apache, and you are ready to start hosting a secure Web site.

Troubleshooting

 * If you are using mod_security and you are getting messages like the following in your error log, you should set ServerTokens to Full in