Generate SSL Certificate for Apache Web Server


(A self-signed certificate in my testing web server)

1. Create a directory, for example, under apache2/conf/
# mkdir certworks
# cd certworks

2. Create a configuration file for generating a certificate
# cat myconfig.file
RANDFILE =./random.txt
[req]
default_bits = 1024
default_keyfile = keyfile.pem
attributes = req_attributes
distinguished_name = ShanJing
prompt = no
output_password = mypassword
[ShanJing]
C = US
ST = CA
L = Arcadia
O = ShanJing
OU = Shan's IT
CN = 192.168.1.104
emailAddress = mail@shanjing.com
[req_attributes]
challengePassword = mypassword


3. Create a private key and a Certificate Signing Request
# openssl req -new -out server.csr -config myconfig.file

Generating a 1024 bit RSA private key
.......++++++
...........++++++
writing new private key to 'keyfile.pem'
-----

# ls -al
total 48
drwxr-xr-x 2 root root 4096 Dec 5 11:35 .
drwxr-xr-x 5 root root 4096 Dec 5 11:29 ..
-rw-r--r-- 1 root root 963 Dec 5 11:35 keyfile.pem
-rw-r--r-- 1 root root 351 Dec 5 11:33 myconfig.file
-rw------- 1 root root 1024 Dec 5 11:35 random.txt
-rw-r--r-- 1 root root 737 Dec 5 11:35 server.csr


4. Remove the passphrase from the private key so that Apache does not prompt for it at startup
# openssl rsa -in keyfile.pem -out server.key
Enter pass phrase for keyfile.pem:
writing RSA key

5. For testing, we just generate a self-signed certificate.
# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

Signature ok
subject=/C=US/ST=CA/L=Arcadia/O=ShanJing/OU=Shans IT/CN=192.168.1.104/emailAddress=mail@shanjing.com
Getting Private key


6. Set up mod_ssl in Apache:

Modify the following in the conf/extra/httpd-ssl.conf file:

SSLCertificateFile "/usr/local/apache2/conf/certworks/server.crt"

SSLCertificateKeyFile "/usr/local/apache2/conf/certworks/server.key"

Modify httpd.conf and enable (uncomment):

Include conf/extra/httpd-ssl.conf


(Note: if mod_ssl is compiled into Apache as a built-in module, you don't need to put the following line in the httpd.conf file:
LoadModule ssl_module modules/mod_ssl.so

To find out whether mod_ssl is compiled into Apache:

# /usr/local/apache2/bin/apachectl -l | grep mod_ssl
mod_ssl.c

To see currently loaded modules:
[root@ipc4 extra]# /usr/local/apache2/bin/apachectl -t -D DUMP_MODULES
Loaded Modules:
core_module (static)
authn_file_module (static)
authn_default_module (static)
authz_host_module (static)
authz_groupfile_module (static)
authz_user_module (static)
authz_default_module (static)
auth_basic_module (static)
auth_digest_module (static)
include_module (static)
filter_module (static)
deflate_module (static)
log_config_module (static)
env_module (static)
headers_module (static)
setenvif_module (static)
version_module (static)
ssl_module (static)
mpm_prefork_module (static)
http_module (static)
mime_module (static)
status_module (static)
autoindex_module (static)
asis_module (static)
cgi_module (static)
negotiation_module (static)
dir_module (static)
actions_module (static)
userdir_module (static)
alias_module (static)
rewrite_module (static)
so_module (static)
jk_module (shared)
Syntax OK

)
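
Once step 4 strips the passphrase, file permissions are the only protection left on server.key, and the listing in step 3 shows keyfile.pem readable by every local user. The audit below is an added example, not part of the original post: it checks the certworks directory for the 1024-bit key size, the plain-text passphrase in the config, and key files readable by group or others. It assumes the file names used above; `audit_certworks` and its FINDING output format are hypothetical names.

```shell
#!/bin/sh
# Added example: audit the directory produced by steps 1-5 of this page.
# audit_certworks and the "FINDING:" line format are hypothetical names.
# Prints one line per finding plus a total; returns 0 only when there are none.

audit_certworks() {
    dir=$1
    findings=0
    cfg="$dir/myconfig.file"

    if [ -f "$cfg" ]; then
        # RSA keys shorter than 2048 bits are too weak to rely on.
        bits=$(sed -n 's/^[[:space:]]*default_bits[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$cfg" | head -n 1)
        if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
            echo "FINDING: $cfg: default_bits=$bits (use 2048 or more)"
            findings=$((findings + 1))
        fi
        # output_password keeps the key passphrase in clear text on disk.
        if grep -Eq '^[[:space:]]*output_password[[:space:]]*=' "$cfg"; then
            echo "FINDING: $cfg: passphrase stored in plain text (output_password)"
            findings=$((findings + 1))
        fi
    fi

    for key in "$dir/keyfile.pem" "$dir/server.key"; do
        [ -f "$key" ] || continue
        # Characters 5-10 of the ls mode string are the group and other bits.
        mode=$(ls -ld "$key" | cut -c5-10)
        [ "$mode" = "------" ] && continue
        # Both PEM styles of passphrase-protected key carry an ENCRYPTED marker.
        if grep -Eq '^(-----BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED)' "$key"; then
            echo "FINDING: $key: encrypted key readable by group/others ($mode)"
        else
            echo "FINDING: $key: UNENCRYPTED key readable by group/others ($mode)"
        fi
        findings=$((findings + 1))
    done

    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Run as: sh audit.sh /usr/local/apache2/conf/certworks
if [ "$#" -gt 0 ]; then
    audit_certworks "$1"
fi
```

After regenerating the key with `default_bits = 2048` and running `chmod 600` on the key files, the audit should report `findings: 0`.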

Reference: How SSL security works?