It is assumed Apache is installed and compiled with SSL (recompile with --enable-ssl and --enable-setenvif).
First we need to generate a Certificate Signing Request (CSR); this is then sent to the SSL provider, who return a certificate. The same signing request can also be used to produce your own self-signed certificate:
openssl req -new -sha1 -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
This should give example.com.key, which is the private key, and example.com.csr, our signing request. You must submit the request to your provider and they should return a certificate, which you can paste into a new file called example.com.cert. They should also send you a CA (certificate authority) certificate file, called example.com.ca in this article.
To verify that your certificate, key and CA file all work together we run a few commands. First, check that the certificate verifies against the CA file and is valid for use by a TLS server:
openssl verify -CAfile example.com.ca -purpose sslserver example.com.cert
Next, check that the certificate corresponds to our private key; the output from each of the following should be identical:
openssl x509 -noout -modulus -in example.com.cert | openssl sha1
openssl rsa -noout -modulus -in example.com.key | openssl sha1
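The following script is an added example, not part of the original article: it builds a throwaway CA and a CA-signed server certificate in a temporary directory and then runs the same checks described above (chain verification against the CA file, and confirming that the certificate and private key belong together). The CA name "Demo Test CA", the host name demo.test, the file names and the extra "other.key" used for the mismatch case are all constructed for this example. It uses sha256 for the CSR signature and the modulus digest where the article uses sha1, and adds a public-key comparison that also works for non-RSA keys, which the modulus trick does not.

```shell
#!/bin/sh
# Added example (not from the original article). Requires the openssl CLI.
set -eu

# Generate a self-signed test CA plus a CA-signed server certificate for the
# constructed host name "demo.test". Writes ca.cert, server.key, server.csr,
# server.cert and an unrelated other.key into directory $1.
make_test_pki() {
    dir="$1"
    # Throwaway CA (constructed for this example).
    openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.cert" 2>/dev/null
    # Same shape as the article's CSR command, with sha256 instead of sha1.
    openssl req -new -sha256 -newkey rsa:2048 -nodes \
        -subj "/CN=demo.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # Stand in for the provider: sign the CSR with the test CA.
    openssl x509 -req -sha256 -days 2 -in "$dir/server.csr" \
        -CA "$dir/ca.cert" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.cert" 2>/dev/null
    # A second, unrelated key so the mismatch case can be shown.
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
}

# Check 1 (the article's first check): certificate $2 chains to CA file $1
# and is acceptable for a TLS server. Returns 0 on success, 1 otherwise.
verify_against_ca() {
    openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1
}

# Check 2 (the article's second check): digest of the RSA modulus taken from
# certificate $1 must equal the digest taken from private key $2.
cert_key_modulus_match() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null | openssl dgst -sha256)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Check 3 (generalisation, not in the article): compare the public keys
# themselves, which works for any key type, including ECDSA keys that have
# no modulus at all.
cert_key_pubkey_match() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Run all checks against freshly generated material and report the outcome.
run_demo() {
    d=$(mktemp -d)
    make_test_pki "$d"
    verify_against_ca "$d/ca.cert" "$d/server.cert" \
        && echo "chain OK" || echo "chain FAILED"
    cert_key_modulus_match "$d/server.cert" "$d/server.key" \
        && echo "modulus match OK" || echo "modulus match FAILED"
    cert_key_pubkey_match "$d/server.cert" "$d/server.key" \
        && echo "pubkey match OK" || echo "pubkey match FAILED"
    cert_key_modulus_match "$d/server.cert" "$d/other.key" \
        && echo "unexpected: wrong key matched" || echo "wrong key rejected OK"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
    run_demo
fi
```

Run it as `sh check-cert.sh --demo`. For a real provider-issued certificate, call `verify_against_ca example.com.ca example.com.cert` and `cert_key_pubkey_match example.com.cert example.com.key` directly; if the provider sent an intermediate as well as the root, the CA file handed to the first check must contain both.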
Now that we have our certificate and private key we can begin setting up Apache for SSL. A few things to add somewhere in httpd.conf (snippets are from extra/httpd-ssl.conf, which is generated when building Apache):
# listen on port 443 (https)
Listen 443
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is an internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
Now that Apache's main configuration is complete, we just need a new VirtualHost to deal with the directories and the certificate itself (example from our afterburst.com configuration):
<VirtualHost *:443>
DocumentRoot "/web/www/afterburst.com/client.afterburst.com"
ServerAlias afterburst.com
# enable ssl
SSLEngine on
# certificate
SSLCertificateFile "/web/ssl/afterburst.com/cert"
# private key
SSLCertificateKeyFile "/web/ssl/afterburst.com/key"
# ca certificate (the provider's CA/intermediate file; uncomment so clients
# that do not already trust the intermediate can build the chain)
#SSLCertificateChainFile "/web/ssl/afterburst.com/ca"
</VirtualHost>
Related:
http://onlamp.com/onlamp/2008/[..]sl-under-apache.html