This article assumes Apache is installed and compiled with SSL support (if not, recompile with --enable-ssl and --enable-setenvif).
First we need to generate a Certificate Signing Request (CSR). This is sent to the SSL provider, who returns a certificate. It's also possible to use the signing request to create your own self-signed certificate:
openssl req -new -sha1 -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
This should give example.com.key, which is the private key, and example.com.csr, our signing request. You must set this up with your provider, and they should return a certificate, which you can paste into a new file called example.com.cert. They should also send you a CA (certificate authority) certificate file, called example.com.ca in this article.
To verify that your certificate, key and CA file all work together, we run a few commands. First, check the certificate against the CA file:
openssl verify -CAfile example.com.ca -purpose sslserver example.com.cert
Next, check that the certificate corresponds to our private key. The output from each of the following commands should be identical:
openssl x509 -noout -modulus -in example.com.cert | openssl sha1
openssl rsa -noout -modulus -in example.com.key | openssl sha1
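The two commands above also print identical output when both fail (each then hashes empty input), so a scripted check should treat an unreadable file as an error. The script below is an added example, not part of the original article: it compares the full public key with `openssl x509 -pubkey` and `openssl pkey -pubout` instead of the RSA modulus, digests with SHA-256, and generates its own constructed sample files in a temporary directory; all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article. File names are constructed samples.

# Digest of the public key embedded in a certificate; fails if it cannot be parsed.
cert_pubkey_digest() {
    pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl sha256
}

# Digest of the public key derived from a private key; fails if it cannot be parsed.
key_pubkey_digest() {
    pub=$(openssl pkey -pubout -in "$1" 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl sha256
}

# 0 = same public key, 1 = different keys, 2 = a file was missing or unreadable.
cert_matches_key() {
    c=$(cert_pubkey_digest "$1") || { echo "cannot read certificate: $1" >&2; return 2; }
    k=$(key_pubkey_digest "$2") || { echo "cannot read private key: $2" >&2; return 2; }
    [ "$c" = "$k" ]
}

# Constructed sample data: a self-signed certificate, its key, and an unrelated key.
make_samples() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.com" \
        -keyout "$1/example.com.key" -out "$1/example.com.cert" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Print the verdict for one certificate/key pair.
report() {
    if cert_matches_key "$2" "$3" 2>/dev/null; then echo "$1: match"
    else echo "$1: rejected (rc=$?)"; fi
}

d=$(mktemp -d)
make_samples "$d"
report "issued pair"   "$d/example.com.cert" "$d/example.com.key"
report "unrelated key" "$d/example.com.cert" "$d/other.key"
report "missing files" "$d/missing.cert"     "$d/missing.key"
rm -rf "$d"
```

Running `cert_matches_key example.com.cert example.com.key` before reloading Apache catches a mismatched pair without starting the server.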
Now that we have our certificate and private key, we can begin setting up Apache for SSL. A few things need to be added somewhere in httpd.conf (the snippets are from extra/httpd-ssl.conf, which is produced when building Apache):
# Listen on port 443 (https)
Listen 443

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is an internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
Now that Apache's main configuration is complete, we just need a new VirtualHost to deal with the directories and the certificate itself (example from our afterburst.com configurations):
<VirtualHost *:443>
    DocumentRoot "/web/www/afterburst.com/client.afterburst.com"
    ServerAlias afterburst.com

    # Enable SSL
    SSLEngine on

    # Certificate
    SSLCertificateFile "/web/ssl/afterburst.com/cert"

    # Private key
    SSLCertificateKeyFile "/web/ssl/afterburst.com/key"

    # CA certificate
    #SSLCertificateChainFile "/web/ssl/afterburst.com/ca"
</VirtualHost>