Stack Setup

Apache SSL

It is assumed that Apache is installed and compiled with SSL support (if not, recompile with --enable-ssl and --enable-setenvif).

First we need to generate a Certificate Signing Request (CSR). This is then sent to the SSL provider, who returns a certificate. It's also possible to use the signing request to create your own self-signed certificate:

openssl req -new -sha1 -newkey rsa:2048 -nodes -keyout -out

This should give which is a private key and, our signing request. You must set this up with your provider and they should return you a certificate, which you can paste into a new file called They should also send you a CA (certificate authority certificate) file, called in this article.

To verify that your certificate, key and CA file all work together, we run a few commands. First, to check the CA file:

openssl verify -CAfile -purpose sslserver

Next, check that the certificate corresponds to our private key. The output from each of the following should be identical:

openssl x509 -noout -modulus -in | openssl sha1
openssl rsa -noout -modulus -in | openssl sha1
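
The checks above, combined into one script that returns a distinct status for a broken chain, an unreadable file and a mismatched key. This is an added example, not part of the original article: the file names (ca.crt, site.crt, site.key, other.key) and the throwaway CA are constructed for the demo, and -sha256 is used where the article's request command uses -sha1.

```sh
#!/bin/sh
# Print the SHA-1 digest of a file's RSA modulus (the two commands above).
# $1 = x509 (certificate) or rsa (private key), $2 = file. Fails on an
# unreadable file, so two bad files never "match" as hashes of empty input.
modulus_digest() {
    m=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$m" ] || return 1
    printf '%s\n' "$m" | openssl sha1
}

# $1 = certificate, $2 = private key, $3 = CA file.
# Returns 0 = usable, 1 = chain check failed, 2 = unreadable file, 3 = wrong key.
check_pair() {
    openssl verify -CAfile "$3" -purpose sslserver "$1" >/dev/null 2>&1 ||
        { echo "chain check failed"; return 1; }
    c=$(modulus_digest x509 "$1") || { echo "certificate unreadable"; return 2; }
    k=$(modulus_digest rsa "$2") || { echo "private key unreadable"; return 2; }
    [ "$c" = "$k" ] || { echo "key mismatch"; return 3; }
    echo "OK"
}

# Constructed sample input (hypothetical names): a throwaway CA, a certificate
# it signs, the matching key, and an unrelated key. $1 = directory to fill.
make_demo() {
    openssl req -x509 -new -sha256 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -new -sha256 -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/site.key" -out "$1/site.csr" 2>/dev/null &&
    openssl x509 -req -sha256 -days 1 -in "$1/site.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/site.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo=$(mktemp -d) && make_demo "$demo" || exit 1
check_pair "$demo/site.crt" "$demo/site.key" "$demo/ca.crt" || true    # prints OK
check_pair "$demo/site.crt" "$demo/other.key" "$demo/ca.crt" || true   # prints key mismatch
```

Run check_pair against the real certificate, key and CA file before pointing Apache at them; a non-zero status means the VirtualHost would fail to start or would serve a chain clients reject.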

Now that we have our certificate and private key, we can begin setting up Apache for SSL. A few things need to be added somewhere in httpd.conf (snippets are from extra/httpd-ssl.conf when building Apache):

#listen on port 443 (https)
Listen 443
#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is an internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

Now that Apache's main configuration is complete, we just need a new VirtualHost to deal with the directories and the certificate itself (example from our configurations):

<VirtualHost *:443>
    DocumentRoot "/web/www/"

    #enable ssl
    SSLEngine on

    #certificate
    SSLCertificateFile "/web/ssl/"

    #private key
    SSLCertificateKeyFile "/web/ssl/"

    #ca certificate
    #SSLCertificateChainFile "/web/ssl/"
</VirtualHost>