Title: mod_ssl (the old way)
Subject: Steps to set up mod_ssl from scratch.

Note: find and replace "mydomain.com" with your first domain name. Second, replace "2nddomain.com" with your second domain. Third, replace "123.456.789.abc" with your IP address.

--------------------------------------------------
setup mod_ssl-2.6.4-1.3.12
--------------------------------------------------

I already have a working Apache 1.3.11 server, running virtual domains, so I did the following:

1. Backup the httpd.conf:

   cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.bak

2. Make the install dir and unpack the sources:

   tar -xzvpf apache_1.3.12.tar.gz
   tar -xzvpf mod_ssl-2.6.4-1.3.12.tar.gz
   tar -xzvpf openssl-0.9.5a.tar.gz
   mkdir rsaref20
   mv rsaref20.tar.Z rsaref20
   cd rsaref20/
   gunzip -d rsaref20.tar.Z
   tar -xvpf rsaref20.tar
   cd ..

   The install directory should look like this:

   apache_1.3.12/
   mod_ssl-2.6.4-1.3.12/
   openssl-0.9.5a/
   rsaref20/

3. Build RSAref for your system:

   cp -rp rsaref20/install/unix rsaref20/local
   cd rsaref20/local
   make
   mv rsaref.a librsaref.a

4. Build OpenSSL (the version unpacked in step 2 is 0.9.5a, so that is the directory to enter):

   cd ../../openssl-0.9.5a
   sh config -L ../rsaref20/local/ rsaref -fPIC
   make
   make test

5. Build mod_ssl-2.6.4 for Apache 1.3.12:

   cd ../mod_ssl-2.6.4-1.3.12
   ./configure --prefix=/usr/local/apache --with-apache=../apache_1.3.12 --with-ssl=../openssl-0.9.5a --with-rsa=../rsaref20/local --enable-shared=ssl --enable-rule=SSL_SDBM
   cd ../apache_1.3.12
   make
   make certificate
   make install

   "make certificate" only produces a test certificate so the server can start; the real one is created further down.

6. Add openssl to the path (until OpenSSL is installed, the binary lives in the apps/ directory of its source tree):

   PATH=/usr/bin:/bin:/usr/local/bin:/usr/X11R6/bin:/root/bin:/usr/local/download/sslapache_stuff/openssl-0.9.5a/apps/

7. Generate a key:

   openssl genrsa -out www.2nddomain.com.key 1024

8. Copy openssl.cnf to /usr/local/apache/conf/ (run from that directory):

   cp /usr/local/download/sslapache_stuff/openssl-0.9.5a/apps/openssl.cnf .

9. Self-sign the CSR to get a test certificate. With -x509, openssl req reads the request given with -in and writes a self-signed certificate instead of a new request; the CSR itself is produced with "openssl req -new" as in the "real cert" section below. No CA vouches for the result, so browsers will warn; it is only good for checking that the SSL vhost comes up:

   openssl req -x509 -key www.2nddomain.com.key -in www.2nddomain.com.csr -out www.2nddomain.com.crt

10.
Test the httpd.conf file:

   ./apachectl configtest

Start the Web server (startssl starts it with SSL enabled; plain start brings it up without the SSL vhost):

   ../bin/apachectl stop
   ../bin/apachectl startssl

   or, without SSL:

   ../bin/apachectl stop
   ../bin/apachectl start

--------------------------------------------------------------
Configuration:
--------------------------------------------------------------

----------------------------------------------------------
from http://www.modssl.org/docs/2.6/ssl_faq.html#ToC28
----------------------------------------------------------

Server is installed, now I need to create a real cert:

1. Make sure openssl is in your path:

   PATH=$PATH:/usr/local/ssl/bin/

2. Create an RSA private key for your Apache server (PEM formatted, optionally Triple-DES encrypted). An encrypted key needs its pass phrase typed every time the server starts; a non-encrypted key does not, so protect it with file permissions (owned by root, mode 0600) instead.

   Generate a non-encrypted key:

   # openssl genrsa -out server.key 1024

   --or--

   Generate a pass-phrase encrypted key:

   # openssl genrsa -des3 -out server.key 1024
   warning, not much extra random data, consider using the -rand option
   Generating RSA private key, 1024 bit long modulus
   ................................................................................++++++
   .......++++++
   e is 65537 (0x10001)
   Enter PEM pass phrase:
   Verifying password - Enter PEM pass phrase:

   (The "not much extra random data" warning means the PRNG had little seed material; on a system without /dev/urandom, pass -rand with a few files of unpredictable content.)

3. See the details of the key:

   # openssl rsa -noout -text -in server.key

4. Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):

   # openssl req -new -key server.key -out server.csr

   or, with the key named after the second domain:

   # openssl req -new -key 2nddomain.com.key -out 2nddomain.com.csr
   Using configuration from /usr/local/ssl/openssl.cnf
   Enter PEM pass phrase:
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [AU]:US
   State or Province Name (full name) [Some-State]:California
   Locality Name (eg, city) []:Hayward
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:2nddomain
   Organizational Unit Name (eg, section) []:web server
   Common Name (eg, YOUR name) []:www.2nddomain.com
   Email Address []:john@2nddomain.com

   Please enter the following 'extra' attributes
   to be sent with your certificate request
   A challenge password []:
   An optional company name []:

   The Common Name must be exactly the host name clients will type (www.2nddomain.com here); any other value gives every visitor a name-mismatch warning.

5. You now have to send this Certificate Signing Request (CSR) to a Certifying Authority (CA) for signing. The result is then a real Certificate which can be used for Apache. Here you have two options:

   1. Send it to a commercial CA for signing:

      http://digitalid.verisign.com/server/apacheNotice.htm
      http://www.thawte.com/certs/server/request.html
      http://www.certisign.com.br
      http://www.iks-jena.de/produkte/ca/
      http://www.uptimecommerce.com
      http://www.belsign.be

   2. Use your own CA and sign the CSR yourself with it. Browsers will not trust such a certificate until ca.crt is imported into them, so this suits testing or a closed user group, not the public.

      a. Create an RSA private key for your CA (will be Triple-DES encrypted and PEM formatted):

         # openssl genrsa -des3 -out ca.key 1024

      b. Create a self-signed CA Certificate (X509 structure) with the RSA key of the CA (output will be PEM formatted):

         # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
         Using configuration from /usr/local/ssl/openssl.cnf
         Enter PEM pass phrase:
         You are about to be asked to enter information that will be incorporated
         into your certificate request.
         What you are about to enter is what is called a Distinguished Name or a DN.
         There are quite a few fields but you can leave some blank
         For some fields there will be a default value,
         If you enter '.', the field will be left blank.
         -----
         Country Name (2 letter code) [AU]:US
         State or Province Name (full name) [Some-State]:California
         Locality Name (eg, city) []:Hayward
         Organization Name (eg, company) [Internet Widgits Pty Ltd]:Web Pages w/ Stile
         Organizational Unit Name (eg, section) []:web site
         Common Name (eg, YOUR name) []:www.mydomain.com
         Email Address []:john@mydomain.com

      c. Sign the CSR with the CA. The sign.sh script ships with the mod_ssl sources; locate it with find, then run it from the directory holding ca.key and ca.crt (it writes its own ca.config and a small certificate database, ca.db.*, there):

         # find / -name sign.sh
         # ./sign.sh 2nddomain.com.csr
         CA signing: 2nddomain.com.csr -> 2nddomain.com.crt:
         Using configuration from ca.config
         Enter PEM pass phrase:
         Check that the request matches the signature
         Signature ok
         The Subjects Distinguished Name is as follows
         countryName           :PRINTABLE:'US'
         stateOrProvinceName   :PRINTABLE:'California'
         localityName          :PRINTABLE:'Berkeley'
         organizationName      :PRINTABLE:'2nddomain'
         organizationalUnitName:PRINTABLE:'web server'
         commonName            :PRINTABLE:'www.2nddomain.com'
         emailAddress          :IA5STRING:'john@2nddomain.com'
         Certificate is to be certified until Jun 9 09:35:09 2001 GMT (365 days)
         Sign the certificate? [y/n]:y


         1 out of 1 certificate requests certified, commit?
         [y/n]y
         Write out database with 1 new entries
         Data Base Updated
         CA verifying: 2nddomain.com.crt <-> CA cert
         2nddomain.com.crt: OK

         The pass phrase asked for here is the CA key's (ca.key), not the server key's. The final "OK" comes from openssl verify: the new certificate chains to ca.crt.

-------------------------------------
httpd.conf mod_ifications
-------------------------------------

Port 80
Listen 80
Listen 443

LoadModule ssl_module libexec/libssl.so

<VirtualHost 123.456.789.abc:80>
    ServerAdmin john@mydomain.com
    DocumentRoot /www/expFreames
    ServerName www.mydomain.com
    ServerAlias mydomain.com
    ErrorLog /www/logs/mydomain.com-error_log
    CustomLog /www/logs/mydomain.com-access_log common
</VirtualHost>

<VirtualHost 123.456.789.abc:80>
    ServerAdmin john@mydomain.com
    DocumentRoot /www/2nddomain
    ServerName www.2nddomain.com
    ErrorLog /www/logs/2nddomain-error_log
    CustomLog /www/logs/2nddomain-access_log common
</VirtualHost>

<VirtualHost 123.456.789.abc:443>
    ServerAdmin john@mydomain.com
    DocumentRoot /www/2nddomain
    ServerName www.2nddomain.com
    ErrorLog /www/logs/2nddomain-error_log
    CustomLog /www/logs/2nddomain-access_log common
    SSLEngine on
    SSLCertificateFile conf/ssl/2nddomain.com.crt
    SSLCertificateKeyFile conf/ssl/2nddomain.com.key
</VirtualHost>

Two things to keep in mind with this layout. First, the certificate is selected by the IP:port the client connected to, before any host name is seen, so there can be only one SSL site per IP address and port; a second https domain needs its own IP (or a different port). Second, the server reads SSLCertificateKeyFile as root at startup and never needs it again, so the key file should be owned by root and mode 0600, not readable by the user Apache runs as.

================================================================
Off topic, but this is how to set up passwds.
--------------------------------------------
Web Access Accounts Creation:

1) Create, or add to, the web access username/passwd file with this format:

   /usr/local/apache/bin/htpasswd -c /usr/local/apache/conf/.htpasswd <username>

   Type the passwd twice. -c creates (and overwrites!) the file, so use it only for the first user; leave it off when adding further users to an existing file.

   cat /usr/local/apache/conf/.htpasswd

2) Copy .htaccess to the new directory you wish to passwd-protect. The file should look like this (AuthUserFile must be the absolute path of the file htpasswd wrote, and the directory's AllowOverride must include AuthConfig or the .htaccess is ignored):

   AuthUserFile /export/home/jstile/.htpasswd
   AuthGroupFile /dev/null
   AuthName "Secret Page"
   AuthType Basic
   require valid-user    #<-- this can be "user <name>" or "group <name>"

   Basic auth sends the password base64-encoded, i.e. in the clear, on every request, so protected directories belong under the https vhost.

3) Edit the copy of .htaccess, and change "ca148a" to the new user name.

4) Test it.
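The key, CSR, CA and sign.sh steps above, condensed into a script together with the checks worth running before SSLCertificateFile and SSLCertificateKeyFile are pointed at the files. This is an added example, not code from the original notes or from mod_ssl: it assumes a current openssl(1) (1.1.1 or 3.x command syntax), uses 2048-bit keys in place of the 1024-bit keys in the notes, replaces sign.sh with "openssl x509 -req", and the pass phrases, DN values and the "Private CA" name are invented; the file names (ca.key, ca.crt, www.2nddomain.com.key/.csr/.crt) follow the notes.

```shell
#!/bin/sh
# Added example, not part of the original notes: a private CA signing a server
# CSR the way sign.sh does, plus the checks worth running before the files are
# referenced from SSLCertificateFile / SSLCertificateKeyFile.
# Assumptions: a current openssl(1) on PATH (1.1.1 or 3.x syntax); 2048-bit
# keys instead of the notes' 1024-bit ones; pass phrases and DN values made up.
set -e

# CA key (encrypted, like "genrsa -des3" in the notes but with AES), self-signed
# CA cert, server key (NOT encrypted, so apachectl can start unattended), CSR,
# and finally the CA signature over the CSR.
make_ca_and_server_cert() {
    d=$1; host=$2
    openssl genrsa -aes256 -passout pass:capass -out "$d/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$d/ca.key" -passin pass:capass \
        -subj "/C=US/ST=California/L=Hayward/O=Web Pages w Stile/CN=Private CA" \
        -out "$d/ca.crt"
    openssl genrsa -out "$d/$host.key" 2048 2>/dev/null
    chmod 600 "$d/$host.key"   # Apache reads it as root at startup; nobody else needs it
    openssl req -new -key "$d/$host.key" \
        -subj "/C=US/ST=California/L=Hayward/O=2nddomain/OU=web server/CN=$host" \
        -out "$d/$host.csr"
    # What sign.sh does underneath: the CA key signs the request.
    openssl x509 -req -days 365 -in "$d/$host.csr" \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -passin pass:capass -CAcreateserial \
        -out "$d/$host.crt" 2>/dev/null
}

# Step 9 of the notes, for comparison: self-sign the same CSR with the server's
# own key. Valid X.509, but no CA vouches for it.
self_sign_csr() {
    d=$1; host=$2
    openssl x509 -req -days 30 -in "$d/$host.csr" -signkey "$d/$host.key" \
        -out "$d/$host.selfsigned.crt" 2>/dev/null
}

# Check 1: does the cert chain to our CA? (sign.sh's "CA verifying" line)
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Check 2: do cert and key belong together? Comparing the RSA modulus catches a
# mismatched SSLCertificateFile/SSLCertificateKeyFile pair before a restart.
key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1/$2.key")
    cmod=$(openssl x509 -noout -modulus -in "$1/$2.crt")
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Check 3: the Common Name must equal the host name clients connect to.
cert_cn() {
    openssl x509 -noout -subject -in "$1/$2.crt" | sed 's/.*CN *= *//; s/[,\/].*//'
}

# Check 4: the private key must not be group- or world-readable.
key_is_private() {
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

if [ "${1:-}" = demo ]; then
    W=$(mktemp -d)
    make_ca_and_server_cert "$W" www.2nddomain.com
    self_sign_csr "$W" www.2nddomain.com
    verify_chain "$W" www.2nddomain.com && echo "CA-signed cert: chain to ca.crt OK"
    verify_chain "$W" www.2nddomain.com.selfsigned || echo "self-signed cert: no chain to ca.crt (expected)"
    key_matches_cert "$W" www.2nddomain.com && echo "key and cert modulus match"
    echo "CN=$(cert_cn "$W" www.2nddomain.com)"
    key_is_private "$W/www.2nddomain.com.key" && echo "key mode is 0600"
    echo "files are in $W"
fi
```

Run it as "sh mkcert.sh demo". The self-signed branch is the counterpart of the step 9 command: the certificate parses fine and the key matches it, but openssl verify against ca.crt rejects it, which is exactly what a browser does until the CA certificate is imported.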
-----------------------------------------------------------
Browsing to your site:

By clicking: go to http://online.ohlone.cc.ca.us
on the right, click on "Instructional Web Sites"
click "Computer Studies"
click on "gwhite"
------------------------------------------------------------
If you are using SuSE Linux, go to their homepage; they give the solution in the support database:

1) in /etc/rc.config.d/apache.rc.config, set the variable HTTPD_SEC_MOD_AUTH_NDS=no instead of yes
2) run: SuSEconfig --module apache
3) restart apache with: rcapache restart
------------------------------------------------------------
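For the "Web Access Accounts Creation" section above: what an .htpasswd entry actually contains, and how a password is checked against it. This is an added example, not code from the original notes or from Apache; it builds the $apr1$ (Apache MD5) entry that "htpasswd -m" writes using openssl instead of the htpasswd binary, and the checker re-hashes the candidate with the stored salt the way mod_auth does. It assumes an openssl(1) whose "passwd" subcommand supports -apr1; the user name ca148a is from the notes, the password is made up.

```shell
#!/bin/sh
# Added example, not part of the original notes: .htpasswd entries in the
# $apr1$ format of "htpasswd -m", produced with openssl, plus a checker.
# Assumptions: openssl(1) on PATH with "passwd -apr1"; password values made up.
set -e

# Emit "user:$apr1$<salt>$<hash>". The password goes in on stdin rather than
# on the command line, so it does not show up in "ps" output.
htpasswd_entry() {
    user=$1; pass=$2
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)
    printf '%s:%s\n' "$user" "$hash"
}

# Look up the user's stored hash (field 1 is the user, field 2 the hash; the
# hash contains no colon), pull the salt out of $apr1$salt$hash, re-hash the
# candidate with that salt and compare.
check_password() {
    file=$1; user=$2; candidate=$3
    stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file")
    [ -n "$stored" ] || return 1
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    recomputed=$(printf '%s\n' "$candidate" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$recomputed" = "$stored" ]
}

# Write the matching .htaccess; AuthUserFile must be the absolute path of the
# file the entries were written to, as the notes say.
write_htaccess() {
    dir=$1; passwdfile=$2
    cat > "$dir/.htaccess" <<EOF
AuthUserFile $passwdfile
AuthGroupFile /dev/null
AuthName "Secret Page"
AuthType Basic
require valid-user
EOF
}

if [ "${1:-}" = demo ]; then
    W=$(mktemp -d)
    htpasswd_entry ca148a 'correct horse' > "$W/.htpasswd"
    chmod 640 "$W/.htpasswd"    # readable by the server's group only
    write_htaccess "$W" "$W/.htpasswd"
    cat "$W/.htpasswd" "$W/.htaccess"
    check_password "$W/.htpasswd" ca148a 'correct horse' && echo "good password accepted"
    check_password "$W/.htpasswd" ca148a 'wrong' || echo "bad password rejected"
fi
```

Run it as "sh htpw.sh demo". Keep the .htpasswd file outside DocumentRoot (the notes put it in conf/), otherwise the hashes are one URL away from anyone who wants to crack them offline.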