hello all. i am trying to configure/start SSL on my apache 2.0 webserver. however, every how-to i have read in the last two weeks tells me something completely different. i would love if someone had a simple, step by step on how to create my public/private keys and a certificate. this is only for a school project, so i want to self-sign the cert. any help on the following would be greatly appreciated:

1. which directory do i run the commands i find here from?

2. how do i test it once it's secure?

thanks!

joe somewhat-newbie

I wrote this howto, it may help:
http://rimuhosting.com/support/micro....jsp?t=ssl#ssl

thx for your response, but that is clear as mud ;-) !! it's probably me just being thickheaded, but these are the things i'm trying to understand:

1. creating a private key
2. creating a certificate
3. creating a certificate request
4. self-signing the request
5. what directories should the above reside in?
6. do i need to modify the configuration files?
7. how can i test to see if it works?

thanks for your patience!

joe

Which distro are you using ?

The info listed by your username in your post suggests you are using slackware 9.0. My (old) slackware 9.0 ISOs have apache 1.3.something and my slackware 9.1 iso's have apache 1.3.28, so arte you really running apache 2.0 .....

I have pc's here running mandrake 9.2 download edition and fedora core 1, both of which have apache 2.0, so I can probably help you out

The key to what you want to do in slackware lies in the mod_ssl package that comes with the 'n' series. Inside there are all the docs you ever need to see, they go into /var/www/htdocs/manual/mod/mod_ssl and more useful still is the setup file that goes in /var/log/setup/apache/mod_ssl

The best overall guide to setting up the keys and so on that I ever found was the mod-ssl site itself www.modssl.org/docs/2.8 but again this talks about ssl for apache 1.3.29, not apache 2.0

There are ways to set up mandrake and fedora, which I can talk you through is that's the distro's you need. I don't want to be accused of trumpetblowing, but if you want proof that you can set up your own ssl certificate, point a browser at https://velvetwood.co.uk

I've had a lot of help from various people on this site, so if there's anything I can do to repay that, so to speak, just ask

I am trying to set up mos_ssl and apache2 on a Mandrake 9.2 box... Want to help me out??

~Jake

Be glad to help if I can. The stuff in here should get you up and running, but you will soon be asking "WHY" is the setup configured this way and for that, grasshopper, you need a linux guru whose knowledge is such that I am (currently) unworthy to tie their shoelaces.

Can I assume before we start that you have done the mandrake install and you have a machine up and running with at least enough of a network to be able to ping 'localhost' or 'localhost.localdomain' from a gnome-terminal window or similar, even if you are not physically connected to the 'net. (If not there's a bit of groundwork needed!)

OK then, my machine here is inside a firewall so you won't be able to see it yourself, but it's IP address on my internal network is 192.168.0.7 and its hostname is ace.velvetwood.co.uk. I have done a pretty standard mandrake linux 9.2 download edition install, except that I chose the 'select individual package' option during the install process and I opted to add the apache2-mod-php items along with apache2-mod-ssl (which I think was already preselected) under the Server => Web/Ftp menu item during the install process.

My main http configuration files are under /etc/httpd/2.0/conf but I don't think I have edited ANYTHING in that directory yet.

The webserver files themselves are in the /var/www heirarchy with the main file appearing to be the index.shtml file in /var/www/html.

With the installation finished and the machine rebooted, I was pleased to see the Mandrake Control Centre (Configuration -> Configure Your Computer) come up. From there under "Network And Internet" the "Drakconnect" icon allowed me to check that my machine was configured the way I wanted it. In the "System" window the "DrakServices" icon showed me that the httpd service was running. Excellent !

Among the applets / icons on the bottom of the screen, there was one called 'galeon' which brought up the galeon browser. By default this opens a "file:///" destination but it was easily persuaded to open http://ace.velvetwood.co.uk (the non-secure welcome page), which of course you won't be able to see as it's inside my firewall

So far, so good.

By now I'd already read a lot about ssl from the mod-ssl webpages and google searching, so I had an inkling of what to look for, but mandrake didn't make it easy to find. Eventually I tracked down a directory /etc/ssl which had two subdirectories "apache" and "webmin"

The apache subdirectory had a README file that told me to run a shell script to create my own certificates. Sounded fine to me but before I did so, I tried a few tests.

I went back to the galeon browser and tried to open "https://ace.velvetwood.co.uk", in other words, to see whether anything was already there. I quickly saw an alert message telling me the ssl certificate for this site was issued by "localhost.gobbledegook". Interesting, I thought. Do you get the same message ? If so. you're quids in. if not, you've got some work to do to get there.

With this already set up, I opened a gnome-terminal window, "su'd" to root, and went to the /etc/ssl/apache directory. In there I renamed the server.key and server.crt files found there to something like server.snakeoil.key and server.snakeoil.crt respectively (a naming convention I once saw in a slackware build).

Then whilst still logged in as root I ran the shell script referred to in the readme from the /etc/ssl/apache subdirectory.

I was asked a load of questions and presto a new server.key and server.crt were created.

Using the Mandrake Control Centre DrakServices utility I stopped and restarted the httpd server and with trepidation tried to open "https://ace.velvetwood.co.uk" in a new browser. An alert window just like the last told me to examine the certificate, which was now issued by 'ace.velvetwood.co.uk' and sure enough all the stuff I'd entered in the script was there.

I accepted the certificate and there was my welcome screen, bit with the padlock icon. Yippee !

Two "words of warning".

First, the shell script does not set a pass phrase for the server key. If you read the mod-ssl website documentation, it will explain why this may not be a good idea. The reason is that the Mandrake Control Centre (and for that matter the fedora equivalent) seem unable to handle the processing of a request for a pass phrase and will return an error message. Workrounds for this are documented in this site and others.

Second, you can install this certificate in a galeon/mozilla/netscape browser and it will use it again without complaint if you rewturn to the site in a new window on another occasion. However, Internet Explorer / Windoze will not. No matter how many times you tell Internet Explorer to install the certificate in the "Trusted Root Certificate Authorities" store, it won't, it will put it in the "Intermediate Authorities" store and you'll get a complaint every time.

In stark contrast, my server https://velvetwood.co.uk used to run redhat 9 and currently runs fedora core 1. The self-signed ssl certificate on THAT machine, created by a "make testcert" command, CAN be put in the root certificate store in Windoze IE6.

I am currently trying to understand why this happens. When I do I guess it will be time for me to apply for the next level of "linux guruness" !

I hope this helps you get a system working

Wow... quite thorough... I got everything working... as you can see here: https://merg.umassd.edu I also run into the certificate not storing itself. I believe that this is because it is not "SIGNED" by a CA, and even though I tried to self Sign them, (as you are supposed to be able to) i still have problems. But, I believe, the fact that the certificate window is poping up, will now allow me to begin to use ssl for authentication. THANKS for your help!!

~Jake

Thank You but I'm only really summarising what others have already documented in various places, and then adding my personal experiences with my own system(s).

I am now trying to get to the bottom of three separate "quirky" behaviour issues between linux mozilla / galeon and windows internet explorer. All three quirks begin in the same way; all the browsers raise an alert on the first visit to the site in question, mozilla /galeon asks if you want to accept the certificate 'warts and all' and will make subsequent visits to the site without further complaint, whereas windows IE whines on every visit. If you use the 'examine certificate' option and probe the details you will see one of three things.

1) A complaint that the certificate cannot be validated because a valid certificate revocation list cannot be found (seen in slackware 9.1 after following mod-ssl website instructions)

2) A complaint that the certificate cannot be validated because the CA cert used to sign it cannot be identified / trusted (seen in slackware 9.1 after using the slackware-supplied ssl setup script)

I am fairly convinced that these both boil down to a failure on my part to make some necessary change in the apache config files but I have not had enough free time to pursue this.

3) This wierd difference between mandrake and redhat/fedora where mandrake's cert will NOT be put in the Trusted Root Store no matter what you try, but redhat/fedora's CAN be.

I have also experiences all of these issues, using Mandrake 9.2... I wouldnt know where to start to boil them down tho... :-/