As I did the same exercise a couple of weeks ago, I feel that some info is missing (like the location of keys and certificates). Are you sure that that was all that you did to get it working?
Below is the story for a Slackware 10.1 box. I'm not saying that I did it in a better way, but the instructions might be more complete.
It's based on information in Julie C. Meloni's book 'Teach Yourself PHP, MySQL and Apache All in One' (ISBN 0-672-32620-5).
Generating certificate
Step 1 Generate (private) key
Code:
root@btd-techweb01:~# /usr/bin/openssl genrsa -rand /dev/urandom -out btd-techweb01.key 1024
2048 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.++++++
..........++++++
e is 65537 (0x10001)
I did not add the option -des3 after genrsa as it will require a password every time the Apache webserver is restarted. This will prevent automatic restarts (e.g. after a power down). Although this is less secure, as the key is not encrypted and a security breach on the server might reveal the key, this risk is considered acceptable. Just secure the server properly.
Step 2 Generate certificate signing request
Once a key file is generated, a Certificate Signing Request (CSR) can be generated.
Code:
root@btd-techweb01:~# /usr/bin/openssl req -new -key btd-techweb01.key -out btd-techweb01.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ZA
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:mycity
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycompany
Organizational Unit Name (eg, section) []:BTD
Common Name (eg, YOUR name) []:btd-techweb01
Email Address []:wsturkenboom@mycompany.co.za
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:************
An optional company name []:mycompany
Step 3 Signing certificate
The request can now be sent to a Certificate Authority (CA) to be signed. Examples of CAs are Thawte and Verisign.
As this is a server on the intranet, we will sign it ourselves.
Code:
root@btd-techweb01:~# /usr/bin/openssl x509 -req -days 30 -in btd-techweb01.csr -signkey btd-techweb01.key -out btd-techweb01.cert
Signature ok
subject=/C=ZA/L=mycity/O=mycompany/OU=BTD/CN=btd-techweb01/emailAddress=wsturkenboom@mycompany.co.za
Getting Private key
Configuration
Step 1 Copy files
We now have a certificate. It needs to be copied to the directory /etc/apache/ssl.crt and for security we will make it readable for root only.
Code:
root@btd-techweb01:~# cp btd-techweb01.cert /etc/apache/ssl.crt
root@btd-techweb01:~# chmod 400 /etc/apache/ssl.crt/btd-techweb01.cert
We also need to copy the key to /etc/apache/ssl.key
Code:
root@btd-techweb01:~# cp btd-techweb01.key /etc/apache/ssl.key
To make the story complete, we will copy the csr to /etc/apache/ssl.csr; this step is not necessary.
Code:
root@btd-techweb01:~# cp btd-techweb01.csr /etc/apache/ssl.csr
Step 2 Modify mod_ssl.conf
Code:
#WimS; we have cert extension, not crt
AddType application/x-x509-ca-cert .cert
#AddType application/x-x509-ca-cert .crt
#WimS; our certificate
SSLCertificateFile /etc/apache/ssl.crt/btd-techweb01.cert
#SSLCertificateFile /etc/apache/ssl.crt/server.crt
#WimS; our private key
SSLCertificateKeyFile /etc/apache/ssl.key/btd-techweb01.key
We also have to modify some additional info (like the DocumentRoot, as I use a non-standard one).
Code:
# General setup for the virtual host
#WimS; new location
DocumentRoot "/server/www/htdocs/btd/web"
#DocumentRoot "/var/www/htdocs"
#WimS; new server name
ServerName btd-techweb01
#ServerName new.host.name
#WimS
ServerAdmin wsturkenboom@mycompany.co.za
#ServerAdmin you@your.address
As we use the same directories (I did not feel like bothering about it), we will block port 80 as well so that no normal HTTP can be done.
Code:
<IfDefine SSL>
#Listen 80
Listen 443
</IfDefine>
So we now have a server that will only accept https requests.
Step 3 Modify httpd.conf
The last step before we can restart the server is to modify httpd.conf and include mod_ssl.conf.
Code:
# ==> mod_ssl configuration settings <==
#
# PACKAGES REQUIRED: apache (N series) and openssl (N series)
#
#WimS
Include /etc/apache/mod_ssl.conf
#Include /etc/apache/mod_ssl.conf
Restart httpd with ssl support and test
Apache can be compiled with or without SSL support. In the Slackware 10.1 distro, both versions are available and by default the correct one will be started.
With a default Slackware 10.1 installation, the httpd is started from /etc/rc.d/rc.httpd.
To make sure that it starts with ssl, the start option needs to be modified.
Code:
'start')
# /usr/sbin/apachectl start ;;
/usr/sbin/apachectl startssl ;;
To test, use your favorite browser and call up a page on the server. A popup will appear with info about the certificate.
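The three openssl steps of the post above, collapsed into one non-interactive script, with the two checks a practitioner wants afterwards: that the certificate really belongs to the key it will be served with, and that the key (not the certificate, which is public) is the file locked down to the owner. This is an added example, not code from the original post; the hostname, DN values, output directory and lifetimes are assumptions for illustration. It departs from the post in two places on purpose: a 2048-bit key instead of 1024, and a subjectAltName in the certificate, because current browsers reject 1024-bit RSA keys and no longer match the hostname against the CN.

```shell
#!/bin/sh
# Added example, not code from the original post: the three openssl steps
# as one non-interactive script, plus the checks a practitioner wants after.
# Hostname, DN values, output directory and lifetimes are assumptions.
set -eu

# make_selfsigned HOST OUTDIR [DAYS] [BITS]
# Writes OUTDIR/HOST.key, OUTDIR/HOST.csr and OUTDIR/HOST.cert.
make_selfsigned() {
    host=$1; dir=$2; days=${3:-30}; bits=${4:-2048}
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    mkdir -p "$dir"
    umask 077    # every new file starts out readable by its owner only

    # Non-interactive replacement for the DN prompts of 'openssl req'.
    # The [ext] section carries the subjectAltName that browsers require today.
    cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = ZA
L = mycity
O = mycompany
OU = BTD
CN = $host
[ext]
subjectAltName = DNS:$host
EOF

    # Step 1: unencrypted RSA key (no -des3), the same trade-off as in the
    # post so Apache restarts without a passphrase; 2048 bits instead of 1024.
    openssl genrsa -out "$dir/$host.key" "$bits" 2>/dev/null

    # Step 2: certificate signing request, DN taken from the config file.
    openssl req -new -config "$dir/req.cnf" -key "$dir/$host.key" -out "$dir/$host.csr"

    # Step 3: self-sign. 'x509 -req' does not copy the CSR's extensions, so
    # the SAN is supplied again through -extfile/-extensions.
    openssl x509 -req -days "$days" -in "$dir/$host.csr" -signkey "$dir/$host.key" \
        -extfile "$dir/req.cnf" -extensions ext -out "$dir/$host.cert"

    # The certificate is public and may be world-readable; the key is the
    # secret and is the file that must be owner-only.
    chmod 644 "$dir/$host.cert"
    chmod 400 "$dir/$host.key"
}

# check_pair KEY CERT: succeeds only if CERT was issued for KEY, i.e. the
# public key inside the certificate equals the public half of the key file.
check_pair() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_san CERT: prints the DNS entries of the subjectAltName (one name here).
cert_san() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *DNS://p'
}

# file_mode FILE: octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demo run into a temporary directory; the real files would go to
# /etc/apache/ssl.key and /etc/apache/ssl.crt as in the post.
if command -v openssl >/dev/null 2>&1; then
    demo_dir=$(mktemp -d)
    make_selfsigned btd-techweb01 "$demo_dir" 30
    check_pair "$demo_dir/btd-techweb01.key" "$demo_dir/btd-techweb01.cert" \
        && echo "key and certificate match"
    echo "SAN: $(cert_san "$demo_dir/btd-techweb01.cert")"
    echo "key mode: $(file_mode "$demo_dir/btd-techweb01.key")"
    openssl x509 -in "$demo_dir/btd-techweb01.cert" -noout -subject -dates
    rm -rf "$demo_dir"
fi
```

Run it as root on the web server, point the two output paths at the ssl.key and ssl.crt directories, and keep check_pair as the thing to run whenever a certificate is renewed: a mismatched key and certificate is the usual reason an otherwise correct mod_ssl.conf refuses to start.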