https gets you:
More details of SSL:
Note also that whether a browser accepts the identity of a server depends on the set of 'root authority certificates' configured into that browser (the common browsers come with such certificates for the common Certificate Authorities). Anyone who can add a certificate to that set, or otherwise tamper with it, could in principle cause you to accept the identity of a bogus server, because the browser trusts whatever those roots vouch for.
There are two add-ons that give Apache SSL capability: Apache-SSL (http://www.apache-ssl.org/) and mod_ssl (http://www.modssl.org/). RedHat 7 (at least) ships with mod_ssl. That's what I describe below. Both packages provide much the same features, and many of their configuration parameters are the same.
Both use OpenSSL (http://www.openssl.org/) for cryptographic support. OpenSSL derives from the earlier SSLeay by Eric A. Young and Tim J. Hudson, and much documentation still talks about SSLeay.
The openssl command (which does key and certificate manipulation for OpenSSL) has a huge range of options and parameters; the examples given below are not necessarily the only way of doing things. They also use 1024-bit RSA keys, which were usual when this was written. Anything generated today should be at least 2048 bits: CAs will not sign a shorter key and browsers reject certificates that carry one.
    [root@mnementh certs]# openssl genrsa -des3 -rand \
        /var/log/messages:/var/log/messages.0 1024 \
        > mnementh.csi.cam.ac.uk.key
    157808 semi-random bytes loaded
    Generating RSA private key, 1024 bit long modulus
    ........++++++
    ............................++++++
    e is 65537 (0x10001)
    Enter PEM pass phrase:
    Verifying password - Enter PEM pass phrase:
    [root@mnementh certs]# openssl req -new -key mnementh.csi.cam.ac.uk.key \
        > mnementh.csi.cam.ac.uk.csr
    Using configuration from /usr/share/ssl/openssl.cnf
    Enter PEM pass phrase:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:GB
    State or Province Name (full name) [Some-State]:Cambridgeshire
    Locality Name (eg, city) []:Cambridge
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Cambridge
    Organizational Unit Name (eg, section) []:Computing Service
    Common Name (eg, your name or your server's hostname) []:mnementh.csi.cam.ac.uk
    Email Address []:jw35@cam.ac.uk

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    [root@mnementh certs]# cat mnementh.csi.cam.ac.uk.csr
    -----BEGIN CERTIFICATE REQUEST-----
    MIIB+TCCAWICAQAwgbgxCzAJBgNVBAYTAkdCMRcwFQYDVQQIEw5DYW1icmlkZ2Vz
    aGlyZTESMBAGA1UEBxMJQ2FtYnJpZGdlMSAwHgYDVQQKExdVbml2ZXJzaXR5IG9m
    IENhbWJyaWRnZTEaMBgGA1UECxMRQ29tcHV0aW5nIFNlcnZpY2UxHzAdBgNVBAMT
    Fm1uZW1lbnRoLmNzaS5jYW0uYWMudWsxHTAbBgkqhkiG9w0BCQEWDmp3MzVAY2Ft
    LmFjLnVrMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCfkudk25OzLR9oi/bt
    Iy9im4R9mKSDlSjry1fvMh/Zyzn936RCTrvYVLE5TmGDsYoBcawW1JlVTfi7vxpi
    +mPjaRRcRa92gVK+3/4cfIQqJkZTb9CJYK5BQCHc11G1Iv1T0b0rnjy/0h6QQM8O
    Z6uIkcBqHQJry//GJuOXzafT6wIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEAVDF/
    GgGME0/1h0q6TM+6ucmulmZGCHwOmKVkcbDF84STox6TRDXzuzEGMXZE83T1RkwI
    9UAbNJZOsesIFh1+AgqepBn44vl2+Ww4nVNQwEUp08a/jyahsfuYBQBSL42V9HmL
    Pmg4c5+mNrdgaROg6/ebJdBURD3DTpAPwSc0Iyg=
    -----END CERTIFICATE REQUEST-----
Note that the 'Common Name' in the certificate must match the host name of your server, otherwise browsers will (justifiably) complain. For a host with several names (www-uxsup.csx.cam.ac.uk/nymph.csi.cam.ac.uk) it should be whatever is going to appear in the URLs. Current browsers go further and ignore the Common Name altogether: the host name must appear in the certificate's subjectAltName extension, which CAs now fill in with the names you asked for. Some CAs (Thawte are an example) offer 'wildcard' certificates (eg *.cam.ac.uk), but these are not supported by all servers/browsers and are more expensive.
Further, you are likely to have to prove (in some way) to a Certificate Authority that you really are the organization described in the other fields and that the domain name entered in 'Common Name' is registered to you.
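The key and CSR steps above, done non-interactively so they can be scripted, followed by the two checks worth running on a CSR before it goes to the CA: that the Common Name is the host name that will appear in URLs, and that the request's self-signature verifies. This is an added example, not code from the original page; the host name, DN fields, pass phrase and the certs/ directory are assumed, and it uses a 2048-bit AES-protected key in place of the 1024-bit DES3-protected key shown above.

```shell
#!/bin/sh
# Added example, not from the original page: the key and CSR steps done
# non-interactively, with the checks worth running on the CSR before it
# goes to a CA. HOST, the DN fields, PASS and the directory are assumed.
set -eu

HOST="mnementh.csi.cam.ac.uk"
SUBJ="/C=GB/ST=Cambridgeshire/L=Cambridge/O=University of Cambridge/OU=Computing Service/CN=$HOST"
# Assumed pass phrase; in real use take it from a root-only file (file:/path)
# or let openssl prompt for it, never from a command line others can see.
PASS="pass:example-passphrase"

# Generate a pass-phrase-protected key and a CSR for it in directory $1.
# 2048 bits and AES-256 replace the page's 1024-bit, DES3-protected key.
make_csr() {
    dir=$1
    openssl genrsa -aes256 -passout "$PASS" -out "$dir/$HOST.key" 2048 2>/dev/null
    chmod 600 "$dir/$HOST.key"
    openssl req -new -key "$dir/$HOST.key" -passin "$PASS" -subj "$SUBJ" \
        -out "$dir/$HOST.csr" 2>/dev/null
}

# Print the Common Name carried by a CSR, so it can be compared with the
# host name that will appear in URLs. Handles both the old "/CN=..." and the
# newer "CN = ..." subject formats that openssl prints.
csr_cn() {
    openssl req -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Check the CSR's self-signature: it proves the request was produced with the
# private key whose public half it carries and was not altered on the way.
csr_verify() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# Stand-alone use: sh make_csr.sh run
main() {
    mkdir -p certs
    make_csr certs
    cn=$(csr_cn "certs/$HOST.csr")
    [ "$cn" = "$HOST" ] || { echo "CN '$cn' does not match host '$HOST'" >&2; exit 1; }
    csr_verify "certs/$HOST.csr" || { echo "CSR signature does not verify" >&2; exit 1; }
    echo "CSR for $HOST is ready to send to the CA"
}

if [ "${1:-}" = run ]; then main; fi
```

The CN check is the one that catches the mistake the text warns about (typing your own name, or the wrong one of several host names, at the Common Name prompt); it is cheap to do before a CA has signed the wrong thing.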
What comes back from the CA is the signed certificate. The one below was issued by Thawte's test CA (its issuer fields read 'FOR TESTING PURPOSES ONLY'), whose root no browser trusts, so it produces the same warnings as a self-signed certificate; a certificate from a real CA is used in exactly the same way.

    [root@mnementh certs]# cat mnementh.csi.cam.ac.uk.cert
    -----BEGIN CERTIFICATE-----
    MIIC3zCCAkigAwIBAgIEAJXIWzANBgkqhkiG9w0BAQQFADCBhzELMAkGA1UEBhMC
    WkExIjAgBgNVBAgTGUZPUiBURVNUSU5HIFBVUlBPU0VTIE9OTFkxHTAbBgNVBAoT
    FFRoYXd0ZSBDZXJ0aWZpY2F0aW9uMRcwFQYDVQQLEw5URVNUIFRFU1QgVEVTVDEc
    MBoGA1UEAxMTVGhhd3RlIFRlc3QgQ0EgUm9vdDAeFw0wMTAxMjMxNDUzMzFaFw0w
    MjAxMjMxNDUzMzFaMIG4MQswCQYDVQQGEwJHQjEXMBUGA1UECBMOQ2FtYnJpZGdl
    c2hpcmUxEjAQBgNVBAcTCUNhbWJyaWRnZTEgMB4GA1UEChMXVW5pdmVyc2l0eSBv
    ZiBDYW1icmlkZ2UxGjAYBgNVBAsTEUNvbXB1dGluZyBTZXJ2aWNlMR8wHQYDVQQD
    ExZtbmVtZW50aC5jc2kuY2FtLmFjLnVrMR0wGwYJKoZIhvcNAQkBFg5qdzM1QGNh
    bS5hYy51azCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAn5LnZNuTsy0faIv2
    7SMvYpuEfZikg5Uo68tX7zIf2cs5/d+kQk672FSxOU5hg7GKAXGsFtSZVU34u78a
    Yvpj42kUXEWvdoFSvt/+HHyEKiZGU2/QiWCuQUAh3NdRtSL9U9G9K548v9IekEDP
    DmeriJHAah0Ca8v/xibjl82n0+sCAwEAAaMlMCMwEwYDVR0lBAwwCgYIKwYBBQUH
    AwEwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQQFAAOBgQB0ap+gRFVTGZ4GFJtN
    h4gTUfUeaXJR6XJ9FaoD6XBxK2lY4SW1HtzmJaexgkedM4JfjlHntgQZmSkmPlSP
    if61XSqV9b82rIZQd3BEtQn0UvymQCHGp7Ae14HF2qqnMLD4Oj0YKsCo1M7faRfB
    tILNfOv1q3mFmEk7Lb4kaEGQ6A==
    -----END CERTIFICATE-----
    LoadModule ssl_module modules/libssl.so
    AddModule mod_ssl.c

    Listen 443

    <VirtualHost _default_:443>
        DocumentRoot "/var/www/html"
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl.crt/mnementh.csi.cam.ac.uk.cert
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mnementh.csi.cam.ac.uk.key
        <Directory "/">
            SSLRequireSSL
        </Directory>
    </VirtualHost>

Restart Apache and away you go. Note that with a pass-phrase-protected key, Apache will stop and ask for the pass phrase on the console every time it starts, which is a problem for unattended restarts; the usual answer is to strip the pass phrase from the key:
    [root@mnementh certs]# openssl rsa -in mnementh.csi.cam.ac.uk.key \
        -out mnementh.csi.cam.ac.uk.key.clear
    read RSA key
    Enter PEM pass phrase:
    writing RSA key

The server reads the key at startup while it is still running as root (before it switches to the unprivileged user that serves requests), so the key file can and should be protected so that only root can read it. This matters even more once the pass phrase has been removed: an unencrypted key readable by the web server's own user, or by anyone else on the machine, lets them impersonate the server.
    [root@mnementh certs]# openssl req -new -x509 -days 365 \
        -keyout test.key -out test.cert
    Using configuration from /usr/share/ssl/openssl.cnf
    Generating a 1024 bit RSA private key
    ..++++++
    ..............................++++++
    writing new private key to 'test.key'
    Enter PEM pass phrase:
    Verifying password - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:GB
    State or Province Name (full name) [Some-State]:Cambridgeshire
    Locality Name (eg, city) []:Cambridge
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Cambridge
    Organizational Unit Name (eg, section) []:Computing Service
    Common Name (eg, your name or your server's hostname) []:mnementh.csi.cam.ac.uk
    Email Address []:jw35@cam.ac.uk

Add the -nodes option to create a key file without a pass phrase. This is a 'self-signed' certificate that web browsers won't know to accept, so when you browse to the site you will get a (sequence of) warning dialogs.
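The self-signed (-nodes) case above, together with the checks that belong before pointing Apache at a key and certificate: that the two actually belong together, that the certificate is self-signed (so the warning dialogs are expected rather than a sign of something wrong), and that the key file has the owner-only permissions the previous section asks for. This is an added example, not code from the original page; HOST, SUBJ and the certs/ directory are assumptions, and the key is 2048 bits rather than the 1024 shown above.

```shell
#!/bin/sh
# Added example, not from the original page: a self-signed test certificate
# without a pass phrase, plus the checks worth running before handing a key
# and certificate to Apache. HOST, SUBJ and the directory are assumed.
set -eu

HOST="mnementh.csi.cam.ac.uk"
SUBJ="/C=GB/O=University of Cambridge/CN=$HOST"

# Key and self-signed certificate in directory $1. -nodes leaves the key
# unencrypted so the server can restart unattended, which is exactly why the
# file must be readable by its owner (root on the server) and nobody else.
make_selfsigned() {
    dir=$1
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 -subj "$SUBJ" \
        -keyout "$dir/test.key" -out "$dir/test.cert" 2>/dev/null
    chmod 600 "$dir/test.key"
}

# A key and a certificate belong together exactly when their RSA moduli are
# equal; comparing a digest keeps the values short. A mismatched pair (for
# example a cert from last year's CSR with this year's key) stops Apache
# from starting.
key_cert_match() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
    [ "$k" = "$c" ]
}

# Self-signed means issuer equals subject: no root in the browser's store
# vouches for it, hence the warning dialogs.
is_self_signed() {
    iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
    sub=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
    [ "$iss" = "$sub" ]
}

# Octal permission bits of a file (GNU stat, with the BSD form as fallback).
key_perms() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Stand-alone use: sh selfsigned.sh run
main() {
    mkdir -p certs
    make_selfsigned certs
    key_cert_match certs/test.key certs/test.cert || { echo "key and certificate do not match" >&2; exit 1; }
    is_self_signed certs/test.cert && echo "certificate is self-signed: expect browser warnings"
    [ "$(key_perms certs/test.key)" = 600 ] || { echo "certs/test.key is not owner-only" >&2; exit 1; }
    echo "certs/test.key and certs/test.cert are consistent"
}

if [ "${1:-}" = run ]; then main; fi
```

The modulus comparison is the same check to run on a CA-issued certificate against the key from the earlier steps; it is the quickest way to tell a wrong-file problem from a wrong-permissions one when Apache refuses to start.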