Enabling SSL on Apache HTTP Server

After opening our JIRA to outside world via Apache HTTP Server, the next obvious thing was securing communication between users and the web server. Enabling SSL on Apache HTTP Server is really easy. The key ingredients of securing Apache are mod_ssl and OpenSSL. It is possible to download Apache distribution including mod_ssl and openssl runtime.

Here are the steps to enable SSL on Apache;

Copy mod_ssl.so into modules directory, and add following line to your httpd.conf file. If you have downloaded Apache distribution with SSL, they are already available. You only need to uncomment that line.

LoadModule ssl_module modules/mod_ssl.so

Uncomment following line in your httd.conf file as well.

Include conf/extra/httpd-ssl.conf

In order to enable SSL, we need to provide a X509 certificate for server identification. For testing purposes you can create a self signed certificate and install it to start using Apache securely, however your users will see a security warning, which says your certificate is not trusted. In order to clear this warning you need a certificate created by a trusted certificate authority (CA). Nowadays, you don’t have to pay for a certificate for server identification. There are several sites which provide you with free certificates. However, you must be ready to pay for extra features you need from the certificate.

Creating a self signed certificate for testing purposes

First, we need to create a private/public key pair which will be used during certificate creation. In order to do this, we need openssl. In Apache bin directory, execute following command:

openssl  genrsa  -des3  -out  ..\conf\server.key  1024

This will generate a public/private key pair with triple DES algorithm, having 1024 bits in the private key. During key generation, openssl will ask a passphrase in order to secure access to private key. Private key is kept encrypted and this passphrase is required to access it. Then, we need to issue following command to create a self signed certificate with the above key pair:

openssl req -config ..\conf\openssl.cnf -new -key ..\conf\server.key -x509 -out ..\conf\server.crt

In win32 platform we get an error related with accessing openssl.cnf file. Therefore we give its path with –config parameter . req –new command is normally used to issue a new certificate request, but –x509 option causes x509 structure to be output instead of new request. If you create server.key and server.crt with different names and in different folder other than conf, you will need to change related directives in httpd-ssl.conf file:

SSLCertificateFile "E:/work/tools/Apache2.2/conf/server.crt"
    SSLCertificateKeyFile "E:/work/tools/Apache2.2/conf/server.key"

During startup, Apache will require passphrase assigned to the private key. In httpd-ssl.conf, “SSLPassPhraseDialog builtin” directive causes Apache to pop a dialog to enter this pass phrase. Unfortunately, builtin dialog doesn’t work in Win32 platform. Instead, we can create an executable script to provide it and change the directive to specify the path of this executable script as follows:

put following line into conf\passphrase.bat file to echo passphrase.

@echo secret

    SSLPassPhraseDialog exec: E:/work/tools/Apache2.2/conf/passphrase.bat

It is a vulnerability to leave passphrase in such a text file in a machine, accessible from outside world. You must immediately remove echo statement from passphrase.bat file after Apache server starts.

Creating and configuring a certificate signed by a trusted certificate authority

In order to have certificate signed by a CA, we first need to create a certificate request.

openssl req -config ..\conf\openssl.cnf -new -key ..\conf\server.key -out ..\conf\server.csr

Next, we need to submit it to our CA, and wait to recieve signed certificate from it. CAs usually provide detailed information about how to submit requests, receive and save signed certificates etc. Let me assume that signed certificate is already saved into the filesystem. You need to give its path to SSLCertificateFile directive if its different than conf\server.crt.

It is also necessary to put certificate chain into a PEM encoded file and point it with SSLCertificateChainFile directive in httpd-ssl.conf. Certificate chain usually is composed of more than one CA. This PEM encoded file keeps all of those CA certificates appended to each other.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.