Apache Secure Server (HTTPS)

Have a read of http://httpd.apache.org/docs-2.0/ssl/

The shorter HOWTO guide for a standard Red Hat (7.1) install of Apache is:

  1. cd /etc/httpd/conf
  2. mv ssl.cert/server.crt ssl.cert/server.crt.old
  3. mv ssl.key/server.key ssl.key/server.key.old
  4. make genkey
  5. make testcert

which takes a little less than 2 minutes!

Mandrake 10.0

server.crt and server.key are under /etc/ssl/apache and the script to generate the certificate is /usr/lib/ssl/apache2-mod_ssl/gentestcrt.sh

-- Frank Dean - 20 Oct 2004

Debian Woody


  • /usr/sbin/ssl-certificate

and follow the instructions.

-- Frank Dean - 31 Jan 2005

Generating with Openssl

If suitable scripts aren't available for your distribution, or you'd like to better understand the mechanisms used, this section gives some brief pointers.

The HOWTOs listed at http://www.openssl.org/docs/HOWTO/ are very brief and to-the-point and well worth reading. This is a very short summary of those guides.

Generating public and private keys

See http://www.openssl.org/docs/HOWTO/keys.txt

Generate the private RSA key, in this case, without a password;

  • openssl genrsa -out privkey.pem

To generate with a password:

  • openssl genrsa -des3 -out privkey.pem

To create something more secure, seed the command with some random data.

  • cat /dev/random > seedfile # Interrupt after a while with CTRL-C
  • openssl genrsa -out privkey.pem -rand seedfile rsaparam.pem

Remove Private Key Password

  • openssl rsa -in oldprivkey.pem -out nopassprivkey.pem

Change Private Key Password

  • openssl rsa -in oldprivkey.pem -des3 -out newprivkey.pem

Generating a certificate

  • (Consider using http://tinyca.sm-zone.net/ - apt-get install tinyca as an alternative)
  • -- Frank Dean - 26 Jan 2007

  • Alternatively, just use the /usr/sbin/apache2-ssl-certificate script that is included in Debian 3.1 (Sarge) apache2-common package

  • -- Frank Dean - 17 Apr 2007

See http://www.openssl.org/docs/HOWTO/certificates.txt

Create a certificate request

This creates a PEM formatted certificate which is sent to a Certificate Authority for signing by them, before being returned to you.

  • openssl req -new -key privkey.pem -out cert.csr

Creating a self-signed certificate

  • openssl req -new -x509 -key privkey.pem -out cacert.pem -days 365

Create the Apache certificate

The Apache certificate contains both the private key and the certificate.

  • cat privkey.pem cacert.pem > apache.pem

Installing the certificate will vary by distribution, but for Debian Woody, install it with perms 600, owned by root in /etc/apache-ssl/

Creating a mini Certificate Authority

Create a self-signed certificate to use as the root CA

  • openssl req -new -x509 -key privkey.pem -out rootca.pem -days 365

Create a certificate request

  • openssl req -new -key privkey.pem -out cert.csr

or with SHA1 instead of MD5

  • openssl req -new -sha1 -key privkey.pem -out cert.csr

Sign the certificate request

  • openssl x509 -req -in cert.csr -extensions v3_usr -CA rootca.pem -CAkey privkey.pem -CAcreateserial -out signedcert.pem -days 365

Viewing a certificate

  • openssl x509 -in signedcert.pem -noout -text

Viewing a certificate request

  • openssl req -in signedcert.pem -text

The test certficate is basically a 'self-signed' certifcate which is considered to be insecure in an Internet environment, as it doesn't prove who you are. However, it does work.

Now, to get a trusted certificates you need to go to someone like Verisign - but this isn't cheap. Fortunately it can be done cheaper...

Checkout http://easily.co.uk/ However, they want to validate all php scripts before they'll let them go live. Check in case they have changed the policy on this. I suspect they will.

Also http://www.comodogroup.com/products/certificate_services/index.html

Also some certificates are issued for a specified IP addresss, which would be no good for a server running dynamic DNS. The certificate must be issued by a Certificate Authority (CA) which is recognised by the browser. Internet Explorer and Mozilla are set-up by default to recognise a number of CAs but not all. A CA can issue a certificate to someone else that allows them to act as a CA. That would be OK as long as the browser 'trusts' the root CA.

To see what CAs Internet Explorer accepts, go to Tools->Internet Options, then the 'Content' tab and select 'Certificates' - There are two tabs 'Intermediate Certificate Authorities' and 'Trusted Root Certificate Authorities'. Unsurprisingly, Microsoft have made themselves trusted CAs by default!! In the latest Mozilla (1.4.1) it's under Edit-&Preferences then 'Privacy & Security -> Certificates' then 'Manager Certificates' then the 'Authorities' tab. If you accept my certificate as a permanently 'trusted' certificate - it ought to operate identically to the real thing. Only trouble is, I had problems in the past with Internet Explorer not treating such certificates quite the same as the real thing when I was trying to do things with ActiveX.

Search google limiting the search to your country (there are some country specific googles, e.g. http://www.google.co.uk) for something like 'certificate authority ssl' should give you plenty.

Check with your ISP. Many are including HTTPS for free.


apache2-ssl-certificate will create /etc/apache2/ssl/apache.pem

See also:

In Debian 7.x (Wheezy) the ssl-cert package can be used to create self-signed certificates. See 'Creating self-signed certificates' in /usr/share/doc/apache2.2-common/README.Debian.gz.

-- Frank Dean - 30 Aug 2014


-- Frank Dean - 06 Jan 2004

Related Topics: ApacheHints