Before configuring Apache, you must first acquire an SSL certificate from a certificate authority that your users will trust. Depending on where your web site or application will be accessible and what resources you have at your disposal, you can either obtain a certificate from a trusted third-party CA or from a CA in your own enterprise public key infrastructure. I happen to work with a predominantly Windows infrastructure, so I used my Windows Server 2008 R2 CA to generate the certificate. If you decide, like I did, to use a certificate that is not from a third-party CA, Firefox users will be presented with the warning message "This connection is untrusted", because Firefox keeps its own certificate store rather than using the operating system's. Each user will have to import either the server certificate or the CA certificate into Firefox to avoid the warning. Internet Explorer, Chrome and Safari on Windows will trust the Windows CA because they use the integrated Windows certificate store, which (for domain-joined machines) contains a copy of your Windows CA certificate and trusts it. If you expect that a lot of your site visitors will be using non-Windows devices or predominantly Firefox, then save yourself a support headache and buy a certificate from a third-party CA.
Once you have your server certificate you can finish the SSL configuration. The particular server that I'm using as an example is running CentOS 6.2. You will need to check file locations for your distribution if it is different. The default configuration for Apache running on CentOS is to use '/etc/httpd/conf/httpd.conf' as well as all '.conf' files located in '/etc/httpd/conf.d' because 'httpd.conf' contains the following directive.
Include conf.d/*.conf
The only indication that I'm running this server over SSL from httpd.conf is the directive:
ServerName server.domain.local:443
I left 'Listen 80' in 'httpd.conf' so that my clients could connect to the web site without typing "https://" or appending ":443" to my site address. Everything else is configured in '/etc/httpd/conf.d/ssl.conf'. Be sure that only one of your .conf files contains the directive 'Listen 443'; I have it in ssl.conf. If you include it in both 'httpd.conf' and 'ssl.conf', Apache will fail to start with an "Address already in use" error message, because the second directive tries to bind a port the first one already bound.
You can leave the majority of 'ssl.conf' with the default configuration that ships with Apache, but make sure that it includes 'SSLEngine on'. The primary lines that you will need to edit in 'ssl.conf' tell Apache which certificates to present to your users' web browsers as well as which private key is associated with the server certificate. It is the public key / private key pair that is the basis of SSL cryptography. The public key is provided to the client in the certificate and the private key is held by the server and never leaves it. During the handshake the server proves that it holds the private key matching the certificate, and the two sides use the negotiated cipher suite together with fresh random values to derive symmetric session keys that encrypt the rest of that particular conversation. Here are the directives from 'ssl.conf':
SSLCertificateFile /etc/pki/tls/certs/server.domain.local.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.domain.local.key
SSLCACertificateFile /etc/pki/tls/certs/ca.domain.local.crt
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
The names of these directives make them largely self-documenting, with one caveat: 'SSLCACertificateFile' is documented as the list of CAs whose client certificates Apache will accept (used with 'SSLVerifyClient'), so don't rely on it to deliver intermediate certificates to browsers; 'SSLCertificateChainFile' is the directive for that. The last line is not strictly needed and I'm not using it, but I thought I'd include it for completeness. My server certificate was generated by the root CA in my PKI, so in my case there is no server chain to speak of; the root itself does not need to be sent, since clients must already trust it. On Apache 2.4.8 and later it's also not needed if your server certificate file contains, appended after the server certificate, the certificates of any intermediate certificate authorities in the certification chain. On the 2.2 release that CentOS 6 ships, the chain file directive must still be present, although it may point at the same file as 'SSLCertificateFile'. Finally, keep the private key file readable only by root (the default for '/etc/pki/tls/private'); httpd reads it as root at startup before dropping privileges to the apache user.
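Because the two mistakes described above (a second 'Listen 443' and a key that doesn't match the certificate) both surface only when httpd is restarted, it is worth checking for them beforehand. The following is an added example, not code from this post or from the Apache project: a small stand-alone Python 3 script that lints the directives gathered from httpd.conf and conf.d/*.conf and, when the referenced files exist, verifies the key pairs with the certificate by loading them through OpenSSL via the standard 'ssl' module. The two config texts are constructed for illustration and follow the layout described above; the '/etc/pki/tls' paths are the ones from the post.

```python
import re
import ssl
from pathlib import Path

# Constructed sample configs modelled on the layout described in the post:
# httpd.conf keeps 'Listen 80' and the ServerName, ssl.conf carries the SSL vhost.
HTTPD_CONF = """\
Listen 80
Include conf.d/*.conf
ServerName server.domain.local:443
"""

SSL_CONF = """\
Listen 443
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/server.domain.local.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.domain.local.key
</VirtualHost>
"""

DIRECTIVE = re.compile(r"^(\w+)\s+(.*?)\s*$")


def parse_directives(text):
    """Return (name, value) pairs; names are lower-cased because Apache
    directive names are case-insensitive. Comments, blank lines and container
    tags such as <VirtualHost> are skipped."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            found.append((m.group(1).lower(), m.group(2)))
    return found


def listen_port(value):
    """'443', '0.0.0.0:443', '[::]:443' and '443 https' all yield '443'."""
    return value.split()[0].rsplit(":", 1)[-1]


def lint(configs):
    """configs maps file name -> file text. Returns a list of problem strings,
    empty when the merged configuration looks consistent."""
    problems = []
    merged = []
    files_listening_443 = []
    for name, text in configs.items():
        directives = parse_directives(text)
        merged.extend(directives)
        if any(d == "listen" and listen_port(v) == "443" for d, v in directives):
            files_listening_443.append(name)

    # The pitfall from the post: binding 443 twice makes httpd fail to start.
    if len(files_listening_443) > 1:
        problems.append("Listen 443 appears in %s; httpd will fail with "
                        "'Address already in use'" % ", ".join(files_listening_443))
    elif not files_listening_443:
        problems.append("no Listen 443 in any file; the SSL vhost is unreachable")

    if not any(d == "sslengine" and v.lower() == "on" for d, v in merged):
        problems.append("SSLEngine on is missing")
    names = {d for d, _ in merged}
    for required in ("sslcertificatefile", "sslcertificatekeyfile"):
        if required not in names:
            problems.append("%s is not set" % required)
    return problems


def key_matches_cert(cert_path, key_path):
    """True if the private key pairs with the certificate, False on mismatch
    (OpenSSL reports KEY_VALUES_MISMATCH), None if either file is missing."""
    if not (Path(cert_path).is_file() and Path(key_path).is_file()):
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(cert_path, key_path)
    except ssl.SSLError:
        return False
    return True


if __name__ == "__main__":
    configs = {"httpd.conf": HTTPD_CONF, "ssl.conf": SSL_CONF}
    for problem in lint(configs) or ["configuration looks consistent"]:
        print(problem)
    values = dict(d for f in configs.values() for d in parse_directives(f))
    print("key matches cert:",
          key_matches_cert(values["sslcertificatefile"],
                           values["sslcertificatekeyfile"]))
```

On a real server, replace the two constructed strings with the contents of '/etc/httpd/conf/httpd.conf' and each file under '/etc/httpd/conf.d/'. The key check uses the same OpenSSL routine httpd relies on, so a False here means the restart would fail with a key/certificate mismatch.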