I wrote this page because it took me forever to figure out how to get an
https server to work on Linux, and I wanted to make it a little easier for
someone else who might want to do it. Some people I know have tried to do it by
simply replacing http: in the URL with https:, but this may not work, because
if your server is using the default certificate it came with, the encryption
is very easy to break. What you need to do is create a self-signed
certificate.
Make sure you have an Apache web server running SSL (Secure Socket Layer,
or https). To check this,
you may be able to try these commands (as root, of course):
$ /etc/rc.d/init.d/httpd stop
$ /etc/rc.d/init.d/httpd startssl
If these succeed, you have an SSL-enabled version of Apache. You may also be able to check if you are running SSL by using nmap to port scan yourself. If port 443 is open, you probably have an Apache server running https (make sure your firewall isn't blocking it!). If you don't have Apache with SSL, you will need to get it. If you already have Apache but don't have SSL, you may need to reinstall it. At the end of this document I explain how to install Apache with SSL.
If you already have a web server running https, you will still need openssl
to create a certificate. If you do not have openssl, you can get it from
www.openssl.org/source. You can test this by typing:
$ openssl version
Even if you already have openssl I would suggest upgrading to the latest version, because they recently fixed some security holes in openssl. In fact, if you haven't updated apache recently, you might want to update that also because there is a worm going around infecting old versions of apache (the worm was first noticed two months ago).
You can get openssl from www.openssl.org. To install openssl, first
uncompress it (using tar -xvzf filename.tar.gz), change to the directory that
was just created, and type
$ ./config
$ make
$ make test
$ make install
If that doesn't work, read the INSTALL file that came with openssl to figure out what's wrong.
Next, find your httpd.conf file, using either of these:
$ locate httpd.conf
$ find / -name httpd.conf
httpd.conf should be in the conf directory. Once you are in that directory, you will need to create an encryption key. You can password protect the key so that if anyone manages to hack into your computer, they still won't be able to know what your key is. If you do this, you'll have to type in the password every time you restart your web server (for example, when the computer reboots). If you think your computer is safe against hackers, you can leave the password out.
Here is the command to create the key with a password:
$ openssl genrsa -des3 -out filename.key 1024
And to create the key without a password:
$ openssl genrsa -out filename.key 1024
Your key will be created in a file called filename.key.
After you have created the key, you can create a self-signed certificate. A certificate is something your computer can present to the browser to prove that you are who you say you are. If someone the browser trusts has signed your certificate, then the browser believes it can trust you also. To get your certificate signed by someone the browser trusts, you typically need to pay someone like Verisign $300.
If you don't want to pay that kind of money, you can sign your own certificate. The browser will have no way to verify that you are who you say you are, but your communication will still be encrypted. A self-signed certificate is usually the best option unless you will be handling very sensitive data like credit card numbers.
To create a self-signed certificate, use the key that you just created, and
type:
$ openssl req -new -key filename.key -x509 -days 1000 -out filename.crt
You will be prompted to enter a lot of information. Most of it doesn't matter, but the Common Name should be the domain name of your computer (i.e. andrew.cs.byuh.edu). When you have entered everything, the certificate will be created in a file called filename.crt.
If you want to see the contents of a certificate, use the following:
$ openssl x509 -in filename.crt -text
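The key and certificate steps above, as an added example script that is not part of the original page: it runs openssl genrsa and openssl req -x509 without the interactive prompts (the -subj option supplies the Common Name on the command line), then confirms that the certificate and key actually belong together by comparing the RSA modulus in each, which is the check to run before pointing Apache at the two files. The host name srv.example.test, the 2048-bit key size and the output path prefix are assumptions of the example, not values from the page.

```shell
#!/bin/sh
# Added example, not from the original page: create an RSA key and a
# self-signed certificate without the interactive prompts, then prove the
# pair belongs together before handing it to Apache.
# Assumptions: the host name srv.example.test and all paths are placeholders.

# make_selfsigned PREFIX COMMONNAME DAYS
#   Writes PREFIX.key and PREFIX.crt. -subj supplies the subject up front;
#   the CN is the field the browser compares with the host name in the URL.
make_selfsigned() {
  prefix=$1; cn=$2; days=$3
  openssl genrsa -out "$prefix.key" 2048 >/dev/null 2>&1 || return 1
  chmod 600 "$prefix.key"   # the private key is for the web server only
  openssl req -new -key "$prefix.key" -x509 -days "$days" \
    -subj "/CN=$cn" -out "$prefix.crt" >/dev/null 2>&1
}

# verify_pair KEYFILE CRTFILE
#   A certificate only works with the key it was generated from; compare the
#   RSA modulus embedded in each. A mismatch means Apache will refuse to start
#   (or present a certificate it cannot use) with these two files.
verify_pair() {
  kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
  cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# cert_cn CRTFILE
#   Print just the Common Name; handles both the "/CN=x" (OpenSSL 1.0) and
#   "CN = x" (OpenSSL 1.1 and 3) subject formats.
cert_cn() {
  openssl x509 -noout -subject -in "$1" |
    sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# cert_valid_for CRTFILE DAYS
#   Returns 0 if the certificate will still be valid DAYS from now, i.e. it
#   is neither expired nor about to expire (handy to run from cron).
cert_valid_for() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Usage (constructed paths): sh makecert.sh /tmp/srv srv.example.test 1000
if [ "$#" -eq 3 ]; then
  make_selfsigned "$1" "$2" "$3" && verify_pair "$1.key" "$1.crt" &&
    echo "ok: CN=$(cert_cn "$1.crt"), key and certificate match"
fi
```

The modulus comparison is the important part: a certificate copied from another machine, or regenerated after the key was replaced, looks fine to openssl x509 -text but will not work with the key Apache is given. Current browsers also require the host name in a subjectAltName extension, not only in the Common Name; OpenSSL 1.1.1 and later can add one to the openssl req command with -addext "subjectAltName=DNS:srv.example.test".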
Now edit httpd.conf and find the line that starts with SSLCertificateFile.
Change it to point to your new certificate:
SSLCertificateFile /usr/local/apache/conf/ssl.crt/filename.crt
If the line is commented out (i.e. if it starts with a '#'), uncomment
it. Do the same to the line that starts with SSLCertificateKeyFile:
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/filename.key
Finally, restart the http server like this:
$ /etc/rc.d/init.d/httpd stop
$ /etc/rc.d/init.d/httpd startssl
Or, if you installed your own apache server, this might work a little
better:
$ ../bin/apachectl stop
$ ../bin/apachectl startssl
(If you have to do this, you might consider copying apachectl to /etc/rc.d/init.d/httpd so your web server will be started automatically by chkconfig).
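A check worth running before that restart, as an added example that is not part of the original page: it reads httpd.conf, takes the active (uncommented) SSLCertificateFile and SSLCertificateKeyFile directives, and verifies that both files exist and that the key is not readable by other local users, so a forgotten '#' or a mistyped path shows up here rather than as a failed restart. It assumes the directive values are absolute paths (Apache also accepts paths relative to ServerRoot, which this check does not resolve); the httpd.conf path is whatever locate or find gave you.

```shell
#!/bin/sh
# Added example, not from the original page: check the two SSL directives in
# httpd.conf before restarting Apache, so a forgotten '#' or a wrong path
# shows up here instead of as a failed restart.
# Assumption: directive values are absolute paths (ServerRoot-relative paths
# are not resolved).

# active_value CONF DIRECTIVE
#   Print the argument of the last uncommented occurrence of DIRECTIVE.
#   A line such as "#SSLCertificateFile ..." has "#SSLCertificateFile" as its
#   first field, so it never matches: that is the mistake we want to catch.
active_value() {
  awk -v d="$2" '$1 == d { v = $2; gsub(/"/, "", v) }
                 END { if (v != "") print v }' "$1"
}

# check_ssl_conf CONF
#   Returns 0 when both directives are active, both files exist and the key
#   is readable only by its owner; prints the reason otherwise.
check_ssl_conf() {
  conf=$1
  crt=$(active_value "$conf" SSLCertificateFile)
  key=$(active_value "$conf" SSLCertificateKeyFile)
  [ -n "$crt" ] || { echo "SSLCertificateFile missing or commented out"; return 1; }
  [ -n "$key" ] || { echo "SSLCertificateKeyFile missing or commented out"; return 1; }
  [ -f "$crt" ] || { echo "certificate not found: $crt"; return 1; }
  [ -f "$key" ] || { echo "key not found: $key"; return 1; }
  # A key every local user can read defeats the point of protecting it;
  # columns 5-10 of ls -l output are the group and other permission bits.
  case $(ls -l "$key" | cut -c5-10) in
    ------) ;;
    *) echo "key $key is readable by group/other: chmod 600 it"; return 1 ;;
  esac
  echo "ok: certificate=$crt key=$key"
}

# Usage: sh checkconf.sh /usr/local/apache/conf/httpd.conf
if [ -n "$1" ]; then
  check_ssl_conf "$1"
fi
```

If the check reports the key as group- or world-readable, fix the mode before restarting; the password on the key only helps if the file itself is not sitting open for every local account to copy.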
And now, if you have done everything correctly, your server should be running https. Start up mozilla, type in https://name.of.my.computer.org and enjoy the view.
If you felt my instructions weren't very clear, there is another explanation available at icewalkers.
If you want to know how to create a certificate authority, or to install client certificates in browsers (so your server can authenticate the browsers that connect to it), then visit pseudonym.org.
If you want to delve into the gory depths of encryption software, or you want to use openssl in your C programs (maybe you want to hack encryption into
your custom mail server), you should check out this
tutorial by Eric Rescorla.
To install Apache with SSL, you first need to download the latest 1.3
version of Apache. You can get it at
www.apache.org. Make
sure you don't get version 2.x, it doesn't work yet with mod_ssl.
You'll also need to download the latest version of openSSL from
www.openssl.org Get
the regular tar file, not the engine. Finally, download mod_ssl from
www.modssl.org.
Uncompress them using the following:
$ tar xvfz apache_1.3.x.tar.gz
$ tar xvfz mod_ssl-2.8.x-1.3.x.tar.gz
$ tar xvfz openssl-0.9.x.tar.gz
There are some very detailed installation instructions in the INSTALL file of mod_ssl, but here is the short version.
In the openssl directory, type:
$ ./config no-idea nothreads -fPIC
$ make
$ make test
Change to the mod_ssl directory, and type:
$ ./configure --with-apache=../apache_1.3* --with-ssl=../openssl-0.*/
Change to the apache directory, and type:
$ make
If you do the following command, a key and self-signed certificate will
be created and the server will be configured automatically for you, and you
will not need to follow the steps above:
$ make certificate TYPE=custom
You will be prompted to enter the information for the Certificate
Authority, then for the Server Certificate. It doesn't matter a whole lot
what you enter, but most of what you type will be visible to people who visit
your site. If you don't know what to type, just hit enter for the default.
Then type
$ make install
Finally, to start your https server, type
$ /usr/local/apache/bin/apachectl startssl
If you did everything correctly, your server should be running now, with
https on. Make sure you check out the httpd.conf
file and configure it the way you want it for your site.
| andrew (at) cs.byuh.edu | Thursday October 24,2002 |