www.thorko.de Thorsten Kohlhepp - Systems administrator | Apache SSL


Apache SSL howto

To create a self-signed CA key and certificate, run:

openssl genrsa -out ca.key 4096
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt

Create a webserver key and certificate signing request

openssl genrsa -out webserver.key 4096
openssl req -new -key webserver.key -out webserver.csr

Sign the webserver certificate request with your CA key and certificate

openssl x509 -req -days 365 -in webserver.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out webserver.crt

Update your apache configuration and restart apache afterwards

SSLEngine On
SSLProtocol all -SSLv2

SSLCertificateFile /path/to/webserver.crt
SSLCertificateKeyFile /path/to/webserver.key
SSLCACertificateFile /path/to/ca.crt
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

Create a client certificate

Sometimes it is useful to authenticate to a webserver using a client certificate.

openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt

Convert your certificate to PKCS12 to be able to import it to your browser.

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Update your apache configuration and add the following lines where you want client certificate authentication

<Location /cert>
    SSLVerifyClient require
    SSLVerifyDepth 10
</Location>

Revoke a client certificate

When you have to revoke a certificate because it was lost, run:

openssl ca -keyfile ca.key -cert ca.crt -revoke client.crt
openssl ca -gencrl -crldays 365 -keyfile ca.key -cert ca.crt -out cacrl.crl

Update your apache configuration and add the following two lines

SSLCARevocationFile /etc/apache2/ssl/crl/cacrl.crl
SSLCARevocationPath /etc/apache2/ssl/crl/

Restart apache. Every time you revoke a client certificate you have to restart apache.
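The whole flow above (CA, client certificate, revocation, CRL) as an added check script; this is not the site's own code. It assumes an openssl binary on PATH, and it constructs the minimal config file and CA database (index.txt, serial) that "openssl ca" requires but the howto does not show; the demo names (ca.cnf, Demo-CA, alice) are constructed.

```shell
#!/bin/sh
# Added example, not the site's own script: runs the howto's CA -> client cert -> revoke -> CRL
# flow in a throwaway directory and checks that the CRL really rejects the revoked certificate.
# Assumes openssl on PATH; the CA config and database below are constructed for the demo.
set -e

setup_ca() {
  work=$(mktemp -d); cd "$work"
  mkdir -p db/newcerts; touch db/index.txt; echo 1000 > db/serial
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./db
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
default_md = sha256
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
EOF
  # Demo CA and one client certificate (2048-bit keys here only to keep the run short)
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -config ca.cnf -new -x509 -days 3650 -key ca.key -subj /CN=Demo-CA -out ca.crt
  openssl genrsa -out client.key 2048 2>/dev/null
  openssl req -config ca.cnf -new -key client.key -subj /CN=alice -out client.csr
  openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt 2>/dev/null
}

# Succeeds only if the cert verifies before revocation and is rejected once the CRL is consulted
revoke_and_check() {
  openssl verify -CAfile ca.crt client.crt >/dev/null
  openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -revoke client.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -crldays 365 -keyfile ca.key -cert ca.crt -out cacrl.crl 2>/dev/null
  cat ca.crt cacrl.crl > ca_with_crl.pem   # -crl_check takes CRLs from the same trust file
  if openssl verify -crl_check -CAfile ca_with_crl.pem client.crt >/dev/null 2>&1; then
    echo "CRL not enforced" >&2; return 1
  fi
}
revoked_entries() { grep -c '^R' db/index.txt; }   # index.txt lines starting with R are revoked
```

Apache 2.4 only consults a loaded CRL when SSLCARevocationCheck is set to chain or leaf (its default is none), so on that version the two revocation directives above need that third one before a revoked client certificate is actually rejected.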