Archive for May 4th, 2011
The goal of this guide is to provide you with an Apache SSL configuration with a unique self-signed certificate for each VirtualHost.
These self-signed certificates are not intended for e-commerce or public-facing web sites. Rather, they are intended for SSL encryption of administration areas on personal websites or administration programs that have HTTP interfaces. Of course, if you have a commercially-signed certificate, you can skip the certificate-generation part of the guide, and proceed to implementing it in a VirtualHost configuration.
Written for Apache on Ubuntu Server 10.04.
First, install the ssl-cert package (which provides the base Apache SSL certificate) and enable the Apache SSL module:
    sudo apt-get install ssl-cert
This installs a base SSL certificate and a generic ‘default-ssl’ site configuration. We will be generating per-domain self-signed certificates later, and we will not be using the ‘default-ssl’ site configuration.
Generate a hostname-specific SSL certificate by following these instructions, quoted from /usr/share/doc/apache2.2-common/README.Debian.gz:
To create more certificates with different host names, you can use
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /path/to/cert-file.crt
This will ask you for the hostname and place both SSL key and certificate in
the file /path/to/cert-file.crt . Use this file with the SSLCertificateFile
directive in the apache config (you don’t need the SSLCertificateKeyFile in
this case as it also contains the key). The file /path/to/cert-file.crt should
only be readable by root. A good directory to use for the additional
certificates/keys is /etc/ssl/private .
    make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/example.com.crt
Now that the key and certificate are generated, we’re going to create an Apache VirtualHost configuration for SSL connections. Change to /etc/apache2/sites-available and copy (for example) example.com.conf to example.com-ssl.conf.
Next, edit the example.com-ssl.conf file and make the following changes:
* Change the port number in the <VirtualHost> tag to 443.
* At the end of the file, after the closing </VirtualHost> tag
* Within the <VirtualHost> tag, add the following directives:
    SSLEngine On
    # The following should point to your SSL cert file in /etc/ssl/private
    SSLCertificateFile /etc/ssl/private/example.com.crt
— From /etc/apache2/sites-available/default-ssl
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
* Add the SSL workaround for MSIE in your <VirtualHost> section as follows:
    BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
SSL workaround for MSIE
The SSL workaround for MS Internet Explorer needs to be added to your SSL
VirtualHost section (it was previously in ssl.conf but caused keepalive to be
disabled even for non-SSL connections):
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
The default SSL virtual host in /etc/apache2/sites-available/default-ssl
already contains this workaround.
Lastly, enable the newly-created site and reload Apache:
    sudo a2ensite example.com-ssl.conf
    Enabling site example.com-ssl.conf.
    Run '/etc/init.d/apache2 reload' to activate new configuration!
(This creates the symlink from /etc/apache2/sites-enabled to your config file in /etc/apache2/sites-available; you can also create it manually if your configuration requires it.)
    sudo /etc/init.d/apache2 reload
     * Reloading web server config apache2                                 [ OK ]
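The steps above, from copying the HTTP VirtualHost file through enabling the site, as a scripted example added here (this is not the guide's own code). It rewrites an existing HTTP vhost file into the SSL variant (port 443, SSLEngine On, SSLCertificateFile, the MSIE BrowserMatch workaround), checks that the make-ssl-cert output really holds both key and certificate and is not readable by group or others, and only reloads Apache once apache2ctl configtest passes. The function names are this example's own; it assumes the source file has a single "<VirtualHost *:80>" opening tag.

```shell
#!/bin/sh
# Added example, not part of the original guide: scripted form of the
# per-VirtualHost SSL steps described above.
# Assumptions (not from the page): the HTTP vhost file has exactly one
# "<VirtualHost *:80>" opening tag, and CERTFILE is the PEM key+certificate
# bundle written by make-ssl-cert. Function names are this example's own.

# render_ssl_vhost SRC DEST CERTFILE
# Copy SRC to DEST, switching the VirtualHost port to 443 and inserting the
# SSL directives directly after the opening tag.
render_ssl_vhost() {
    src=$1; dest=$2; cert=$3
    awk -v cert="$cert" '
        /^[ \t]*<VirtualHost[ \t]/ {
            sub(/:80>/, ":443>")
            print
            print "    SSLEngine On"
            print "    # make-ssl-cert puts key and certificate in one file, so"
            print "    # SSLCertificateKeyFile is not needed"
            print "    SSLCertificateFile " cert
            print "    # SSL workaround for MSIE (from default-ssl)"
            print "    BrowserMatch \"MSIE [2-6]\" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0"
            print "    BrowserMatch \"MSIE [17-9]\" ssl-unclean-shutdown"
            next
        }
        { print }
    ' "$src" > "$dest"
}

# check_cert_bundle FILE
# Succeed only if FILE contains both a PEM private key and a certificate and
# has no group/other permission bits (the README says root-only: a key that
# other users can read defeats the point of the exercise).
check_cert_bundle() {
    f=$1
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" ||
        { echo "$f: no private key block" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" ||
        { echo "$f: no certificate block" >&2; return 1; }
    # columns 5-10 of ls -l are the group and other permission bits
    gobits=$(ls -l "$f" | cut -c5-10)
    [ "$gobits" = "------" ] ||
        { echo "$f: readable by group/other, run: chmod 600 $f" >&2; return 1; }
}

# enable_ssl_site SITE
# Enable the SSL module and the site, but reload Apache only if the
# configuration parses cleanly.
enable_ssl_site() {
    a2enmod ssl
    a2ensite "$1"
    apache2ctl configtest && /etc/init.d/apache2 reload
}

# Typical use on the server, as root:
#   render_ssl_vhost /etc/apache2/sites-available/example.com.conf \
#       /etc/apache2/sites-available/example.com-ssl.conf \
#       /etc/ssl/private/example.com.crt
#   check_cert_bundle /etc/ssl/private/example.com.crt &&
#       enable_ssl_site example.com-ssl.conf
```

Running check_cert_bundle before enable_ssl_site catches the two mistakes that are easy to make with this setup: pointing SSLCertificateFile at a file that holds only the certificate (Apache then needs SSLCertificateKeyFile as well), and leaving the combined key file world-readable in /etc/ssl/private.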
Of course, make sure after all of this that your firewall isn’t blocking port 443.
Questions, comments, and feedback regarding this guide are welcome!