- Enable SSL Service Property if necessary. Log in as
root and issue the following command:
    web# svcprop -p httpd/ssl svc:network/http:apache2
If the response is "false", issue these three commands:
    web# svccfg -s http:apache2 setprop httpd/ssl=true
    web# svcadm refresh http:apache2
    web# svcprop -p httpd/ssl svc:network/http:apache2
If the response is "true", continue to the next step.
- Create a Certificate Directory and a Key Directory.
    web# mkdir /etc/apache2/ssl.crt
    web# mkdir /etc/apache2/ssl.key
- Generate an RSA Key.
    web# /usr/sfw/bin/openssl genrsa -des3 1024 > /etc/apache2/ssl.key/server.key
    Generating RSA private key, 1024 bit long modulus
    ..........................++++++
    .........++++++
    e is 65537 (0x10001)
    Enter pass phrase: ********
    Verifying - Enter pass phrase: ********
- Generate a Certificate Request.
    web# /usr/sfw/bin/openssl req -new -key /etc/apache2/ssl.key/server.key > \
    > /etc/apache2/ssl.crt/server.csr
    Enter pass phrase for /etc/apache2/ssl.key/server.key: ********
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:US
    State or Province Name (full name) [Some-State]:OR
    Locality Name (eg, city) []:Blodgett
    Organization Name (eg, company) [Unconfigured OpenSSL Installation]:DIS
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, YOUR name) []:Big Cheese
    Email Address []:meljr@meljr.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []: ********
    An optional company name []: Live Free or Die
- Install a Self-Signed Certificate. If you are going
to install a certificate from an authoritative source, follow their
instructions and skip this step.
    web# /usr/sfw/bin/openssl req -x509 -days 3650 -key \
    > /etc/apache2/ssl.key/server.key \
    > -in /etc/apache2/ssl.crt/server.csr > \
    > /etc/apache2/ssl.crt/server.crt
    Enter pass phrase for /etc/apache2/ssl.key/server.key: ********
- Modify the ssl.conf file to use your certificate.
    web# cd /etc/apache2
    web# ls -l
    total 334
    -rw-r--r--   1 root     bin         1987 Jan  6 21:10 highperformance-std.conf
    -rw-r--r--   1 root     bin         1987 Jan  6 21:10 highperformance.conf
    -rw-r--r--   1 root     bin        37519 Jan  6 21:10 httpd-std.conf
    -rw-r--r--   1 root     root       37660 Jan 18 21:49 httpd.conf
    -rw-r--r--   1 root     bin        37661 Jul 20  2005 httpd.conf-example
    -rw-r--r--   1 root     bin        12959 Jan  6 21:10 magic
    -rw-r--r--   1 root     bin        15020 Jan  6 21:10 mime.types
    -rw-r--r--   1 root     bin        10759 Jan  6 21:10 ssl-std.conf
    -rw-r--r--   1 root     bin        10996 Jan  6 21:10 ssl.conf
    drwxr-xr-x   2 root     root         512 Jan 19 03:24 ssl.crt
    drwxr-xr-x   2 root     root         512 Jan 19 02:52 ssl.key
Edit ssl.conf and change the line that begins with "ServerAdmin" to
reflect an email address or alias for the server's administrator. While
in the file, confirm that the SSLCertificateFile and SSLCertificateKeyFile
directives point at the server.crt and server.key files created above.
- Test the SSL Certificate with Apache2
- If Apache2 is enabled, disable it during testing.
    web# svcs | grep -i apache2
    online          3:29:01 svc:/network/http:apache2
    web# svcadm disable apache2
- Use the legacy script to start Apache2 with SSL manually as a
test.
    web# /usr/apache2/bin/apachectl startssl
    Apache/2.0.52 mod_ssl/2.0.52 (Pass Phrase Dialog)
    Some of your private key files are encrypted for security reasons.
    In order to read them you have to provide us with the pass phrases.

    Server 127.0.0.1:443 (RSA)
    Enter pass phrase: ********

    Ok: Pass Phrase Dialog successful.
If this test fails with an error similar to 'vhost.c:232
assertion "rv == APR_SUCCESS" failed on startssl', your server may
not be configured to use DNS to resolve host names. This failure is due
to a known bug in Apache2 2.0.nn. A quick fix is to edit the hosts
line in your server's /etc/nsswitch.conf to look like the following:
    hosts: files dns
More information about this issue may be found at:
http://issues.apache.org/bugzilla/show_bug.cgi?id=27525
After editing /etc/nsswitch.conf or otherwise resolving the issue,
repeat the test until you are able to manually start and stop Apache2
using your SSL Certificate and Pass Phrase.
    web# ps -ef | grep httpd
        root  1392   575   0 03:45:16 ?           0:01 /usr/apache2/bin/httpd -k start -DSSL
        root  1400  1116   0 03:45:51 pts/3       0:00 grep httpd
    webservd  1393  1392   0 03:45:18 ?           0:00 /usr/apache2/bin/httpd -k start -DSSL
    webservd  1397  1392   0 03:45:18 ?           0:00 /usr/apache2/bin/httpd -k start -DSSL
    webservd  1396  1392   0 03:45:18 ?           0:00 /usr/apache2/bin/httpd -k start -DSSL
    webservd  1395  1392   0 03:45:18 ?           0:00 /usr/apache2/bin/httpd -k start -DSSL
    webservd  1394  1392   0 03:45:18 ?           0:00 /usr/apache2/bin/httpd -k start -DSSL
- If your results are similar to those above, use the legacy script
to conclude the test. You may also want to verify that a client
browser can access your site using https before continuing. Accept
the self-signed certificate if necessary.
    web# /usr/apache2/bin/apachectl stop
- Enable Apache2 with SSL to be started automatically as a
service. The service cannot answer the pass phrase dialog at boot, so
the pass phrase is removed from the key; the key is then stored
unencrypted, and the chmod 400 below is what restricts access to it.
    web# cd /etc/apache2/ssl.key
    web# cp server.key server.key.org
    web# /usr/sfw/bin/openssl rsa -in server.key.org -out server.key
    Enter pass phrase for server.key.org: ********
    writing RSA key
    web# chmod 400 server.key
    web# svcadm enable apache2
    web# svcs | grep -i apache2
    online          4:29:01 svc:/network/http:apache2