
SSL Certificate Configuration for Apache2 on Solaris 10

  1. Enable the SSL service property if necessary. Log in as root and issue the following command:
     web# svcprop -p httpd/ssl svc:network/http:apache2
     If the response is "false", issue these three commands:
     web# svccfg -s http:apache2 setprop httpd/ssl=true
     web# svcadm refresh http:apache2
     web# svcprop -p httpd/ssl svc:network/http:apache2
     If the response is "true", continue to the next step.
  2. Create a Certificate Directory and a Key Directory.
     web# mkdir /etc/apache2/ssl.crt
     web# mkdir /etc/apache2/ssl.key
  3. Generate an RSA Key.
     web# /usr/sfw/bin/openssl genrsa -des3 1024 > /etc/apache2/ssl.key/server.key
    Generating RSA private key, 1024 bit long modulus
    ..........................++++++
    .........++++++
    e is 65537 (0x10001)
    Enter pass phrase: ********
    Verifying - Enter pass phrase: ********
  4. Generate a Certificate Request.
    web# /usr/sfw/bin/openssl req -new -key /etc/apache2/ssl.key/server.key > \
    > /etc/apache2/ssl.crt/server.csr
    Enter pass phrase for /etc/apache2/ssl.key/server.key: ********
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:US
    State or Province Name (full name) [Some-State]:OR
    Locality Name (eg, city) []:Blodgett
    Organization Name (eg, company) [Unconfigured OpenSSL Installation]:DIS
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, YOUR name) []:Big Cheese
    Email Address []:meljr@meljr.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []: ********
    An optional company name []: Live Free or Die
  5. Install a Self-Signed Certificate. If you are going to install a certificate from an authoritative source, follow their instructions and skip this step.
    web# /usr/sfw/bin/openssl req -x509 -days 3650 -key \
    > /etc/apache2/ssl.key/server.key \
    > -in /etc/apache2/ssl.crt/server.csr > \
    > /etc/apache2/ssl.crt/server.crt
    Enter pass phrase for /etc/apache2/ssl.key/server.key: ********
  6. Modify the ssl.conf file to use your certificate.
    web# cd /etc/apache2
    web# ls -l
    total 334
    -rw-r--r-- 1 root bin 1987 Jan 6 21:10 highperformance-std.conf
    -rw-r--r-- 1 root bin 1987 Jan 6 21:10 highperformance.conf
    -rw-r--r-- 1 root bin 37519 Jan 6 21:10 httpd-std.conf
    -rw-r--r-- 1 root root 37660 Jan 18 21:49 httpd.conf
    -rw-r--r-- 1 root bin 37661 Jul 20 2005 httpd.conf-example
    -rw-r--r-- 1 root bin 12959 Jan 6 21:10 magic
    -rw-r--r-- 1 root bin 15020 Jan 6 21:10 mime.types
    -rw-r--r-- 1 root bin 10759 Jan 6 21:10 ssl-std.conf
    -rw-r--r-- 1 root bin 10996 Jan 6 21:10 ssl.conf
    drwxr-xr-x 2 root root 512 Jan 19 03:24 ssl.crt
    drwxr-xr-x 2 root root 512 Jan 19 02:52 ssl.key

    Edit ssl.conf and change the line that begins with "ServerAdmin" to the email address or alias of the server's administrator.

  7. Test the SSL Certificate with Apache2
    • If Apache2 is enabled, disable it during testing.
      web# svcs | grep -i apache2
      online 3:29:01 svc:/network/http:apache2
      web# svcadm disable apache2
    • Use the legacy script to manually test start Apache2 with SSL.
      web# /usr/apache2/bin/apachectl startssl
      Apache/2.0.52 mod_ssl/2.0.52 (Pass Phrase Dialog)
      Some of your private key files are encrypted for security reasons.
      In order to read them you have to provide us with the pass phrases.

      Server 127.0.0.1:443 (RSA)
      Enter pass phrase: ********

      Ok: Pass Phrase Dialog successful.

      If this test fails with an error similar to 'vhost.c:232 assertion "rv == APR_SUCCESS" failed on startssl', your server may not be configured to use DNS to resolve host names. This failure is due to a known bug in Apache2 2.0.nn. A quick fix is to edit the hosts line in your server's /etc/nsswitch.conf to look like the following:

      hosts: files dns

      More information about this issue may be found at:

      http://issues.apache.org/bugzilla/show_bug.cgi?id=27525
      After editing /etc/nsswitch.conf or otherwise resolving the issue, repeat the test until you are able to manually start and stop Apache2 using your SSL Certificate and Pass Phrase.
      web# ps -ef | grep httpd
      root 1392 575 0 03:45:16 ? 0:01 /usr/apache2/bin/httpd -k start -DSSL
      root 1400 1116 0 03:45:51 pts/3 0:00 grep httpd
      webservd 1393 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
      webservd 1397 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
      webservd 1396 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
      webservd 1395 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
      webservd 1394 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
    • If your results are similar to the output above, use the legacy script to conclude the test. You may also want to verify that a client browser can access your site using https before continuing. Accept the self-signed Certificate if necessary.
      web# /usr/apache2/bin/apachectl stop
  8. Enable Apache2 with SSL so that it starts automatically as a service. Nobody is present to answer the pass phrase dialog when SMF starts httpd, so the pass phrase is removed from the key (keep the encrypted copy as server.key.org) and the unencrypted key is made readable by root only.
     web# cd /etc/apache2/ssl.key
     web# cp server.key server.key.org
     web# /usr/sfw/bin/openssl rsa -in server.key.org -out server.key
    Enter pass phrase for server.key.org: ********
    writing RSA key
    web# chmod 400 server.key
    web# svcadm enable apache2
    web# svcs | grep -i apache2
    online 4:29:01 svc:/network/http:apache2
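As an added pre-flight check for step 8 (example code, not from this page): before enabling the service under SMF, confirm that the key no longer carries the encryption header that triggers the pass phrase dialog seen in step 7 and that it is mode 400; cert_matches_key additionally confirms the certificate in ssl.crt was issued for that key. It assumes openssl at /usr/sfw/bin/openssl as on the page, and the sample key files it creates for the demo are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added pre-flight check for step 8 (example code, not from the original page):
# under SMF nobody answers the pass-phrase dialog, so before `svcadm enable apache2`
# the key must be unencrypted and mode 400. Paths follow the page's layout.
OPENSSL=${OPENSSL:-/usr/sfw/bin/openssl}
# 0 when the PEM carries the header that makes httpd ask for a pass phrase.
key_is_encrypted() {
    head -n 5 "$1" | grep -q 'Proc-Type: 4,ENCRYPTED'
}
# 0 when the ls(1) mode string is exactly -r-------- (chmod 400).
key_mode_is_400() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-r--------" ]
}
# Verdict used before enabling the service; prints the reason on failure.
key_ready_for_autostart() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    if key_is_encrypted "$f"; then
        echo "$f: still pass-phrase protected; decrypt it first (openssl rsa -in/-out)"
        return 1
    fi
    key_mode_is_400 "$f" || { echo "$f: not mode 400 (chmod 400 $f)"; return 1; }
}
# Optional pairing check: the certificate must carry the key's modulus.
cert_matches_key() {
    [ "$("$OPENSSL" x509 -noout -modulus -in "$1")" = \
      "$("$OPENSSL" rsa -noout -modulus -in "$2")" ]
}
# Constructed sample files for the demo; the bodies are placeholders, not keys.
make_sample_keys() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'CONSTRUCTED-NOT-A-KEY' \
        '-----END RSA PRIVATE KEY-----' > "$1/encrypted.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-NOT-A-KEY' \
        '-----END RSA PRIVATE KEY-----' > "$1/plain.key"
    cp "$1/plain.key" "$1/loose.key"
    chmod 400 "$1/encrypted.key" "$1/plain.key"; chmod 644 "$1/loose.key"
}
# Check a real key when a path is given; otherwise run the demo on samples.
if [ -n "$1" ]; then
    key_ready_for_autostart "$1"
else
    d=$(mktemp -d); make_sample_keys "$d"
    for k in encrypted plain loose; do
        key_ready_for_autostart "$d/$k.key" && echo "$k.key: ready for svcadm enable"
    done
    rm -rf "$d"
fi
```

Run it with the real key path (`sh check.sh /etc/apache2/ssl.key/server.key`) right before `svcadm enable apache2`; `cert_matches_key /etc/apache2/ssl.crt/server.crt /etc/apache2/ssl.key/server.key` can be called separately once openssl is available.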

Random TIPS

SYSTEM ACCOUNTS WITHOUT A DESCRIPTION IN GECOS OR WITHOUT A SHELL

# Give each Solaris system account a GECOS description and a non-interactive shell
for i in daemon bin sys adm lp listen nobody noaccess nobody4
do
    usermod -c "$i" $i        # GECOS: use the account name as its description
    usermod -s /bin/false $i  # shell: /bin/false prevents interactive logins
done
