Here is the steps I did for Apache with SSL:
To build apache with OpenSSL for secure communication, Use following steps.
Steps:
I. Build
a. Untar the Source & configure, gmake and gmake install
# tar -zxvf httpd-2.0.46.tar.gz
b. Configure the apache with options
# cd httpd-2.0.46
# ./configure --prefix=/usr/local/apache --with-ssl=/usr/local/ssl/lib --enable-expires --enable-ssl --enable-rewrite --enable-so --enable-xml --enable-modules=most
b. Compile & install the apache using following commands
# gmake
# gmake install
II. Create Certificate Authority (CA)
a. To create RSA private key
# /usr/local/ssl/bin/openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
...++++++
............++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
#
b. To create self-signed CA certificate
# /usr/local/ssl/bin/openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:TN
Locality Name (eg, city) []:CBE
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cisco
Organizational Unit Name (eg, section) []:OpenSource
Common Name (eg, YOUR name) []:linuxtest.cisco.com
Email Address []:opensource@cisco.com
#
III. Create SSL Certificate
a. To create RSA private key
# /usr/local/ssl/bin/openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..........++++++
...............................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
#
b. Decrypt private key (so that apache can start w/o asking for password)
# mv server.key server.key.secure
# /usr/local/ssl/bin/openssl rsa -in server.key.secure -out server.key
Enter pass phrase for server.key.secure:
writing RSA key
#
c. To create a Certificate Signing Request (CSR)
# /usr/local/ssl/bin/openssl req -new -days 365 -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:TN
Locality Name (eg, city) []:CBE
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cisco
Organizational Unit Name (eg, section) []:OpenSource
Common Name (eg, YOUR name) []:linuxtest.cisco.com
Email Address []:opensource@cisco.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:welcome
An optional company name []:Senas.net
#
IV. Sign SSL Certificate
# /usr/local/ssl/bin/openssl x509 -req -days 30 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=IN/ST=TN/L=CBE/O=cisco/OU=OpenSource/CN=linuxtest.cisco.com/emailAddress=opensource@cisco.com
Getting Private key
#
V. Create directories for SSL certificate & key and copy the certificate & key to corresponding directories
# mkdir /usr/local/apache/conf/ssl.crt
# mkdir /usr/local/apache/conf/ssl.key
# cp server.crt ssl.crt
# cp server.key ssl.key
VI. Apache configuration
In /usr/local/apache/conf/httpd.conf,
ServerName linuxtest.cisco.com
ServerAdmin sysadmin@linuxtest.cisco.com
VII. Start Apache
# /usr/local/apache/bin/apachectl startssl // both 80 & 443
To check apache whether it listens on port 80 & 443
a. Use "netstat" command
# netstat -na | grep 80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
# netstat -na | grep 443
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
b. Use the following URL's
http://127.0.0.1/https://127.0.0.1/VII. Stop apache
# /usr/local/apache/bin/apachectl stop
To check apache whether it listens on port 80 & 443
# netstat -na | grep 80
# netstat -na | grep 443
#
Note: See the file /usr/local/apache/conf/ssl.conf for SSL configuration
