httpd-users mailing list archives

From Cerion Armour-Brown <cer...@terpsichore.ws>
Subject Re: [users@httpd] HTTPS and virtual hosts
Date Fri, 27 Feb 2004 14:38:46 GMT
On Friday 27 February 2004 15:01, Dean A. Hoover wrote:
> I am a newbie at apache httpd and ssl. I've been reading various books
> and online stuff on the subject, trying to figure out how to enable
> HTTPS on my webserver for virtual hosts. I talked to people I know that
> have also done it, and I am still not able to get this working. I am using
> RH9 and apache httpd-2.0.40-21.9. Here is
> what I did in /home/tomcat/mywebsite.com/conf/ssl:
>
> # openssl req -new -x509 -days 3650 -nodes -out www.mywebsite.com.pem -keyout www.mywebsite.com.pem
> Generating a 1024 bit RSA private key
> .........++++++
> ..++++++
> writing new private key to 'www.mywebsite.com.pem'
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [GB]:US
> State or Province Name (full name) [Berkshire]:New York
> Locality Name (eg, city) [Newbury]:Rochester
> Organization Name (eg, company) [My Company Ltd]:My Web Site, Inc.
> Organizational Unit Name (eg, section) []:
> Common Name (eg, your name or your server's hostname) []:www.mywebsite.com
> Email Address []:webmaster@mywebsite.com
> [root@mywebsite ssl]# /etc/init.d/httpd restart
> Stopping httpd:                                            [  OK  ]
> Starting httpd:                                            [  OK  ]
>
>
> The relevant part of httpd.conf is as follows:
>
> <VirtualHost *:443>
>   ServerAdmin webmaster@mywebsite.com
>   ServerName www.mywebsite.com
>   ServerAlias mywebsite.com
>   DocumentRoot /home/tomcat/mywebsite.com/webapps
>   ErrorLog /home/tomcat/mywebsite.com/logs/error_log
>   CustomLog /home/tomcat/mywebsite.com/logs/access_log common
>
>   <IfModule mod_ssl.c>
>     SSLEngine on
>     SSLCertificateFile /home/tomcat/mywebsite.com/conf/ssl/www.mywebsite.com.pem
>   </IfModule>
> </VirtualHost>

It's 'invalid'... you're giving the private key instead of the public 
certificate

You need something like this in httpd.conf:
   SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
   SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
   SSLCACertificatePath /usr/local/apache/conf/ssl.crt
   SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca.crt

To make these (I can't rem the commands offhand - easily found tho):
1) Generate a private server key (server.key)
2) Generate a certificate signing request (server.csr)
3) Get this signed - either by yourself (you'll need a self-signed Cert. Auth. 
certificate & key : ca.key, ca.crt), or by a trusted authority (Thawte, etc) 
=> This gives you your certificate (server.crt)

Be aware that if you do self sign it, people will still get the 'untrusted' 
message, 'cos they don't know you from jack...

NOTE: You can't have more than one virtual host using ssl, listening to the 
same port, 'cos you can't have name-based resolution with ssl...
hth,
Cerion
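
Steps 1 to 3 of the reply above, written out as openssl commands with a check that the resulting certificate matches the key and chains to the CA. This is an added example, not part of the original message; the 2048-bit key size, the validity periods, the CA subject name and the subjectAltName extension are assumptions.

```shell
# Added example, not from the original thread. File names follow the reply
# (server.key, server.csr, server.crt, ca.key, ca.crt); everything else
# (key size, lifetimes, CA subject, subjectAltName) is an assumption.

# make_server_cert DIR HOSTNAME
make_server_cert() {
    (
        umask 077                       # files, including the keys, are owner-only
        mkdir -p "$1" && cd "$1" || exit 1
        # Self-signed CA key and certificate (the "by yourself" branch of step 3)
        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
            -subj "/O=Example Local CA/CN=Example Local CA" \
            -keyout ca.key -out ca.crt || exit 1
        # 1) private server key
        openssl genrsa -out server.key 2048 || exit 1
        # 2) signing request; CN is the host name clients will connect to
        openssl req -new -key server.key -subj "/CN=$2" -out server.csr || exit 1
        # 3) the CA signs the request and produces server.crt
        printf 'subjectAltName=DNS:%s\n' "$2" > san.ext
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -days 365 -sha256 -extfile san.ext \
            -out server.crt || exit 1
    )
}

# key_matches_cert KEYFILE CERTFILE: true only if both hold the same public key
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# chains_to_ca CAFILE CERTFILE: true only if CERTFILE verifies against CAFILE
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: make_server_cert /tmp/ssl-demo www.example.test
# then point SSLCertificateFile at server.crt and SSLCertificateKeyFile
# at server.key, after key_matches_cert and chains_to_ca both succeed.
```

Running key_matches_cert before a restart catches a certificate paired with the wrong key file, which otherwise only shows up when httpd fails to start.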


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

