From: Cerion Armour-Brown
To: users@httpd.apache.org
Date: Fri, 27 Feb 2004 15:38:46 +0100
Subject: Re: [users@httpd] HTTPS and virtual hosts
In-Reply-To: <403F4DB2.6010006@rochester.rr.com>
Message-Id: <200402271538.46123.cerion@terpsichore.ws>

On Friday 27 February 2004 15:01, Dean A. Hoover wrote:
> I am a newbie at apache httpd and ssl. I've been reading various books
> and online stuff on the subject, trying to figure out how to enable
> HTTPS on my webserver for virtual hosts. I talked to people I know that
> have also done it, and I am still not able to get this working. I am using
> RH9 and apache httpd-2.0.40-21.9. Here is
> what I did in /home/tomcat/mywebsite.com/conf/ssl:
>
> # openssl req -new -x509 -days 3650 -nodes -out www.mywebsite.com.pem
> -keyout www.mywebsite.com.pem
> Generating a 1024 bit RSA private key
> .........++++++
> ..++++++
> writing new private key to 'www.mywebsite.com.pem'
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [GB]:US
> State or Province Name (full name) [Berkshire]:New York
> Locality Name (eg, city) [Newbury]:Rochester
> Organization Name (eg, company) [My Company Ltd]:My Web Site, Inc.
> Organizational Unit Name (eg, section) []:
> Common Name (eg, your name or your server's hostname) []:www.mywebsite.com
> Email Address []:webmaster@mywebsite.com
> [root@mywebsite ssl]# /etc/init.d/httpd restart
> Stopping httpd: [ OK ]
> Starting httpd: [ OK ]
>
>
> The relevant part of httpd.conf is as follows:
>
>
> ServerAdmin webmaster@mywebsite.com
> ServerName www.mywebsite.com
> ServerAlias mywebsite.com
> DocumentRoot /home/tomcat/mywebsite.com/webapps
> ErrorLog /home/tomcat/mywebsite.com/logs/error_log
> CustomLog /home/tomcat/mywebsite.com/logs/access_log common
>
>
> SSLEngine on
> SSLCertificateFile
> /home/tomcat/mywebsite.com/conf/ssl/www.mywebsite.com.pem
>

It's 'invalid'... you're giving the private key instead of the public certificate.

You need something like this in httpd.conf:

SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SSLCACertificatePath  /usr/local/apache/conf/ssl.crt
SSLCACertificateFile  /usr/local/apache/conf/ssl.crt/ca.crt

To make these (I can't rem the commands offhand - easily found tho):
1) Generate a private server key (server.key)
2) Generate a certificate signing request (server.csr)
3) Get this signed - either by yourself (you'll need a self-signed Cert. Auth.
   certificate & key: ca.key, ca.crt), or by a trusted authority (Thawte, etc)
   => This gives you your certificate (server.crt)

Be aware that if you do self sign it, people will still get the 'untrusted'
message, 'cos they don't know you from jack...

NOTE: You can't have more than one virtual host using ssl, listening to the same
port, 'cos you can't have name-based resolution with ssl...

hth,
Cerion

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
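The three steps Cerion lists, followed by the checks that would have caught the original mistake (handing SSLCertificateFile the private key), as an added shell example that is not from the thread or from the Apache project; the scratch directory, the throw-away test CA and its subject are constructed here, and only the openssl command-line tool is needed.

```shell
#!/bin/sh
# Added example (not from the thread): steps 1-3 from the reply, then the checks
# to run before pointing SSLCertificateFile / SSLCertificateKeyFile at the files.
set -eu

WORK=$(mktemp -d)   # constructed scratch directory; real files live under conf/ssl.*
SUBJ="/C=US/ST=New York/L=Rochester/O=My Web Site Inc/CN=www.mywebsite.com"

# Step 1: private server key. Keep it unreadable to the web server's children.
gen_server_key() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    chmod 600 "$WORK/server.key"
}

# Step 2: certificate signing request carrying the DN from the thread.
gen_csr() { openssl req -new -key "$WORK/server.key" -subj "$SUBJ" -out "$WORK/server.csr"; }

# Step 3, self-signed route: a throw-away CA (ca.key, ca.crt), then sign the CSR
# with it. Sending server.csr to a commercial CA replaces this step.
gen_ca() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 3650 \
        -subj "/CN=Constructed Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
sign_csr() {
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -out "$WORK/server.crt" 2>/dev/null
}

# Check A: is this file a certificate at all? The original config handed
# SSLCertificateFile the private key, which fails this check.
is_certificate() { openssl x509 -in "$1" -noout >/dev/null 2>&1; }

# Check B: does the certificate's public key belong to this private key?
# Equal RSA moduli mean yes; mod_ssl rejects a mismatched pair at startup.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null || true)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check C: does the server cert chain to the CA given in SSLCACertificateFile?
chain_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

gen_server_key; gen_csr; gen_ca; sign_csr

is_certificate "$WORK/server.crt" && echo "server.crt: certificate, OK for SSLCertificateFile"
is_certificate "$WORK/server.key" || echo "server.key: not a certificate, use SSLCertificateKeyFile"
key_matches_cert "$WORK/server.key" "$WORK/server.crt" && echo "key and certificate match"
chain_verifies "$WORK/ca.crt" "$WORK/server.crt" && echo "server.crt verifies against ca.crt"
```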