The Apache server needs an additional module in order to support SSL, and
there are several SSL packages to choose from. My examples are based on
Apache configured with ModSSL and OpenSSL. There are countless mailing
lists and newsgroups available to support these products. You may also
find these instructions helpful for some commercial SSL packages that are
based on the Apache web server.
A few things to keep in mind: You can have multiple virtual hosts on the
same server. You can have numerous name-based virtual hosts on the same IP
address. You can also have numerous name-based virtual hosts and one (1)
secure virtual host on the same IP. But, with classic ModSSL, you cannot
have multiple secure virtual hosts on the same IP. The question that so
many ask: Why? The answer is: the SSL handshake happens before any HTTP is
exchanged. The server must pick a certificate and finish the handshake
before it ever sees the Host: header, so it has no way of knowing which
name-based host the client wanted.
One caveat for newer setups: the TLS Server Name Indication (SNI) extension
sends the requested hostname inside the handshake itself. Apache 2.2.12 or
later, built against an OpenSSL with TLS extension support, can use it to
serve several secure name-based hosts on one IP and port. Clients that do
not send SNI still get the certificate of the first secure host defined
for that address, so the one-host-per-socket rule below remains the safe
assumption when such clients matter to you.
Specifically, you cannot have multiple secure virtual hosts on the same
SOCKET (IP address + port). By default, a secure host uses port 443. You
can configure your virtual host to use a different port number with the
same IP, thus creating another socket. There are several disadvantages to
this approach. The most obvious is that if you are not using the default
port, the URL must also contain the port number to reach the secure site.
Example:
Site using default port - www.something.com - would be accessed
as https://www.something.com
A site using port 8888 would be accessed as https://www.something.com:8888
Another disadvantage is that every extra listening port enlarges the attack
surface: a port scan will find it, and it is one more service to keep
patched and firewalled. Last, if you select a port that is already used by
something else, the two services will conflict and one of them will fail
to bind.
Setting up virtual hosts is fairly straightforward. I will go through the
basics of setting up a secure virtual host.
In these examples, I use the .crt and .key file
extensions. That is my personal way of avoiding confusion with the
various files. With Apache, you can use any extension you choose -
or no extension at all.
All of your secure virtual hosts should be contained
within <IfDefine SSL> and </IfDefine SSL>, usually located towards the end
of the httpd.conf file. Apache only reads that block when the SSL symbol
is defined at startup (apachectl startssl with Apache 1.3, or httpd -DSSL),
which is what lets you run the same configuration with SSL switched off.
The directives that matter most for SSL are SSLEngine on,
SSLCertificateFile, SSLCertificateKeyFile and, for any certificate issued
by an intermediate CA, SSLCertificateChainFile. SSLCACertificateFile is
only needed if you verify client certificates.
SSL Engine
"SSLEngine on" - this is ModSSL's directive to enable SSL for the virtual
host it appears in.
SSLCertificateFile
SSLCertificateFile tells Apache where to find the certificate file and
what it is named. The default that is added when you configure ModSSL with
Apache is "server.crt". I personally don't recommend using the default
names. Save yourself some frustration and name your certificates after the
host, as servername.crt (domainname.crt). You may also decide to use a
directory other than the default /etc/httpd/conf/ssl.crt or
/usr/local/apache/conf/ssl.crt. Just remember to make the necessary
changes to the path.
SSLCertificateKeyFile
SSLCertificateKeyFile tells Apache the name of the private key and where
to find it. The key file and its directory should be owned by root and
readable by root only (mode 0600 for the file, 0700 for the directory).
Apache reads the key while it is still running as root during startup,
before it drops privileges to the unprivileged server user, so nothing
else needs access to it. Anyone who can read that file can impersonate
your site.
SSLCertificateChainFile and SSLCACertificateFile
The SSLCertificateChainFile directive tells Apache where to find the
intermediate CA certificate(s) that sit between your certificate and a
root the browser trusts. Whether you need it depends on the CA that you
are using. (Apache 2.4.8 and later also accept the intermediates appended
to the file named in SSLCertificateFile, and treat SSLCertificateChainFile
as deprecated.)
SSLCACertificateFile is a different thing: it lists the CA certificates
Apache uses to verify CLIENT certificates when SSLVerifyClient is on. Many
CA instructions have told people to put the intermediate there, and it has
tended to work because OpenSSL will complete a missing chain from that
store, but it is not what the directive is for; use
SSLCertificateChainFile for the server's own chain.
Intermediate Certificate - A Certificate Authority does not usually sign
customer certificates with its root key directly. Instead the root signs a
second CA certificate, the intermediate, and the intermediate issues the
certificates to customers. The intermediate certificate says that its
holder is whom they say they are and is authorized to issue certificates.
Web browsers ship with a list of "trusted" root certificates that is
updated with each release, but they do not carry every intermediate. So
when your browser receives your server certificate alone, it cannot
complete the chain of trust: your certificate was signed by an
intermediate the browser has never seen, and only the root above it is
trusted. The solution is to install the intermediate certificate on the
server with the SSLCertificateChainFile directive, so the server sends it
along with its own certificate and the browser can chain back to the
trusted root. Note that this only helps when the root itself is in the
browser's list. If a CA is fairly new, its root may not be there yet, and
since most people don't update their browsers very often it could take
years before that CA is recognized automatically; nothing you configure on
the server can fix a missing root.
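Putting the directives above together, here is an added example of a secure
virtual host section (my illustration, not a configuration from the ModSSL
distribution). The IP address, hostnames, paths and file names are
assumptions; adjust them to your layout. The second host on the same socket
only works when the server and client both support SNI, as noted earlier.

```apache
# Added example, not part of the original article. 192.0.2.10,
# www.example.com, secure.example.net and all paths are assumed values.
Listen 443

# Required on Apache 2.2 and earlier for name-based hosts on this socket;
# Apache 2.4 ignores it (with a warning).
NameVirtualHost 192.0.2.10:443

<IfDefine SSL>
# The first secure host on a socket is the one non-SNI clients will get.
<VirtualHost 192.0.2.10:443>
    ServerName   www.example.com
    DocumentRoot /usr/local/apache/htdocs/www.example.com

    SSLEngine on

    # The server's own certificate, named after the host rather than the
    # default server.crt / server.key.
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/www.example.com.crt

    # Private key: root-owned, mode 0600, in a root-only (0700) directory.
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/www.example.com.key

    # Intermediate CA certificate(s), PEM, one after another, leaf-side
    # first. This is the file the browser needs to reach a trusted root.
    # On Apache 2.4.8+ you may instead append them to SSLCertificateFile.
    SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/www.example.com.chain.crt

    # SSLCACertificateFile is NOT for the server chain. It names the CAs
    # that are allowed to sign CLIENT certificates, and only matters when
    # SSLVerifyClient is enabled. Left commented out here.
    #SSLVerifyClient require
    #SSLCACertificateFile /usr/local/apache/conf/ssl.crt/client-ca.crt
</VirtualHost>

# A second secure host on the SAME IP and port. This works only with SNI
# (Apache 2.2.12+ built against an OpenSSL with TLS extension support);
# on classic ModSSL it would need its own IP or port.
<VirtualHost 192.0.2.10:443>
    ServerName   secure.example.net
    DocumentRoot /usr/local/apache/htdocs/secure.example.net

    SSLEngine on
    SSLCertificateFile      /usr/local/apache/conf/ssl.crt/secure.example.net.crt
    SSLCertificateKeyFile   /usr/local/apache/conf/ssl.key/secure.example.net.key
    SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/secure.example.net.chain.crt
</VirtualHost>
</IfDefine>
```

Before restarting, check the configuration with the SSL symbol defined
(apachectl configtest on Apache 1.3 started via startssl, or
httpd -t -DSSL) so that the <IfDefine SSL> block is actually parsed; a
plain configtest without the symbol will happily report "Syntax OK" while
skipping every line above.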
The script to restart the webserver may be located in
/usr/local/sbin or /usr/sbin (where the script is called httpd), or in
/usr/local/apache/bin (where the script is called apachectl). If the
server is currently running without SSL enabled, a plain restart will not
turn it on: the SSL symbol is only defined when the server is started, so
you will need to stop the server and start it again with SSL enabled
(apachectl startssl on Apache 1.3, or httpd -DSSL).
You may also write your own customized scripts to start, restart, and
stop your server. As long as they start the server with the SSL symbol
defined, you should be OK.