The previous sections introduced the (not-so-basic) concepts behind SSL, and you have learned how to generate keys and certificates. Now, finally, you can configure Apache to support SSL. mod_ssl must either be compiled statically or, if you have compiled as a loadable module, the appropriate LoadModule directive must be present in the file.
If you compiled Apache yourself, a new Apache configuration file, named ssl.conf, should be present in the /conf directory. That file contains a sample Apache SSL configuration, and is referenced from the main httpd.conf file via an Include directive.
If you want to start your configuration from scratch, you can add the following configuration snippet to your Apache configuration file:
Listen 80 Listen 443 <VirtualHost _default_:443> ServerName www.example.com SSLEngine on SSLCertificateFile \ /usr/local/ssl/install/openssl/certs/www.example.com.cert SSLCertificateKeyFile \ /usr/loca/ssl/install/openssl/certs/www.example.com.key </VirtualHost>
With the previous configuration, you set up a new virtual host that will listen to port 443 (the default port for HTTPS), and you enable SSL on that virtual host with the SSLEngine directive.
You need to indicate where to find the server's certificate and the file containing the associated key. You do so by using SSLCertificateFile and SSLCertificateKeyfile directives.
Starting the Server
Now you can stop the server if it is running, and start it again. If your key is protected by a pass phrase, you will be prompted for it. After this, Apache will start, and you should be able to connect securely to it via the https://www.example.com/ URL.
If you compiled and installed Apache yourself, in many of the vendor configuration files, you can see that an <IFDEFINE SSL> block surrounds the SSL directives. That allows for conditional starting of the server in SSL mode. If you start the httpd server binary directly, you can pass it the -DSSL flag at startup. You can also use the apachectl script by issuing the apachectl startssl command. Finally, if you always want to start Apache with SSL support, you can just remove the <ifDefine> section and start Apache in the usual way.
If you are unable to successfully start your server, check the Apache error log for clues about what might have gone wrong. For example, if you cannot bind to the port, make sure that another Apache is not running already. You must have administrator privileges to bind to port 443.