SSL Configuration

The previous sections introduced the (not-so-basic) concepts behind SSL, and you have learned how to generate keys and certificates. Now you can configure Apache to support SSL. As you learned earlier in the chapter, the mod_ssl module must either be compiled statically or, if you have compiled as a loadable module, the appropriate LoadModule directive must be present in the file.

The next step is to add the following configuration snippet to your Apache configuration file, replacing the information with your own, of course:

 Listen 443 <VirtualHost _default_:443> ServerName www.example.com SSLEngine on SSLCertificateFile \ /usr/local/ssl/openssl/certs/www.example.com.cert SSLCertificateKeyFile \ /usr/loca/ssl/openssl/certs/www.example.com.key </VirtualHost> 

This snippet sets up a new virtual host that will listen to port 443 (the default port for HTTPS), and you enable SSL on that virtual host with the SSLEngine directive. The SSLCertificateFile and SSLCertificateKeyfile directives indicate where to find the server's certificate and the file containing the associated key.

Starting the Server

If you compiled and installed Apache yourself, in many of the vendor configuration files, you can see that an <ifDefine SSL> block surrounds the SSL directives. That allows for conditional starting of the server in SSL mode. If you start the httpd server binary directly, you can pass it the -DSSL flag at startup. You can also use the apachectl script by issuing the apachectl startssl command. Finally, if you always want to start Apache with SSL support, you can just remove the <ifDefine> section and start Apache in your usual way.

If your server is running, and you restart it, you will be prompted for your pass phrase if your key is protected by one. After entering the correct password, Apache will start and you should be able to connect securely to it via the https://www.example.com/ URL. Substitute your own domain, of course. If you are unable to successfully start your server, check the Apache error log for clues about what might have gone wrong. For example, if you cannot bind to the port, make sure that another Apache instance is not running already. You must have administrator privileges to bind to port 443.