= Apache HTTPS Configuration =

'''Description of HTTPS configuration on honir.softxs.ch'''

= General Notes =

This description is applicable (tested) on FreeBSD 7.2 and 8.0, in an Apache '''virtual host''' environment, where the same certificate is used for all virtual hosts.

= Setup New DNS Name =

Not needed. Use '''*.softxs.ch''' as common name. One wildcard certificate can serve every name-based virtual host on port 443 because the server presents the same certificate whichever host is requested, so no SNI is needed. It only covers names directly under softxs.ch, though: a wildcard matches a single label, so www.softxs.ch is covered while a.b.softxs.ch or a host under another domain is not.

= Setup Certificates =

OpenSSL should be installed. Use port security/openssl if CA.pl is not found.

Three things to keep in mind with this CA.pl:
 * The keys it generates are 1024-bit RSA (default_bits in /etc/ssl/openssl.cnf, visible in the transcripts below); current guidance is 2048 bits or more.
 * $DAYS is only passed to the openssl req calls (-newreq, -newcert). The -sign step runs openssl ca, which takes the certificate lifetime from default_days in /etc/ssl/openssl.cnf; that is why the signed certificate below is valid for 365 days although $DAYS was raised to 1825. Change default_days, or pass -days to openssl ca, if the server certificate should live longer.
 * The certificate carries the host name only in the CN. Current browsers match host names against the subjectAltName extension and ignore the CN, so a certificate made this way also needs a DNS entry in a subjectAltName. Also give the CA its own CN: the transcripts use *.softxs.ch for both the CA and the server certificate, which works but makes the two hard to tell apart in chain output.

{{{
locate CA.pl
...
/usr/src/crypto/openssl/apps/CA.pl
...
cd /root
mkdir -p work/certificates
cd work/certificates
cp /usr/src/crypto/openssl/apps/CA.pl .
vi CA.pl
# Change the following
$DAYS="-days 365";
# to
$DAYS="-days 1825";
:x
}}}

{{{
perl CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.........++++++
...................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:Zug
Locality Name (eg, city) []:Zug
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SoftXS GmbH
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:*.softxs.ch        # only 1 certificate is allowed -> use wildcard
Email Address []:alan@softxs.ch
}}}

{{{
perl CA.pl -newreq
Generating a 1024 bit RSA private key
........++++++
.............................................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:Zug
Locality Name (eg, city) []:Zug
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SoftXS GmbH
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:*.softxs.ch
Email Address []:alan@softxs.ch

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem
}}}

{{{
perl CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            8f:db:ea:5b:29:35:12:0b
        Validity
            Not Before: Jul 31 10:46:16 2008 GMT
            Not After : Jul 31 10:46:16 2009 GMT
        Subject:
            countryName               = CH
            stateOrProvinceName       = Zug
            localityName              = Zug
            organizationName          = SoftXS GmbH
            commonName                = *.softxs.ch
            emailAddress              = alan@softxs.ch
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                47:27:08:DB:DC:CA:53:36:53:DF:E7:EA:8A:8D:53:49:2E:1B:C6:98
            X509v3 Authority Key Identifier:
                keyid:04:3F:E8:2C:28:CF:28:8A:EE:CF:95:F6:15:41:61:6E:DC:C2:4E:77
                DirName:/C=CH/ST=Zug/L=Zug/O=SoftXS GmbH/CN=*.softxs.ch/emailAddress=alan@softxs.ch
                serial:8F:DB:EA:5B:29:35:12:0A

Certificate is to be certified until Jul 31 10:46:16 2009 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
}}}

On older FreeBSD use "apache2" instead of "apache22" everywhere below, if appropriate.

The first command below strips the passphrase from the key (openssl rsa writes it out unencrypted) so that Apache can start unattended. From then on the file mode is the only protection the key has: keep server.key root-owned with mode 0600, and do not leave the unencrypted copy lying around in the work directory.

{{{
openssl rsa < newkey.pem > server_key.pem
cp newcert.pem server_cert.pem
cd /usr/local/etc/apache22
mkdir ssl.crt ssl.key
cd /root/work/certificates
cp server_cert.pem /usr/local/etc/apache22/ssl.crt/server.crt
cp server_key.pem /usr/local/etc/apache22/ssl.key/server.key
cp ./demoCA/cacert.pem /usr/local/etc/apache22/ssl.crt/ca.crt
cd /usr/local/etc/apache22
cp httpd.conf httpd.conf-20100311
cp extra/httpd-ssl.conf extra/httpd-ssl.conf-20100311
}}}

= Update /etc/rc.conf =

Apache itself must be enabled at boot with apache22_enable="YES" (apache2_enable="YES" on the older port). In addition:

{{{
vi /etc/rc.conf
# add the following line if not added yet:
apache2ssl_enable="YES"
:x
}}}

= Update /usr/local/etc/apache22/httpd.conf =

Uncomment the Include lines for '''httpd-vhosts.conf''' and '''httpd-ssl.conf''':

{{{
[root@ymir /usr/local/etc/apache22]# diff httpd.conf-20100311 httpd.conf
0a1,2
> # 2010-03-11 TN: https configured
> #
1a4
> #
447c450
< #Include etc/apache22/extra/httpd-vhosts.conf
---
> Include etc/apache22/extra/httpd-vhosts.conf
459c462
< #Include etc/apache22/extra/httpd-ssl.conf
---
> Include etc/apache22/extra/httpd-ssl.conf
}}}

= Update /usr/local/etc/apache22/extra/httpd-ssl.conf =

Move and set all common SSL settings '''outside(!!!)''' the '''<VirtualHost>''' section.
The '''<VirtualHost>''' section of httpd-ssl.conf itself is unused, since the virtual hosts are defined in httpd-vhosts.conf; that is why the settings go at server scope, where every virtual host inherits them. The common settings:

{{{
# Common SSL settings (1 key for all virtual hosts)
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
SSLVerifyClient none

# Server Certificate:
SSLCertificateFile "/usr/local/etc/apache22/ssl.crt/server.crt"
# Server Private Key:
SSLCertificateKeyFile "/usr/local/etc/apache22/ssl.key/server.key"
# Server Certificate Chain:
SSLCertificateChainFile "/usr/local/etc/apache22/ssl.crt/ca.crt"
# Certificate Authority (CA):
SSLCACertificatePath /usr/local/etc/apache22/ssl.crt
SSLCACertificateFile /usr/local/etc/apache22/ssl.crt/ca.crt
# Common SSL settings end
}}}

Two of these values deserve a second look. '''SSLProtocol all''' enables every protocol the OpenSSL build supports, including SSLv2 and SSLv3; exclude both (SSLProtocol all -SSLv2 -SSLv3). '''SSLCipherSuite HIGH:MEDIUM''' admits medium-strength suites, and HIGH by itself also matches the anonymous ADH suites, which encrypt without authenticating the server; drop MEDIUM and add !aNULL. The SSLCACertificatePath/SSLCACertificateFile entries only matter for client-certificate verification, which SSLVerifyClient none disables, so they are harmless but unnecessary here. Sending the self-signed CA in SSLCertificateChainFile is fine: clients that do not already trust ca.crt will warn either way.

All changes:

{{{
[root@ymir /usr/local/etc/apache22/extra]# diff httpd-ssl.conf-20100311 httpd-ssl.conf
69a70,85
> # Common SSL settings (1 key for all virtual hosts)
> SSLProtocol all
> SSLCipherSuite HIGH:MEDIUM
> SSLVerifyClient none
>
> # Server Certificate:
> SSLCertificateFile "/usr/local/etc/apache22/ssl.crt/server.crt"
> # Server Private Key:
> SSLCertificateKeyFile "/usr/local/etc/apache22/ssl.key/server.key"
> # Server Certificate Chain:
> SSLCertificateChainFile "/usr/local/etc/apache22/ssl.crt/ca.crt"
> # Certificate Authority (CA):
> SSLCACertificatePath /usr/local/etc/apache22/ssl.crt
> SSLCACertificateFile /usr/local/etc/apache22/ssl.crt/ca.crt
> # Common SSL settings end
>
99c115
< SSLCertificateFile "/usr/local/etc/apache22/server.crt"
---
> #SSLCertificateFile "/usr/local/etc/apache22/server.crt"
107c123
< SSLCertificateKeyFile "/usr/local/etc/apache22/server.key"
---
> #SSLCertificateKeyFile "/usr/local/etc/apache22/server.key"
}}}

= Update /usr/local/etc/apache22/extra/httpd-vhosts.conf =

Add the '''NameVirtualHost''' directive for port 443, and for every virtual host a '''<VirtualHost *:443>''' section containing a '''<Directory>''' section for its document root. Because all hosts on port 443 share the wildcard certificate, the hosts differ only in ServerName and DocumentRoot; each of them needs its own SSLEngine on.
Example:

{{{
NameVirtualHost *:443

# -- coya2.softxs.ch
<VirtualHost *:443>
    DocumentRoot /home/www/shtml/coya
    ServerName coya2.softxs.ch
    Options -Indexes

    SSLEngine on

    # access rules for the document root
    <Directory /home/www/shtml/coya>
        Options None
        AllowOverride AuthConfig Limit
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
}}}

All changes (virtual hosts lu.softxs.ch and coya2.softxs.ch, both enabled on HTTP and HTTPS):

{{{
[root@ymir /usr/local/etc/apache22/extra]# diff httpd-vhosts.conf-20100311 httpd-vhosts.conf
19a20
> NameVirtualHost *:443
28,33c29,31
< ServerAdmin webmaster@dummy-host.example.com
< DocumentRoot "/usr/local/docs/dummy-host.example.com"
< ServerName dummy-host.example.com
< ServerAlias www.dummy-host.example.com
< ErrorLog "/var/log/dummy-host.example.com-error_log"
< CustomLog "/var/log/dummy-host.example.com-access_log" common
---
> DocumentRoot /usr/local/www/apache22/data
> ServerName lu.softxs.hu
> Options -Indexes
37,41c35,37
< ServerAdmin webmaster@dummy-host2.example.com
< DocumentRoot "/usr/local/docs/dummy-host2.example.com"
< ServerName dummy-host2.example.com
< ErrorLog "/var/log/dummy-host2.example.com-error_log"
< CustomLog "/var/log/dummy-host2.example.com-access_log" common
---
> DocumentRoot /home/www/shtml/coya
> ServerName coya2.softxs.ch
> Options -Indexes
43a40,70
>
> DocumentRoot /usr/local/www/apache22/data
> ServerName lu.softxs.hu
> Options -Indexes
>
> SSLEngine on
>
>
>
> Options None
> AllowOverride AuthConfig Limit
> Order allow,deny
> Allow from all
>
>
> # -- coya2.softxs.ch
>
>
> DocumentRoot /home/www/shtml/coya
> ServerName coya2.softxs.ch
> Options -Indexes
>
> SSLEngine on
>
>
>
> Options None
> AllowOverride AuthConfig Limit
> Order allow,deny
> Allow from all
>
}}}
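Review bot: ServerName lu.softxs.hu in hunks 28,33c29,31 and 43a40,70 disagrees with the lu.softxs.ch named in the text, and a *.softxs.ch certificate does not cover any name under softxs.hu, so the HTTPS host added in 43a40,70 will always raise a certificate warning; either correct the name to lu.softxs.ch or issue a certificate for the .hu name. The per-host ErrorLog/CustomLog lines removed in 28,33c29,31 and 37,41c35,37 are not replaced in the new port-443 hosts either, so all of their traffic lands in the server-wide logs; add per-host log lines if the sites are meant to be accounted for separately.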
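The Setup Certificates steps above (CA.pl -newca / -newreq / -sign), redone as an added example with plain openssl commands; this is not code from the page. It assumes a work directory given as the first argument, 2048-bit keys, a CA subject, validity periods and a subjectAltName (DNS:*.softxs.ch, DNS:softxs.ch) chosen for the demo, and signs the request with openssl x509 -req instead of openssl ca, so no demoCA database is needed. The function names (setup_pki, verify_chain, cert_covers, key_matches_cert, key_bits) are this example's own. It also runs the checks worth doing before copying the files into ssl.crt/ and ssl.key/: chain validity, key/certificate match, and which host names the wildcard actually covers.

```shell
#!/bin/sh
# Added example (not from the page): the CA.pl walk-through done with explicit
# openssl commands.  Everything is written under the directory passed as $1;
# the subjects, key sizes, lifetimes and SAN below are assumptions for the demo.
set -eu

CA_DAYS=1825                                   # the page's $DAYS value, used for the CA
SRV_DAYS=825                                   # server cert: keep it short and reissue
CA_SUBJ="/C=CH/ST=Zug/L=Zug/O=SoftXS GmbH/CN=SoftXS internal CA"   # assumed CA name
SRV_SUBJ="/C=CH/ST=Zug/L=Zug/O=SoftXS GmbH/CN=*.softxs.ch"
SRV_SANS="DNS:*.softxs.ch,DNS:softxs.ch"       # browsers match the SAN, not the CN

# Create a CA and a wildcard server certificate signed by it in directory $1.
setup_pki() {
    d=$1
    mkdir -p "$d"
    # Minimal req config: -subj supplies the DN, v3_ca marks the CA certificate.
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Leaf extensions: not a CA, server authentication only, SAN with the wildcard.
    cat > "$d/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $SRV_SANS
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # 2048-bit keys instead of the 1024-bit default shown in the page's transcripts.
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$d/ca.key" -days "$CA_DAYS" -subj "$CA_SUBJ" \
        -config "$d/req.cnf" -sha256 -out "$d/ca.crt"
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -key "$d/server.key" -subj "$SRV_SUBJ" \
        -config "$d/req.cnf" -out "$d/server.csr"
    # Sign the single request directly (CA.pl -sign would run openssl ca instead).
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days "$SRV_DAYS" -sha256 -extfile "$d/server.ext" \
        -out "$d/server.crt" 2>/dev/null
    # Apache reads the key unencrypted, so the file mode is its only protection.
    chmod 600 "$d/server.key" "$d/ca.key"
}

# Does ca.crt validate server.crt?
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" 2>/dev/null | grep -q ': OK$'
}

# Does the certificate cover host name $2?  A wildcard matches exactly one label,
# so *.softxs.ch covers www.softxs.ch but neither a.b.softxs.ch nor lu.softxs.hu.
cert_covers() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" \
        2>/dev/null | grep -q ': OK$'
}

# Key and certificate belong together when their public keys are identical;
# run this before copying them into ssl.key/ and ssl.crt/.
key_matches_cert() {
    k=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$1/server.crt" -noout -pubkey | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# RSA modulus size of private key $1, in bits.
key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

if [ $# -gt 0 ]; then
    setup_pki "$1"
    verify_chain "$1" && echo "chain: OK"
    key_matches_cert "$1" && echo "key/cert: match ($(key_bits "$1/server.key") bit)"
    for h in www.softxs.ch softxs.ch a.b.softxs.ch lu.softxs.hu; do
        if cert_covers "$1" "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
    done
fi
```

Run it as `sh pki-demo.sh /tmp/pki` (the script name is arbitrary): it creates the files, then reports the chain check, the key/certificate match and the host-name coverage. The last line of the host loop is the point made in the review note above: a wildcard for softxs.ch says nothing about lu.softxs.hu.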
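An added check for the "Common SSL settings" block from the httpd-ssl.conf section and for the key file copied into ssl.key/ (example code, not from the page): it flags SSLProtocol values that leave SSLv2 or SSLv3 enabled, cipher-list groups that admit weak or anonymous suites, and a key file readable by anyone but its owner. The sample configurations written by write_samples are constructed for the demo; weak.conf holds the protocol and cipher lines of the page's block, hardened.conf the corrected ones. The function names (write_samples, audit_ssl_conf, key_is_private) are this example's own.

```shell
#!/bin/sh
# Added example (not from the page): audit the mod_ssl protocol and cipher
# directives and the private-key file mode.  The sample configs are constructed.
set -euf    # -f: no pathname globbing while splitting config lines into words

# Write weak.conf (the page's settings) and hardened.conf into directory $1.
write_samples() {
    mkdir -p "$1"
    cat > "$1/weak.conf" <<'EOF'
# Common SSL settings (1 key for all virtual hosts)
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
SSLVerifyClient none
EOF
    cat > "$1/hardened.conf" <<'EOF'
# Common SSL settings, hardened: no SSLv2/SSLv3, no weak or anonymous suites
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
SSLVerifyClient none
EOF
}

# Audit the mod_ssl directives in file $1: one finding per line on stdout,
# exit status = number of findings (0 means clean).
audit_ssl_conf() {
    f=$1
    proto=all suite= n=0        # mod_ssl 2.2 defaults to "SSLProtocol all"
    while IFS= read -r line; do
        set -- $line            # split into words; "#..." comment lines match nothing
        [ $# -ge 2 ] || continue
        case $1 in
            SSLProtocol)    shift; proto=$* ;;
            SSLCipherSuite) suite=$2 ;;
        esac
    done < "$f"

    # SSLProtocol is applied left to right: "all", a bare name or "+name" turns a
    # protocol on, "-name" turns it off, and a bare name replaces the whole set.
    for legacy in SSLv2 SSLv3; do
        on=0
        for tok in $proto; do
            case $tok in
                all|"$legacy"|"+$legacy") on=1 ;;
                "-$legacy"|[!+-]*)        on=0 ;;
            esac
        done
        if [ "$on" -eq 1 ]; then
            echo "SSLProtocol '$proto' leaves $legacy enabled"
            n=$((n + 1))
        fi
    done

    # HIGH:MEDIUM admits medium-strength suites, and HIGH alone also matches the
    # anonymous ADH suites, so !aNULL is required for authenticated key exchange.
    anull_excluded=0
    for tok in $(printf '%s\n' "$suite" | tr ':,' '  '); do
        case $tok in
            '!aNULL'|'!ADH') anull_excluded=1 ;;
            '!'*|'-'*)       ;;                          # exclusions are fine
            MEDIUM|LOW|EXP|EXPORT|EXPORT40|EXPORT56|NULL|eNULL|aNULL|ADH|RC4|DES|MD5|SSLv2)
                echo "SSLCipherSuite '$suite' admits weak group '$tok'"
                n=$((n + 1)) ;;
        esac
    done
    if [ -z "$suite" ]; then
        echo "SSLCipherSuite not set: mod_ssl 2.2's default list admits LOW and EXPORT suites"
        n=$((n + 1))
    elif [ "$anull_excluded" -eq 0 ]; then
        echo "SSLCipherSuite '$suite' does not exclude anonymous suites (add !aNULL)"
        n=$((n + 1))
    fi
    return "$n"
}

# True when file $1 has no group or other permission bits at all.  The page
# strips the passphrase (openssl rsa < newkey.pem), so the mode is all that
# protects the key.
key_is_private() {
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
    esac
    return 1
}

if [ $# -gt 0 ]; then
    write_samples "$1"
    for c in weak hardened; do
        echo "== $c.conf"
        audit_ssl_conf "$1/$c.conf" || echo "-> $? finding(s)"
    done
fi
```

Run as `sh ssl-audit.sh /tmp/audit` (name arbitrary) to see the page's block produce four findings (SSLv2, SSLv3, MEDIUM, missing !aNULL) and the hardened block none; `audit_ssl_conf /usr/local/etc/apache22/extra/httpd-ssl.conf` and `key_is_private /usr/local/etc/apache22/ssl.key/server.key` are the calls to make against the live files.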