Client has a web site.
Client is using own server (computer) to host site
Client has a database that is not SSL secure
One of Client's customers is ticked off for not being secure.
Need to know how to have an SSL installed and how to set it up. I have never done anything like this. Any help would be greatly appreciated.
Eddie
right now I have
Apache port 80
Tomcat port 8080 (for JSPs, you might not use this)
MySQL port 3306
you need OpenSSL from openssl.org
you need to create a certificate
(don't know how yet)
you need to tell Apache to connect on port 443 (don't know how yet)
If I find out more I will give you a shout; I have a similar thread.
[edited by: newseed at 4:41 pm (utc) on Sep. 7, 2005]
It would seem to me to be cost effective if a hosting company were to install it and maintain it, versus one trying to do it themselves on their own server.
I am quite ignorant in this area so any feedback would be appreciated.
But we've all seen unsigned certificates and accepted them before.
The only concern for the majority of people is that the site is secure, and the home-made certificate will do that.
What it won't do is charge you $1000 for someone else to say yes, that's right, it is secure, and (this is what costs you) we are confirming that they really are who they say they are.
[jm-solutions.com...]
still can't get it to work but I feel a hell of a lot closer ;-)
You will still have to go to their website for the downloads though but read this:
Assumptions
The following assumptions are made:
•Apache 2.0.52 is already installed properly.
•Apache directories are named from the standard defaults i.e. Apache Group/Apache2/...
•OpenSSL is installed
Copy Download files
•Copy the Apache module mod_ssl.so to your Apache Group/Apache2/module directory
•Copy the ssl configuration file ssl.conf to your Apache Group/Apache2/conf directory
Modify Configurations files
You will need to modify two configuration files, http.conf and ssl.conf
http.conf
•Look for the "LoadModule" section in the http.conf file and remove the comment for the following line:
(If it's not there simply copy and paste this line within the "LoadModule" section)
LoadModule ssl_module modules/mod_ssl.so
•Make sure that you have an Include statement in the http.conf so that the http.conf will include the directives from the ssl.conf file. The end result is somewhat like one big conf file; because of this, make sure you don't repeat the same statements in both conf files. For example, if you specify the directive Listen 443 in the ssl.conf and also in the http.conf, Apache will issue an overlap warning.
# Bring in additional module-specific configurations
<IfModule mod_ssl.c>
Include conf/ssl.conf
</IfModule>
ssl.conf
The setup in our example will define the <VirtualHost> supporting SSL through port 443 in the ssl.conf file. We can of course define the <VirtualHost> directive supporting SSL directives in the http.conf file as shown below; to do so we must also have a Listen 443 in http.conf or ssl.conf. Regardless, I prefer to keep all the SSL related directives & statements together with the ssl.conf.
•Include the following lines in the ssl.conf file:
Listen 443
SSLSessionCache none
SSLMutex none
•Include or make sure you have the following lines for the general setup of the virtual host in the ssl.conf file.
(You will need to change the red to your own settings). However, to follow the example leave my-server as my-server.
<VirtualHost 192.168.xxx.xxx:443>
DocumentRoot "c:/my/webpages"
ServerName www.my-server.com:443
ServerAdmin my@email.com
ErrorLog logs/mySSLerror.log
SSLEngine on
LogLevel info
TransferLog logs/access_log
<Directory "c:/Apache Group/Apache2/cgi-bin">
SSLCertificateFile "c:/Apache Group/Apache2/conf/ssl.crt/my-server.crt"
SSLCertificateKeyFile "c:/Apache Group/Apache2/conf/ssl.key/my-server.key"
- - -
- - -
- - -
</VirtualHost>
•Comment out both start/end IfDefine tags.
#<IfDefine SSL>
- - -
- - -
- - -
#</IfDefine>
If you prefer not to comment out both start/end IfDefine tags you will be required to start Apache server using the -D SSL option for SSL support.
Creating the Keys
The next section will explain how to create the Certificate and Keys required for SSL support.
Creating the Certificate
Go to the command prompt and go into your openssl\bin folder. Then type this stuff:
•"openssl req -config openssl.cnf -new -out my-server.csr".
The openssl req command will prompt you for additional information to create and process certificate requests in PKCS#10 format using the config file openssl.cnf. After the completion of this command you will have a certificate signing request and a private key. When prompted for "Common Name (eg, your websites domain name)", give the exact domain name of your web server (e.g. www.my-server.com). The certificate belongs to this server name and browsers complain if the name doesn't match.
•"openssl rsa -in privkey.pem -out my-server.key".
The openssl rsa command will remove the pass phrase from the RSA private key. You MUST understand what this means; "my-server.key" should be only readable by the apache server and the administrator. If it exists, you should delete the ".rnd" file because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key.
•"openssl x509 -in my-server.csr -out my-server.crt -req -signkey my-server.key -days 365".
The openssl x509 command is a multi purpose certificate utility. It can be used to display certificate information, convert certificates to various forms, sign certificate requests like a "mini CA" or edit certificate trust settings. The above example will create a self-signed certificate that you can use until you get a "real" one from a certificate authority. (Which is optional; if you know your users, you can tell them to install the certificate into their browsers.) Note that this certificate expires after one year; you can increase -days 365 if you don't want this.
Copy the Certificate
After typing the above commands we created three files - "my-server.csr", "my-server.key" and "my-server.crt".
NOTE: the Certificate Signing Request file "my-server.csr" will not be used in this example. This file is what you copy/paste and send to your selected SSL provider, such as www.rapidssl.com, to purchase a real certificate.
We now need to copy the files to the Apache Group/Apache2/conf/ssl directory. If the ssl directory does not exist in Apache Group/Apache2/conf/ then create it.
•Copy the file "my-server.key" from the openssl/bin folder to the apache2/conf/ssl.key folder
•Copy the file "my-server.crt" from the Openssl/Bin directory to the Apache Group/Apache2/conf/ssl.crt directory.
Start the Server and Test https
At this point we are finished! Hopefully we will be able to access the server using SSL support by using https instead of http. It's advised to start the server from a command line using the command "apache -k start". This way, if we made any mistakes, we can view the error message from the console. We can also check the error.log and SSL.log for any errors.
NOTE: If you're using a router, don't forget to open its port 443!
To test https type in on the browser address line
[my-server.com:443...]
where "www.my-server.com" is found in your ssl.conf VirtualHost setting for ServerName. If all goes well we will be asked if we want to proceed using the Security Certificate.
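The key, CSR and self-signed certificate steps from the post above, as an added example that is not part of the original post: POSIX shell functions that use the same openssl subcommands, then check that the certificate matches the key, carries the expected host name and is not about to expire. The function names, the 2048-bit key size and the 30-day expiry threshold are assumptions made for this example; the file names follow the post's my-server placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

make_selfsigned() {  # $1 = output directory, $2 = host name used as the CN
    dir=$1; host=$2
    # Key and CSR in one step. -nodes writes the key without a pass phrase,
    # the same end state the post reaches with its separate "openssl rsa" step.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/my-server.key" -out "$dir/my-server.csr" \
        2>/dev/null || return 1
    # An unencrypted key must not be readable by other accounts.
    chmod 600 "$dir/my-server.key"
    # Self-sign the request, as in the post's "openssl x509 -req -signkey".
    openssl x509 -req -in "$dir/my-server.csr" \
        -signkey "$dir/my-server.key" -days 365 \
        -out "$dir/my-server.crt" 2>/dev/null
}

check_pair() {  # $1 = certificate, $2 = key, $3 = expected host name
    crt=$1; key=$2; host=$3
    # The public key inside the certificate must be the one derived from
    # the private key; Apache refuses to start SSL on a mismatched pair.
    a=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ] || { echo "key-mismatch"; return 1; }
    # Browsers complain when the name does not match, so compare the CN.
    # The pattern accepts both "CN=host" and "CN = host" output styles.
    openssl x509 -in "$crt" -noout -subject | grep -q "CN *= *$host\$" \
        || { echo "name-mismatch"; return 1; }
    # -checkend N fails if the certificate expires within N seconds;
    # 2592000 seconds is 30 days (threshold chosen for this example).
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null \
        || { echo "expires-soon"; return 1; }
    echo "ok"
}

# Usage, from an empty working directory:
#   make_selfsigned . www.my-server.com
#   check_pair my-server.crt my-server.key www.my-server.com
```

check_pair prints the first failed check (key-mismatch, name-mismatch or expires-soon) and returns non-zero, so it can run before each Apache restart.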
I just set one up on a local Win2k3 server. A walkthrough for IIS is provided by Calyx Software: [pdskb.calyxsoftware.com...]