Setup Apache2 with OpenSSL Print
Written by Paul Matthews   

This is a how-to for using openssl to generate a ssl cert and use it with apache web server for a secure site.

Name: OpenSSL
Function: developed for transmitting private documents via the Internet using cryptographic a system

Name: Apache
Function: Webserver


1. Okay, firstly we need make the openssl directories

mkdir /etc/ssl/

2. Then we need to change into the directory

cd /etc/ssl

3. Make server SSL certificate

openssl genrsa -des3 -out server.key 1024


Setup Apache2 with OpenSSL

4. Create a Certificate Signing Request (CSR) with the server RSA private key.

openssl req -new -key server.key -out server.csr

Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", i.e. when you generate a CSR for a website which will be later accessed via, enter "" here.


Setup Apache2 with OpenSSL

5. Make CA certificate, Create a RSA private key for your CA

openssl genrsa -des3 -out ca.key 1024


Setup Apache2 with OpenSSL

6. Create a self-signed CA Certificate (X509 structure) with the RSA key of the CA .

openssl req -new -x509 -days 365 -key ca.key -out ca.crt


Setup Apache2 with OpenSSL

7. Use the signcert script to sign the server cert as your own CA.


or copy the following code into a file and execute it


nano /tmp/
## -- Sign a SSL Certificate Request (CSR)
##  Copyright (c) 1998 Ralf S. Engelschall, All Rights Reserved.

#   argument line handling
if [ $# -ne 1 ]; then
    echo "Usage: sign.sign <whatever>.csr"; exit 1
if [ ! -f $CSR ]; then
    echo "CSR not found: $CSR"; exit 1
case $CSR in
   *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
       * ) CERT="$CSR.crt" ;;

#   make sure environment exists
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index

#   create an own SSLeay config
cat >ca.config <<EOT
[ ca ]
default_ca              = CA_own
[ CA_own ]
dir                     = .
certs                   = \$dir
new_certs_dir           = \$dir/ca.db.certs
database                = \$dir/ca.db.index
serial                  = \$dir/ca.db.serial
RANDFILE                = \$dir/ca.db.rand
certificate             = \$dir/ca.crt
private_key             = \$dir/ca.key
default_days            = 365
default_crl_days        = 30
default_md              = md5
preserve                = no
policy                  = policy_anything
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

#  sign the certificate
echo "CA signing: $CSR -> $CERT:"
#ssleay ca -config ca.config -out $CERT -infiles $CSR
# above commented out by kcl and substituted below
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
#ssleay verify -CAfile ca.crt $CERT
openssl verify -CAfile ca.crt $CERT

#  cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

#  die gracefully
exit 0



8. Run the following command after you download the file

 ./ server.csr


Setup Apache2 with OpenSSL

9. Now we need to add the following lines to the httpd.conf


nano /etc/httpd/conf/httpd.conf


<VirtualHost *:443>
DocumentRoot /var/www/html/
<Directory "/var/www/html/">
allow from all
Options +Indexes
SSLCertificateFile /etc/ssl/server.crt
SSLCertificateKeyFile /etc/ssl/server.key
SSLEngine on


Setup Apache2 with OpenSSL

10. now we need to remove the default virtual host

nano /etc/httpd/conf.d/ssl.conf

comment out everything between

<VirtualHost _default_:443>

note: by 'comment out' i mean, add '#' infront of every line

11. Now start your apache server, you should be asked to enter a password, this is the password you enter above.

/etc/init.d/httpd start


Setup Apache2 with OpenSSL

12. When you can be sure that your server is secure enough you perform two steps, remove the encryption from the RSA private key (while preserving the original file):

cp server.key
openssl rsa -in -out server.key

13. Make sure the server.key file is now only readable by root:

chmod 400 server.key


Setup Apache2 with OpenSSL





cell3 Submit to
AddThis Social Bookmark Button