SSL/TLS with Apache 2.2 on Debian/Ubuntu Linux
This article provides basic knowledge and example configurations for using SSL/TLS with Apache.
It is assumed that you have a working Apache HTTP server and that you can access the computer's terminal with root privileges (e.g. via SSH).
The following commands and configurations are examples that should help you understand the SSL/TLS configuration in general. You need to adapt them to your needs.
Things you should know before you start
- Why can't I use SSL with name-based/non-IP-based virtual hosts? There is some light at the end of the tunnel, though: VhostTaskForce
- If done right, TLS is not computationally expensive any more. Many years ago this might have been true, but it's just not the case any more. If you want to know more, have a look at the article Overclocking SSL.
- TLS makes the communication with your website more secure, but it does not protect against all kinds of attacks and tracking. E.g. if an attacker is able to observe your traffic, it may still be possible to tell which pages you visited (based on the size of the transmitted data).
Necessary preparations
- The module mod_ssl has to be installed (should be the case by default) and active. If it is not, use the following to activate it:
sudo a2enmod ssl
- Your Apache should listen on the SSL/TLS default port 443 (→ Listen 443).
- OpenSSL has to be installed.
Set up the certificate
Import and use an existing certificate
Create and use a new certificate
Many articles on the web use apache2-ssl-certificate to create a certificate, but this information is outdated. The script/command is not available for Apache 2.2 on Debian/Ubuntu.
Weak, self-signed certificate for private usage or testing purposes
This is a good starting point. Create a weak, self-signed certificate to test and configure everything, and switch over to a better certificate signed by a trusted third party afterwards.
- Create the TLS/SSL directory if it is not existing:
sudo mkdir -p -v -m 0700 /etc/apache2/ssl/
- Create the certificate (replace server with your domain name or your server's IP, e.g. *.example.com or www.example.com, in all following commands):
sudo openssl req -new -x509 -nodes -out /etc/apache2/ssl/server.crt -keyout /etc/apache2/ssl/server.key
- Set the correct permissions:
sudo chown -R root /etc/apache2/ssl/
sudo chmod -R 400 /etc/apache2/ssl/
Strong certificate for professional usage
- Create the TLS/SSL directory if it is not existing:
sudo mkdir -p -v -m 0700 /etc/apache2/ssl/
You can use
sudo openssl ciphers -v
to check which encryption algorithms are available on your system. If available, I would recommend AES256-SHA or AES128-SHA. The genrsa OpenSSL documentation is also helpful.
- Create the private key (replace server with your domain name or your server's IP, e.g. *.example.com or www.example.com, in all following commands):
- 1st variant (without password, useful for common servers):
sudo openssl genrsa -out /etc/apache2/ssl/server.key 1024
- 2nd variant (including a password - you have to type it whenever Apache starts):
sudo openssl genrsa -aes256 -out /etc/apache2/ssl/server.key 1024
- Create a Certificate Signing Request (CSR):
sudo openssl req -new -key /etc/apache2/ssl/server.key -out /etc/apache2/ssl/server.csr
When you are asked for the “CommonName”, use your server's FQDN (“Fully Qualified Domain Name”, e.g. www.example.com). Wildcards like *.example.com work, but you may have to escape the * with a backslash.
- Check everything:
openssl req -noout -text -in /etc/apache2/ssl/server.csr
- Take the CSR file and send it to a Root-CA to sign it. You will get back a signed certificate (normally as plain text: -----BEGIN CERTIFICATE----- […] -----END CERTIFICATE-----). Store this certificate without any white-space behind -----END CERTIFICATE----- into /etc/apache2/ssl/server.crt.
- Set the correct permissions:
sudo chown -R root /etc/apache2/ssl/
sudo chmod -R 400 /etc/apache2/ssl/
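Before restarting Apache it is worth verifying that the files created above fit together. The following check script is an added example and not part of the original article; it assumes a Linux system with GNU stat and the server.key / server.csr / server.crt layout used here.

```shell
#!/bin/sh
# Sanity checks for the key, CSR and certificate created above (added example
# script, not part of the original article). Assumes GNU stat (Linux) and
# the article's file layout: server.key, server.csr and server.crt.

# Apache will not start if the certificate's public key does not belong to
# the private key it loads. Compare the RSA moduli of key and certificate.
cert_key_match() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# The CSR sent to the CA must have been built from the same private key.
csr_key_match() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    csr_mod=$(openssl req -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$csr_mod" ]
}

# The article warns against whitespace behind the END line of a pasted
# certificate: the last line must be exactly the END marker (no trailing
# blank line, space or CR).
cert_ends_cleanly() {
    [ "$(tail -n 1 "$1")" = "-----END CERTIFICATE-----" ]
}

# The private key must be owned by root with mode 400, as set above.
key_perms_ok() {
    owner_mode=$(stat -c '%U %a' "$1" 2>/dev/null) || return 1
    [ "$owner_mode" = "root 400" ]
}

# Run all checks and report; returns non-zero if any check fails.
check_all() {
    key=$1; csr=$2; crt=$3; rc=0
    cert_key_match "$key" "$crt" || { echo "FAIL: $crt does not match $key"; rc=1; }
    csr_key_match "$key" "$csr"  || { echo "FAIL: $csr does not match $key"; rc=1; }
    cert_ends_cleanly "$crt"     || { echo "FAIL: whitespace after END CERTIFICATE in $crt"; rc=1; }
    key_perms_ok "$key"          || { echo "FAIL: $key is not root-owned with mode 400"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $key, $csr and $crt are consistent"
    return "$rc"
}

# Usage: sudo sh check-ssl.sh /etc/apache2/ssl/server.key \
#        /etc/apache2/ssl/server.csr /etc/apache2/ssl/server.crt
if [ "$#" -eq 3 ]; then
    check_all "$1" "$2" "$3"
fi
```

Run it as root, since the key is readable by root only after the chmod above.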
Configure Apache
The basic configuration is done. Now you can add all the configuration directives needed to make it fit your needs. Simply put your needs into words, search for them, and have a look at the Apache documentation to find the required directives.
Some additional hints:
- Directives to use within a vHost or global config:
# SSL/TLS
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/example.crt
SSLCertificateKeyFile /etc/apache2/ssl/example.key
See also
Weblinks
Apache TLS/SSL
Debian/Apache HOWTO – this page provides good information about TLS/SSL, besides much basic knowledge.
TLS/SSL in general
- Overclocking SSL (Google) – “SSL/TLS is not computationally expensive any more. Ten years ago it might have been true, but it's just not the case any more.”