Creating a Certificate
Once make has finished building Apache, it will print out
a message that reads, in part:
Before you install the package you now should prepare the SSL certificate system by running the 'make certificate' command.
In order to use secure sockets with our Apache build, we'll need to
create or set up the certificate and key that will be used to encrypt and
certify the secure communications. The simplest option, and the one that
makes the most sense if you're just getting started working with mod_ssl
in a development environment, is to use the TYPE=dummy option
to create a dummy certificate suitable for a non-production setting. If
you're planning to use your Apache/mod_ssl server to develop Internet
applications, this is the easiest option for getting up and running:
% make certificate TYPE=dummy
In a production setting, it makes more sense to purchase a signed
certificate from a known certificate authority such as
VeriSign or GeoTrust. In that case, you'll want to use the
TYPE=existing option along with the CRT and
KEY options to configure your new Apache build to use the
certificate and keys provided by your certificate authority:
% make certificate TYPE=existing \
    CRT=/path/to/server.crt \
    KEY=/path/to/server.key
And finally, if you'd like to create your own, self-signed certificate,
you can use the
TYPE=custom option. This option will prompt
you to answer a series of questions and will create a new custom
certificate for you. Note that it will ask for much the same information
twice -- once for the Certificate Authority (CA) and once for the server
certificate. Just be sure to enter different values for the
"Organization Unit Name" for each, as the certificate authority
and the owner of the server certificate cannot have the same
organizational unit name. You will also be prompted to encrypt the
certificate and key.
In general, it's a good idea to encrypt them in a multi-user environment. But in a controlled environment where only trusted users have access to the server (such as the majority of Mac OS X computers), it's not necessary to encrypt the keys. If you do decide to encrypt the keys, note that you will be prompted to enter a passphrase every time you start the Apache/mod_ssl server. Refer to the mod_ssl manual for more information.
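The following script is an added example, not part of the original article or of mod_ssl. It checks a certificate/key pair before it is handed to TYPE=existing: that the key belongs to the certificate, that the certificate has not expired, and that an unencrypted key is not readable by other accounts. It assumes the openssl command-line tool is installed; the function names are hypothetical and the sample pair is constructed.

```shell
#!/bin/sh
# Added example: checks to run on a certificate/key pair before
#   make certificate TYPE=existing CRT=... KEY=...
# Function names are illustrative; they are not part of Apache or mod_ssl.

# Succeeds only if the certificate carries the public half of the private key.
# $3 is an optional openssl pass-phrase source for an encrypted key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -passin "${3:-pass:}" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds if the certificate is still valid $2 seconds from now (default 0).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Encrypted PEM keys say so in their header lines.
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# Succeeds if group and other have no permission bits on the key file.
key_mode_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

preflight() {
    rc=0
    cert_matches_key "$1" "$2" "${3:-}" || { echo "FAIL: key does not match certificate"; rc=1; }
    cert_valid_for "$1" 0 || { echo "FAIL: certificate expired or unreadable"; rc=1; }
    cert_valid_for "$1" 2592000 || echo "WARN: certificate expires within 30 days"
    if ! key_is_encrypted "$2" && ! key_mode_is_private "$2"; then
        echo "FAIL: unencrypted key is accessible to group/other"; rc=1
    fi
    return $rc
}

# Constructed sample: throwaway RSA key and 1-day self-signed certificate.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1 &&
        chmod 600 "$1/server.key"
}

if [ $# -ge 2 ]; then
    preflight "$@"
else
    d=$(mktemp -d) && make_sample_pair "$d" && preflight "$d/server.crt" "$d/server.key"
    rm -rf "$d"
fi
```

Run it with the certificate and key paths as arguments; with no arguments it checks a throwaway pair it generates itself.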
Once you've finished configuring and building Apache and you've created and configured your SSL certificate, you can install Apache. Note that if you have an existing custom installation of Apache (because, for example, you built it according to the instructions in part one of this article), that version will be overwritten when you install the new build. I therefore recommend that you first move your existing Apache build out of the way.
% sudo mv /usr/local/apache /usr/local/apache.saf
% sudo make install
% cd ..
Following my own advice, I first move my existing Apache build out of
the way by renaming the directory in which it is stored from
/usr/local/apache to /usr/local/apache.saf. Then make
install installs the new build.
Testing Your New Apache Build
Yep, that was it. The new build of Apache with mod_ssl should be
completely installed in
/usr/local/apache. A quick test
confirms that the installation was successful:
% sudo /usr/local/apache/bin/apachectl configtest
Syntax OK
We use the same command as in part one to make sure that Apache can load its configuration file without error. And again, we can try running Apache and connecting from a web browser. Execute this command:
% sudo /usr/local/apache/bin/apachectl start
/usr/local/apache/bin/apachectl start: httpd started
Now fire up your favorite browser and type in your Mac's name ("localhost" will probably work fine). If you see a page that starts with, "Hey, it worked!", then you know that Apache was successfully installed and works on your Mac.
Finally, we want to test the mod_ssl interface to make sure that it's
working properly. Apache makes it very simple to use mod_ssl by providing
the startssl startup command to apachectl:
% sudo /usr/local/apache/bin/apachectl stop
/usr/local/apache/bin/apachectl stop: httpd stopped
% sudo /usr/local/apache/bin/apachectl startssl
/usr/local/apache/bin/apachectl startssl: httpd started
Now point your browser to your Mac again and check for "Hey, it worked!" This demonstrates that Apache is still working as normal. Now change the scheme for the URL in your browser from "http" to "https" to connect via SSL. If you've configured Apache/mod_ssl to use a certificate from a known certificate authority, you should be able to connect and see the same page as before. If you created a custom certificate, you will likely be prompted by your browser with a message to the effect of "This site has an identity that cannot be verified." Just agree to connect, since you can probably trust yourself. And if you created a dummy certificate, your browser may prompt you multiple times. Mine offered each of the following prompts in sequence:
- This site is using an expired certificate.
- This site has an identity that cannot be verified.
- There is a problem with this site's security certificate. It may be invalid, expired, or not registered with a trusted authority.
Just accept each of them and ultimately you should see the same test page as before.
What if the browser gave you a "connection refused" error? This is more than likely because you neglected to move your old Apache build out of the way. Well, even the best of us sometimes don't follow our own good advice. The new build of Apache has created a new configuration file, but did not replace your existing configuration file. So all you need to do to get your new mod_ssl build of Apache to serve via SSL is to swap the configuration files:
% sudo /usr/local/apache/bin/apachectl stop
/usr/local/apache/bin/apachectl stop: httpd stopped
% sudo mv /usr/local/apache/conf/httpd.conf \
    /usr/local/apache/conf/httpd.conf.old
% sudo mv /usr/local/apache/conf/httpd.conf.default \
    /usr/local/apache/conf/httpd.conf
% sudo /usr/local/apache/bin/apachectl startssl
/usr/local/apache/bin/apachectl startssl: httpd started
Now try to connect to your new Apache/mod_ssl server via "https", and say hello to the friendly default page with its "Hey, it worked!" message.
Rejoice. Your Apache with mod_ssl is now ready for use.