


Build Your Own Apache Server with mod_perl and mod_ssl
Pages: 1, 2, 3, 4

Creating a Certificate

Once make has finished building Apache, it will print out a message that reads, in part:

Before you install the package you now should prepare the SSL certificate system by running the 'make certificate' command.

In order to use secure sockets with our Apache build, we'll need to create or set up the certificate and key that will be used to encrypt and certify the secure communications. The simplest option, and the one that makes the most sense if you're just getting started working with mod_ssl in a development environment, is to use the TYPE=dummy option to create a dummy certificate suitable for a non-production setting. If you're planning to use your Apache/mod_ssl server to develop Internet applications, this is the easiest option for getting up and running:

% make certificate TYPE=dummy

In a production setting, it makes more sense to purchase a signed certificate from a known certificate authority such as VeriSign or GeoTrust. In that case, you'll want to use the TYPE=existing option along with the CRT and KEY options to configure your new Apache build to use the certificate and keys provided by your certificate authority:

% make certificate TYPE=existing \
  CRT=/path/to/server.crt \
  KEY=/path/to/server.key

And finally, if you'd like to create your own, self-signed certificate, you can use the TYPE=custom option. This option will prompt you to answer a series of questions and will create a new custom certificate for you. Note that it will ask for much the same information twice -- once for the Certificate Authority (CA) and once for the server certificate. Just be sure to enter different values for the "Organization Unit Name" for each, as the certificate authority and the owner of the server certificate cannot have the same organizational unit name. You will also be prompted to encrypt the certificate and key.

In general, it's a good idea to encrypt them in a multi-user environment. But in a controlled environment where only trusted users have access to the server (such as the majority of Mac OS X computers), it's not necessary to encrypt the keys. If you do decide to encrypt the keys, note that you will be prompted to enter a passphrase every time you start the Apache/mod_ssl server. Refer to the mod_ssl manual for more information.
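
The trade-off above turns on two facts about the server key: whether it is passphrase-encrypted and whether other local users can read the file. The script below is an added example, not part of the original article, that checks both; its function names and sample files are constructed for illustration, and you pass it the path of your own key file.

```shell
#!/bin/sh
# Added example: report whether a PEM private key is passphrase-protected
# and, if it is not, whether other local users can read the file.

# Exit 0 if the key is encrypted. Traditional OpenSSL PEM keys carry a
# "Proc-Type: 4,ENCRYPTED" header; PKCS#8 keys use their own BEGIN line.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Exit 0 if the group or other permission bits allow reading the file.
key_is_exposed() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# Print one verdict for the file given as $1.
audit_key() {
    if ! grep -q -e '^-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo "not-a-key"
    elif key_is_encrypted "$1"; then
        echo "encrypted"
    elif key_is_exposed "$1"; then
        echo "plaintext-exposed"
    else
        echo "plaintext-restricted"
    fi
}

# Constructed sample files: real PEM framing, placeholder body (not real keys).
make_samples() {
    body='Q09OU1RSVUNURUQgU0FNUExF'
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' "$body" \
        '-----END RSA PRIVATE KEY-----' > "$1/encrypted.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' "$body" \
        '-----END RSA PRIVATE KEY-----' > "$1/open.key"
    cp "$1/open.key" "$1/locked.key"
    chmod 644 "$1/encrypted.key" "$1/open.key"
    chmod 600 "$1/locked.key"
}

# With no argument, audit the constructed samples; otherwise audit "$@".
if [ $# -eq 0 ]; then
    tmp=$(mktemp -d) && make_samples "$tmp"
    trap 'rm -rf "$tmp"' EXIT
    set -- "$tmp"/*.key
fi
for f in "$@"; do printf '%s: %s\n' "$f" "$(audit_key "$f")"; done
```

A "plaintext-exposed" verdict is the case the multi-user advice is about: either encrypt the key or restrict the file to its owner.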


Once you've finished configuring and building Apache and you've created and configured your SSL certificate, you can install Apache. Note that if you have an existing custom installation of Apache (because, for example, you built it according to the instructions in part one of this article), that version will be overwritten when you install the new build. I therefore recommend that you first move your existing Apache build out of the way.

% sudo mv /usr/local/apache /usr/local/apache.saf
% sudo make install
% cd ..

Following my own advice, I first move my existing Apache build out of the way by renaming the directory in which it is stored from apache to apache.saf. Then, make install installs the new build.

Testing Your New Apache Build

Yep, that was it. The new build of Apache with mod_ssl should be completely installed in /usr/local/apache. A quick test confirms that the installation was successful:

% sudo /usr/local/apache/bin/apachectl configtest
Syntax OK

We use the same command as in part one to make sure that Apache can load its configuration file without error. And again, we can try running Apache and connecting from a web browser. Execute this command:

% sudo /usr/local/apache/bin/apachectl start
/usr/local/apache/bin/apachectl start: httpd started

Now fire up your favorite browser and type in your Mac's name ("localhost" will probably work fine). If you see a page that starts with, "Hey, it worked!", then you know that Apache was successfully installed and works on your Mac.

Testing mod_ssl

Finally, we want to test the mod_ssl interface to make sure that it's working properly. Apache makes it very simple to use mod_ssl by providing the startssl startup command to apachectl:

% sudo /usr/local/apache/bin/apachectl stop 
/usr/local/apache/bin/apachectl stop: httpd stopped
% sudo /usr/local/apache/bin/apachectl startssl
/usr/local/apache/bin/apachectl startssl: httpd started

Now point your browser to your Mac again and check for "Hey, it worked!" This demonstrates that Apache is still working as normal. Now change the scheme for the URL in your browser from "http" to "https" to connect via SSL. If you've configured Apache/mod_ssl to use a certificate from a known certificate authority, you should be able to connect and see the same page as before. If you created a custom certificate, you will likely be prompted by your browser with a message to the effect of "This site has an identity that cannot be verified." Just agree to connect, since you can probably trust yourself. And if you created a dummy certificate, your browser may prompt you multiple times. Mine offered each of the following prompts in sequence:

  • This site is using an expired certificate.
  • This site has an identity that cannot be verified.
  • There is a problem with this site's security certificate. It may be invalid, expired, or not registered with a trusted authority.

Just accept each of them and ultimately you should see the same test page as before.

What if the browser gave you a "connection refused" error? This is more than likely because you neglected to move your old Apache build out of the way. Well, even the best of us sometimes don't follow our own good advice. The new build of Apache has created a new configuration file, but did not replace your existing configuration file. So all you need to do to get your new mod_ssl build of Apache to serve via SSL is to swap the configuration files:

% sudo /usr/local/apache/bin/apachectl stop
/usr/local/apache/bin/apachectl stop: httpd stopped
% sudo mv /usr/local/apache/conf/httpd.conf \
% sudo mv /usr/local/apache/conf/httpd.conf.default \
% sudo /usr/local/apache/bin/apachectl startssl
/usr/local/apache/bin/apachectl startssl: httpd started

Now try to connect to your new Apache/mod_ssl server via "https", and say hello to the friendly default page with its "Hey, it worked!" message.

Rejoice. Your Apache with mod_ssl is now ready for use.
