Mac OS X 10.6 – Setting up Apache 2.2 and SSL

Note that this is part of another article that I have written. See here.

Mac OS X and SSL – Getting SSL running for Development purposes

Someone asked me the other day how to setup SSL on Mac OS X 10.6.

My answer: I have an idea but haven’t done it.

Here’s how I did it.

First of all, know that you need to have mod_ssl compiled with Apache 2.2 (in my case I have Apache/PHP installed via MacPorts. See here.) None of the steps below will be at all useful if mod_ssl is not installed.

Here are the resources that I used:

1. Apple write-up –

2. Macworld – Similar to the Apple write-up

There are two parts to this:

1. Creating the self-signed certificates and keys for mod_ssl and Apache to use

2. Configuring Apache to work with mod_ssl, the certificates and keys

================================

Self-signed certificates

================================

1. Create a directory on the Desktop called ‘KeyGen’

2. Start the Terminal application

3. In Terminal enter: cd ~/Desktop/KeyGen

4. The next step is to create an RSA private key. The process will ask for a passphrase. Enter one and DON’T LOSE IT: every later command that uses the key will ask for it again, and so will Apache every time it starts with an encrypted key.

5. Create the RSA private key by using Terminal and entering: openssl genrsa -des3 -out server.key 1024

(1024 bits was the usual default when this was written. Current OpenSSL builds and browsers reject RSA keys that small, so on a modern system replace the trailing 1024 with 2048.)

6. Create a Certificate Signing Request. This would normally go to a Certificate Authority.

In our case we are self-signing. The process of creating this request requires that you fill in information.

The most important bit of information to fill in is the ‘Common Name’.

This is the ‘Common Name’ of the server at THIS point in the process: the exact host name or IP address you will later type into the browser.

So, for instance, the ‘Common Name’ could be ‘127.0.0.1’ or it could be ‘localhost’. Those are distinct and unique names. Pick one, use it and remember that you used it, because the browser compares the address it was given against the certificate and warns on any mismatch.

One caveat for current browsers: Chrome (since version 58) and current Safari and Firefox ignore the Common Name entirely and match the address only against a subjectAltName extension. A plain ‘openssl req’ run like the one below does not add that extension, so with these exact commands a modern browser will report a name mismatch even when the Common Name is right; adding a subjectAltName needs an extra config section passed to openssl.

I selected ‘127.0.0.1’.

7. To create the CSR enter into Terminal: openssl req -new -key server.key -out server.csr

8. Here’s the list of information that is requested:

Country Name (2 letter code) [AU]: (enter your country code here)

State or Province Name (full name) [Some-State]: (Enter your state here)

Locality Name (eg, city) []: (enter your city here)

Organization Name (eg, company) [Internet Widgits Pty Ltd]: (enter something here)

Organizational Unit Name (eg, section) []: (enter something here)

Common Name (eg, YOUR name) []: (this is the important one)

Email Address []: (your e-mail address)

Here is what I entered:

Country Name (2 letter code) [AU]: US

State or Province Name (full name) [Some-State]: MI

Locality Name (eg, city) []: Birmingham

Organization Name (eg, company) [Internet Widgits Pty Ltd]: My Company

Organizational Unit Name (eg, section) []: <<blank>>

Common Name (eg, YOUR name) []: 127.0.0.1

Email Address []: me@example.com


9. Now we need to create the Certificate Authority that will sign the server’s certificate request (it is the CSR that gets signed, not the key itself; the result will be the server certificate).

In Terminal enter:
openssl genrsa -des3 -out ca.key 1024

Enter in a passphrase. I used the same one from above. If you use something different remember it.

10. Time to create the self-signed CA Certificate. You’ll be using the RSA key you just made.

In Terminal enter:

openssl req -new -x509 -days 365 -key ca.key -out ca.crt

NOW…you’ll be asked for the passphrase and then you’ll be asked to fill in some information…just like above.

This one is a bit different. The Common Name this time will be YOUR name (or your organization’s), NOT the server name/IP address: this is the name that identifies the CA, and a CA whose name equals the server’s would be confusing.

Country Name (2 letter code) [AU]:US

State or Province Name (full name) [Some-State]:MI

Locality Name (eg, city) []:Birmingham

Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company

Organizational Unit Name (eg, section) []:<<blank>>

Common Name (eg, YOUR name) []: My Name

Email Address []:me@example.com

11. Signing the server.csr with the CA key and certificate

As we have been progressing through the steps above, files have been created in the directory we defined at the beginning of the steps, that is: ~/Desktop/KeyGen.

The next step is to sign the server.csr request with ca.key and ca.crt. The output is server.crt, the certificate that Apache will actually serve.

We need a script to do this. That script’s name is ‘sign.sh’.

The script MIGHT be on your machine but I doubt it. So you need to go get it.

In my case I downloaded the source for mod_ssl for Apache 1.3 (Here: http://www.modssl.org/). Once the source was downloaded I looked into the following path: mod_ssl(version number)/pkg.contrib/sign.sh.

Copy the sign.sh file into the ‘KeyGen’ directory on your desktop.

Run the following commands. The first makes the sign.sh file executable and the second runs the script against the server.csr file.

In the Terminal App (don’t include the ‘Command 1:’ and ‘Command 2:’ text):

Command 1: chmod +x sign.sh

Command 2: ./sign.sh server.csr

The script prints the details of the certificate it is about to issue in the Terminal window.

Enter the passphrase for ca.key when asked (the CA key is what does the signing).

Sign the certificate by pressing the ‘y’ key.

Commit the changes by pressing ‘y’ when asked to. When the script finishes, server.crt sits next to server.csr in the KeyGen directory.
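The eleven steps above collected into one script, as an added example that is not part of the original post. It replaces the interactive prompts with two small config files, uses 2048-bit keys instead of 1024, adds a subjectAltName (which the plain ‘openssl req’ run above does not and which current browsers require), signs the request with ‘openssl x509 -req’ instead of the mod_ssl sign.sh script, and keeps an unencrypted copy of the server key so Apache can start without a passphrase prompt. The passphrase, the subject fields, the output directory and the file name server.nopass.key are placeholders, and it assumes the openssl command line is installed.

```shell
#!/bin/sh
# Added example, not the original post's commands: the whole KeyGen
# procedure in one non-interactive function. Assumptions: the openssl CLI
# is installed; subject fields, the 'localhost' SAN entry and the file name
# server.nopass.key are placeholders chosen for this example.
set -eu

make_dev_certs() {
  dir=$1        # output directory (the post uses ~/Desktop/KeyGen)
  pass=$2       # passphrase protecting ca.key and server.key
  mkdir -p "$dir"
  umask 077     # private keys must not be readable by other users

  # CA subject and extensions. CN is a person/organization name, not the host.
  cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C  = US
ST = MI
L  = Birmingham
O  = My Company
CN = My Dev CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

  # Server subject and extensions. CN is the address typed into the browser;
  # subjectAltName repeats it because modern browsers match SAN only.
  cat > "$dir/server.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
C  = US
ST = MI
L  = Birmingham
O  = My Company
CN = 127.0.0.1
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:127.0.0.1, DNS:localhost
EOF

  # Steps 9-10: CA key and self-signed CA certificate.
  openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 365 -config "$dir/ca.cnf" \
    -key "$dir/ca.key" -passin "pass:$pass" -out "$dir/ca.crt"

  # Steps 4-7: server key and certificate signing request.
  openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -config "$dir/server.cnf" \
    -key "$dir/server.key" -passin "pass:$pass" -out "$dir/server.csr"

  # Step 11: sign the CSR with the CA, producing server.crt. -extfile is
  # needed because 'x509 -req' does not copy the extensions from the CSR.
  openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin "pass:$pass" -CAcreateserial \
    -extfile "$dir/server.cnf" -extensions v3_req -out "$dir/server.crt"

  # Apache would otherwise ask for the passphrase at every start; for a
  # development box keep an unencrypted copy for SSLCertificateKeyFile.
  openssl rsa -in "$dir/server.key" -passin "pass:$pass" -out "$dir/server.nopass.key"

  # Checks: server.crt chains to ca.crt, and it carries the SAN entry.
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q 'IP Address:127.0.0.1'
}

# Stand-alone use: ./mkcerts.sh ~/Desktop/KeyGen 'your-passphrase'
if [ "$#" -ge 1 ]; then
  make_dev_certs "$1" "${2:-changeit}"
fi
```

The function exits non-zero as soon as any openssl step fails, so a successful return means the chain verifies and the certificate really names 127.0.0.1. Copy server.crt and server.nopass.key to wherever Apache will read them, keep ca.key out of that directory, and import ca.crt into Keychain Access (marked as trusted) so the browser stops warning.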

================================

Setting up Apache 2.2

================================

In the above steps we created the keys and certificates necessary for using SSL with Apache.

The following is a very simple set of steps to get things running.

NOTE: NONE of this setup is for a PRODUCTION server.

1. Move the contents of the KeyGen directory into an accessible location.

My local setup looks something like ‘/opt/local/’ with ‘/opt/local/etc’

What I did is create a directory called ‘httpd’ in the ‘etc’ directory. I then added another directory inside of that called ‘ssl_key’. So the final path to where I stored things is: ‘/opt/local/etc/httpd/ssl_key/’

Copy the contents of the ‘KeyGen’ directory into ‘/opt/local/etc/httpd/ssl_key/’

2. Edit the httpd.conf file
In my case I did two very simple things:

a. Since I compiled Apache with mod_ssl I had the following line in my httpd.conf file: Include conf/extra/httpd-ssl.conf

Uncomment that line by removing the # in front of it.

b. Navigate to the following path: /opt/local/apache2/conf/extra/httpd-ssl.conf

Apache needs to know where the SSL certificate and its private key are. Find the SSLCertificateFile directive. The default will be something like: SSLCertificateFile “/opt/local/apache2/conf/server.crt”

Change the path to match the location of your server .crt file. In my case the path is something like:
SSLCertificateFile “/opt/local/etc/httpd/ssl_key/server.crt”

Do the same for the SSLCertificateKeyFile directive a few lines further down. Its default, “/opt/local/apache2/conf/server.key”, does not exist either, and it must point at your server.key. Note that server.key was encrypted with a passphrase in step 5, so Apache will stop and ask for it every time it starts (and fail to start when there is no terminal to ask on). For a development box, either type it at each start or keep an unencrypted copy of the key and point the directive at that.

We need to tell Apache to listen for SSL connections. The stock Apache 2.2 httpd-ssl.conf already contains the line: Listen 443. Check that it is there and not commented out, and do not add a second copy in httpd.conf: two Listen lines for the same port make Apache fail to bind with ‘Address already in use’.

c. SSL Session Cache

Lastly we need to tell mod_ssl where to cache session information.

Look for the comment block headed ‘Inter-Process Session Cache’ in httpd-ssl.conf (that text is a comment heading, not a directive).

Make sure the line ‘SSLSessionCache “dbm:/opt/local/apache2/logs/ssl_scache”’ below it is NOT commented out, and that it is the only active SSLSessionCache line: the stock file ships with a shmcb variant active by default, so comment that one out if you switch to dbm.
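As an added example (not the original post’s file), here is the handful of lines in httpd-ssl.conf that this setup depends on, with the stock Apache 2.2 defaults shown commented out next to the values for the /opt/local/etc/httpd/ssl_key/ layout above. The unencrypted key file name server.nopass.key is an assumption, not something the post creates; everything else follows the paths used on this page.

```apache
# /opt/local/apache2/conf/extra/httpd-ssl.conf (excerpt)
# Added example, not the original post's file. Paths follow the
# /opt/local/etc/httpd/ssl_key/ layout chosen above; server.nopass.key is an
# assumed unencrypted copy of server.key.

# Port. The stock 2.2 file already carries this line; do not repeat it in
# httpd.conf or Apache fails with "Address already in use" on :443.
Listen 443

# Session cache: exactly one SSLSessionCache line may be active.
#SSLSessionCache        "shmcb:/opt/local/apache2/logs/ssl_scache(512000)"
SSLSessionCache         "dbm:/opt/local/apache2/logs/ssl_scache"
SSLSessionCacheTimeout  300

<VirtualHost _default_:443>
    DocumentRoot "/opt/local/apache2/htdocs"
    ServerName 127.0.0.1:443
    ErrorLog "/opt/local/apache2/logs/error_log"

    # Without this the vhost speaks plain HTTP on 443 and every TLS
    # handshake is logged as "Invalid method in request \x16\x03\x01".
    SSLEngine on

    # Stock defaults, which point at files that do not exist on this setup:
    #SSLCertificateFile    "/opt/local/apache2/conf/server.crt"
    #SSLCertificateKeyFile "/opt/local/apache2/conf/server.key"
    SSLCertificateFile     "/opt/local/etc/httpd/ssl_key/server.crt"

    # The passphrase-protected server.key makes apachectl start stop and ask
    # for the passphrase (SSLPassPhraseDialog builtin) and fail when there is
    # no terminal. Point at an unencrypted copy instead on a development box.
    SSLCertificateKeyFile  "/opt/local/etc/httpd/ssl_key/server.nopass.key"
</VirtualHost>
```

Run /opt/local/apache2/bin/apachectl -t before restarting; it reports syntax errors and missing certificate files without touching the running server. Once Apache is up, ‘openssl s_client -connect 127.0.0.1:443 -CAfile /opt/local/etc/httpd/ssl_key/ca.crt’ should print the server certificate and end with ‘Verify return code: 0 (ok)’; any other code means the certificate Apache serves does not chain to your ca.crt. Keep the key files readable only by root and the Apache user.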

================================

Testing

================================

1. Starting and Stopping Apache2

a. Start: /opt/local/apache2/bin/apachectl -k start

b. Stop: /opt/local/apache2/bin/apachectl -k stop

c. Restart: /opt/local/apache2/bin/apachectl -k restart

2. Where to look for errors

Apache will log errors into the ‘error_log’ file located at ‘/opt/local/logs/apache2/error_log’

The only error that I ran into was this one: Invalid method in request

It had to do with the way that I had the .conf file setup. If you get that error take a look at the .conf files.

3. Hitting the server

a. After you have made your .conf file changes restart the server

b. Go to a browser and type in: https://127.0.0.1 (with https, not http: an http:// URL on port 443 sends plain HTTP to the TLS port, and Apache answers with a 400 Bad Request saying you are speaking plain HTTP to an SSL-enabled server port)

c. The browser will warn that the certificate is not trusted, because it was issued by your own CA rather than one the system knows. Accept it for this session, or import ca.crt into Keychain Access and mark it as trusted so the warning goes away for good. With the Common Name set to ‘127.0.0.1’ the name only matches when you browse to exactly that address, not to ‘localhost’.

d. You should see in the browser a little lock indicating that the connection is encrypted.
