Oracle9i Application Server Installation Guide
Release 1.0.2 for Windows NT

Part Number A86240-01


D
Enabling SSL for Apache

This appendix describes the method of enabling SSL for Apache. The following topics guide you through the necessary steps:

Generate the Certification Request

Perform the following steps to generate a certificate request:

  1. Make the following changes to the openssl.cnf file to generate the certificate request:

    #
    #OpenSSL example configuration file
    #This is mostly being used for generation of certificate requests.
    #
    #This definition stops the following lines choking if HOME isn't defined.
    HOME =
    RANDFILE=$ENV::HOME/.rnd
    oid_section=new_oids

    Use the commands below to generate the certification request:

    ...\Apache\open_ssl\bin\openssl md5 * > rand.dat
    ...\Apache\open_ssl\bin\openssl genrsa -rand rand.dat -des3 1024 > key.pem
    ...\Apache\open_ssl\bin\openssl req -new -key key.pem -out csr.pem -config openssl.cnf

    When you run the final command, you are prompted for the fields below and a certificate request is generated. The following is an example of the prompts and responses:

    Country Name (2 letter code) [AU]: US
    State or Province Name (full name) [Some-State]: California
    Locality Name (eg, city) []: Redwood Shores
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: Oracle
    Organizational Unit Name (eg, section) []: EITQA
    Common Name (eg, YOUR name) []: pdarshan-pc.us.oracle.com
    Email Address []: username@oracle.com

    Please enter the following "extra" attributes to be sent with your certification request:

    A challenge password []:
    An optional company name []:

    Be sure to take note of the following:

    • These commands create two files: key.pem and csr.pem (certificate request).

    • For Common Name, include the FULL name of the HOST and DOMAIN you are running the command on.

    • Remember the password you enter. This password is used every time Oracle HTTP Server is started.

  2. Send the certification request to the certificate authority. In the CSR area, paste the certification request from the csr.pem file.

  3. When you receive the certificate, paste it into a file named portalcert.crt.

    Be sure that you get the Root Trial CA certificate by going to the URL mentioned in the Certificate Authority email. Export that certificate from the browser to a file named rootcacert.crt.

  4. Copy the following files into the appropriate directories:

    • Certificate file portalcert.crt into the ...\Apache\Apache\conf\ssl.crt directory.

    • key.pem file into the ...\Apache\Apache\conf\ssl.key directory.

    • Root Trial CA file rootcacert.crt into the ...\Apache\Apache\conf\ssl.crt directory.

Modify httpd.conf File to Enable SSL

Make the following changes to the httpd.conf file to enable SSL:

  1. Port changes: Be sure your entries are similar to the ones in the example below:

    #
    # This port is used when starting without SSL
    Port 80
    # This port is used when starting with SSL
    <IfDefine SSL>
    Port 80
    Port 443
    </IfDefine>

    ##
    ## SSL Support
    ##
    ## When we also provide SSL we have to listen to the standard HTTP port
    ## (see above) and to the HTTPS port
    ##
    <IfDefine SSL>
    Listen 80
    Listen 443
    </IfDefine>

    ##
    ## SSL Virtual Host Context
    ##
    <VirtualHost _default_:443>

  2. SSL certificate-related entries: For the certificate entry, search for SSLCertificateFile and set it as shown below, so that it points to the certificate that came from the certificate authority:

    SSLCertificateFile conf\ssl.crt\portalcert.crt

    Entry for Server Private Key

    SSLCertificateKeyFile conf\ssl.key\key.pem

    Entry for Server Certificate Chain: (The Root Trial CA Certificate)

    Entry for Certificate Authority (CA): as below

    #Certificate Authority (CA):
    #Set the CA certificate verification path where to find CA
    #certificates for client authentication or alternatively one
    #huge file containing all of this (file must be PEM encoded).
    #Note: Inside SSLCACertificatePath you need hash symlinks
    #to point to the certificate files. Use the provided
    #Makefile to update the hash symlinks after changes.
    #SSLCACertificateFile conf\ssl.crt\ca-bundle.crt
    SSLCACertificatePath conf\ssl.crt
    SSLCACertificateFile conf\ssl.crt\rootcacert.crt

  3. Restart Apache.
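
Before the restart in step 3, the three SSL entries from step 2 can be checked for two mistakes that keep them from taking effect: a missing space after the directive name, and a file entry that names only the directory. This is an added example, not part of the Oracle guide; the function name check_ssl_entries and both sample texts are constructed for illustration, and the expected file names are the ones used on this page.

```python
import re

EXPECTED = {  # file each directive should name, taken from the steps on this page
    "SSLCertificateFile": "portalcert.crt",
    "SSLCertificateKeyFile": "key.pem",
    "SSLCACertificateFile": "rootcacert.crt",
}

def check_ssl_entries(conf_text):
    """Return a list of problems in the active SSL entries of httpd.conf text."""
    problems, seen = [], {name: [] for name in EXPECTED}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not active entries
        parts = line.split(None, 1)
        name, value = parts[0], (parts[1] if len(parts) > 1 else "")
        for directive in EXPECTED:
            # e.g. "SSLCertificateFile\conf\...": the separating space is missing
            if name.startswith(directive) and name[len(directive):][:1] in ("\\", "/"):
                problems.append(f"line {lineno}: no space after {directive}")
        if name in seen:  # exact-case match; Apache itself ignores case here
            seen[name].append((lineno, value.strip().strip('"')))
    for directive, filename in EXPECTED.items():
        if not seen[directive]:
            problems.append(f"{directive}: no active entry")
        for lineno, value in seen[directive]:
            # The value must name the file itself, not only its directory.
            if re.split(r"[\\/]", value)[-1] != filename:
                problems.append(f"line {lineno}: {directive} should end in "
                                f"{filename}, got '{value}'")
    return problems

# Constructed samples (not from a real server). SAMPLE_BAD has two mistakes.
SAMPLE_BAD = r"""
SSLCertificateFile\conf\ssl.crt\portalcert.crt
SSLCertificateKeyFile conf\ssl.key\key.pem
#SSLCACertificateFile conf\ssl.crt\ca-bundle.crt
SSLCACertificateFile conf\ssl.crt
"""
SAMPLE_GOOD = r"""
SSLCertificateFile conf\ssl.crt\portalcert.crt
SSLCertificateKeyFile conf\ssl.key\key.pem
SSLCACertificateFile conf\ssl.crt\rootcacert.crt
"""

if __name__ == "__main__":
    for problem in check_ssl_entries(SAMPLE_BAD):
        print(problem)
```

The check compares the configured paths as text only; it does not open the files or confirm that key.pem matches portalcert.crt.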

      
    

Copyright © 2000 Oracle Corporation.

All Rights Reserved.
