C H A P T E R  4

Enabling Apache Web Servers

This chapter explains how to configure and enable the Sun Crypto Accelerator 1000 board for use with Apache Web Servers. This chapter includes the following sections:

Creating a Private Key and Certificate

The following procedure describes how to create the private key and certificate required to enable Apache Web Servers to use the Sun Crypto Accelerator 1000 board. If you already have a private key and certificate, go to Enabling Apache Web Servers.

procedure icon  To Create a Private Key and Certificate

1. Generate an RSA private key in Privacy-Enhanced Mail (PEM) format.

% /usr/sfw/bin/openssl genrsa -des3 -out /etc/apache/ssl.key/server.key 1024

2. Create your PEM passphrase.

This passphrase protects the key material. Be sure to select a strong passphrase, but one that you can remember. If you forget the passphrase, you will be unable to access your keys.

Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

caution icon

Caution - You must remember the passphrase you enter. Without the passphrase, you cannot access your keys. There is no way to retrieve a lost passphrase.

3. Generate the certificate request.

% /usr/sfw/bin/openssl req -new -key /etc/apache/ssl.key/server.key -out /etc/apache/ssl.csr/certreq.csr

4. Create a certificate request using the keys you just created.

You must first enter the passphrase to access your keys. Then provide the appropriate information for the following fields:

The following is an example of how the certificate fields are entered:

Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) []:Fictional Company, Inc.
Organizational Unit Name (eg, section) []:Online Sales Division
Common Name (eg, YOUR name) []:www.fictional-company.com
Email Address []:admin@fictional-company.com
Please enter the following `extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []: Fictional Comany, Inc.

5. Hand off the certreq.csr file to your certificate authority.

6. Once the certificate is signed by the certificate authority, go to the next section to setup the Apache Web Server.

Enabling Apache Web Servers

Apache Web Server and mod_ssl are provided with the Solaris 10 Operating System. The following instructions are for these specific releases of Apache Web Server. Refer to the Apache Web Server documentation for more information.

procedure icon  To Enable the Apache Web Server

1. Create an httpd configuration file.

For Solaris systems, the httpd.conf-example file is usually in /etc/apache. You can use this file as a template and copy it as follows:

% cp /etc/apache/httpd.conf-example /etc/apache/httpd.conf

2. Replace ServerName with your server name in the http.conf file.

3. Save the issued key as /etc/apache/ssl.key/.

4. Save the issued certificate as /etc/apache/ssl.crt/server.crt.

Note - When generating the key and copying the certificate, any cert or key with the same filename is overwritten. Other names can be chosen, the names in this example are defaults. If other names are chosen, the administrator must change the SSLCertificateFile and SSLCertificateKeyFile directives in httpd.conf to point to the new filenames.

5. Start the Apache Web Server.

This example assumes the Apache binary directory is /usr/apache/bin; if this is not the Apache binary directory, type in the correct directory.

% /usr/apache/bin/apachectl startssl

6. Enter you PEM passphrase if prompted for it.

7. Verify the SSL enabled web server with a browser pointing to the following URL:


Note - The default port is 443.

8. Verify that the Sun Crypto Accelerator 1000 Board is being used.

% kstat -n dca0

Verify that the rsaprivate field is being incremented in the statistics.