I've done this successfully using a script I wrote a while back. One of the gotchas seems to be that the "Common Name" should be the server name (or static IP number if you don't have one). This must match the ServerName directive in httpd.conf.

#! /bin/bash
# Step 1: create a private Certificate Authority (CA). The key is
# passphrase-protected (-des3); openssl will prompt for it.
echo; echo -e "Generating Certificate Authority (CA) [1]:"
openssl genrsa -des3 -out ca.key 4096
# Step 2: self-signed CA certificate, valid for one year. openssl prompts
# for the subject fields (Country, Organization, Common Name, ...).
echo; echo -e "Generating Certificate Authority (CA) [2]:"
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Step 3: the web server's own private key.
echo; echo -e "Generating Server Key:"
openssl genrsa -des3 -out server.key 4096
# Step 4: certificate signing request. The Common Name entered here is
# what clients compare against the host name, so it must equal ServerName.
echo; echo -e "Generating certificate signing request (CSR):"
echo -e " ** name entered for Common Name (CN) should match your server name **"
openssl req -new -key server.key -out server.csr
# Step 5: have the CA sign the CSR, producing the server certificate.
echo; echo -e "Signing CSR with CA:"
openssl x509 -req -days 365 -in server.csr -CA ca.crt \
    -CAkey ca.key -set_serial 01 -out server.crt
# Step 6: strip the passphrase so Apache can start without prompting.
echo; echo -e "Making insecure version of server.key for apache startup"
openssl rsa -in server.key -out server.key.insecure
# Keep the passphrase-protected key as server.key.secure; the unencrypted
# copy becomes server.key, which is what Apache will load.
echo; echo -e "Renaming server secure/insecure keys"
mv server.key server.key.secure
mv server.key.insecure server.key
# Step 7: install the key and certificate where httpd-ssl.conf expects them.
sudo cp server.key /etc/apache2/server.key
sudo cp server.crt /etc/apache2/server.crt

Still seems to work...
In order to get Apache to use the SSL certificates, it's necessary to change httpd.conf.
First, uncomment the LoadModule line so that ssl_module gets loaded:
LoadModule ssl_module libexec/apache2/mod_ssl.so
Then uncomment the line in httpd.conf that includes the httpd-ssl.conf file:
Include /private/etc/apache2/extra/httpd-ssl.conf
Now make some changes to httpd-ssl.conf, which lives in the extra/ directory.
Set the ServerName correctly (and the ServerAdmin email address, if you like):
ServerName name.of.your.server:443
ServerAdmin email.address@nowhere.com
Set the SSLCertificateFile and SSLCertificateKeyFile to the correct file paths:
SSLCertificateFile "/private/etc/apache2/server.crt"
SSLCertificateKeyFile "/private/etc/apache2/server.key"
And that should be it. Try loading https://localhost in a web browser. Check the Apache error log if there's a problem.
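The checks below are an added example, not part of the original post or its script. They repeat the post's certificate generation non-interactively (a -subj string instead of prompts, unencrypted keys like the "insecure" key Apache ends up loading) and then verify the two things that usually go wrong: that server.crt really chains to ca.crt, and that the certificate's name matches the ServerName that clients will use. The host names, directory and the small "Example Test CA" subject are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): unattended version of the
# post's procedure plus the checks to run before pointing Apache at the files.

# make_certs DIR HOSTNAME: throwaway CA and a server certificate for HOSTNAME.
# A subjectAltName is added as well as the CN, because browsers match the
# host name against the SAN and only fall back to the CN when no SAN exists.
make_certs() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" \
        -subj "/CN=Example Test CA" -out "$dir/ca.crt"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" \
        -out "$dir/server.csr"
    # "openssl x509 -req" does not copy CSR extensions, so the SAN is
    # supplied through an extension file at signing time.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -set_serial 01 -extfile "$dir/san.cnf" \
        -out "$dir/server.crt" 2>/dev/null
}

# chain_ok DIR: succeeds only if server.crt was issued by ca.crt.
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# host_ok DIR HOSTNAME: what a client does, i.e. the certificate must chain
# AND be issued for HOSTNAME. This is the post's "Common Name must match
# ServerName" gotcha turned into a check.
host_ok() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
        "$1/server.crt" >/dev/null 2>&1
}

# cert_cn DIR: prints the CN of server.crt, for comparing with ServerName.
cert_cn() {
    openssl x509 -in "$1/server.crt" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_matches_cert DIR: catches copying the wrong key into /etc/apache2 by
# comparing the public key inside the certificate with the private key's.
key_matches_cert() {
    c=$(openssl x509 -in "$1/server.crt" -noout -pubkey)
    k=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Demonstration with a placeholder host name. A certificate for
# www.example.test is fine for https://www.example.test but a browser
# opening https://localhost will see a name mismatch.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_certs "$work" "www.example.test"
    chain_ok "$work" && echo "chain to CA: OK"
    key_matches_cert "$work" && echo "server.key matches server.crt: OK"
    host_ok "$work" "www.example.test" && echo "name www.example.test: OK"
    host_ok "$work" "localhost" || echo "name localhost: mismatch (expected)"
    echo "CN in certificate: $(cert_cn "$work")"
    rm -rf "$work"
fi
```

Run the checks against the files you actually copied into /etc/apache2 (pass that directory as DIR) rather than against the working copies; a mismatch between server.key and server.crt there shows up as Apache refusing to start, while a CN/SAN that differs from ServerName shows up only in the browser, not in the Apache logs.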