Gentoo Wiki


Note: Because of a limitation of MediaWiki the title is not correct. It should read: Apache Modules: mod_ssl


Getting Started

When installing Apache2, mod_ssl is included with the installation as long as you have the "ssl" USE flag enabled for apache. You can check whether the USE flag is enabled by running emerge -pv apache. If ssl is highlighted in red, you are good to go. If not, alter your USE flags in either /etc/make.conf or /etc/portage/package.use. For more information about altering your USE flags, read the appropriate section in the handbook.

SSL Keys

Here you have a choice: you can either use a certificate issued by a third party like Thawte or VeriSign (you might also want to check out TIP SSL certificates), which is recommended for broad public internet use, or generate your own keys. Generated keys (also referred to as self-signed certificates) are generally used for development, testing or internal use. If your certificates were supplied to you, just place them in the /etc/apache2/ssl directory.

For more detailed information regarding certificate generation, take a look at an SSL Certificate with Apache+mod_ssl.

Creating a Self-Signed Certificate

First, we need to generate a private key with the following command:

$ openssl genrsa -des3 -out server.key 1024

At this point, a key created this way (encrypted with 3DES) would force Apache to ask for the passphrase at each startup. If you don't want Apache to prompt you for a passphrase every time you start or restart it, remove the "-des3" option as shown in the next example.

$ openssl genrsa -out server.key 1024

The next step is to create a key file with the passphrase removed.

$ openssl rsa -in server.key -out server.pem

Now we need to use this key to generate a certificate request file.

$ openssl req -new -key server.pem -out server.csr

With this certificate request file, we can now generate ourselves a brand new self-signed certificate. The command below generates a certificate which is valid for 365 days. Without the "-days [number]" option the default is 30 days.

$ openssl x509 -req -days 365 -in server.csr -signkey server.pem -out server.crt
Note: The preceding steps make it easier to transition later to a certificate signed by a Certificate Authority, because the certificate request and the key stripped of its passphrase are saved in separate files. If you just need a certificate/key pair for encryption and don't foresee needing any validation, you can use the following one-line command to generate a server key and certificate file:

$ openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout mysql-client.key -out mysql-client.crt

Warning: Always remember that anyone with access to the key file associated with a certificate can assume the identity associated with that certificate. These private key files should only be readable by users who can validly use the certificate! In most cases only root should have access!
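The generation steps above, run end to end as an added example (not part of the original wiki page): it performs the four openssl steps non-interactively, locks down the private key as the warning advises, and checks that the certificate and key really belong together before they are referenced from an SSL virtual host. It assumes openssl is on PATH; the output directory, the CN and the passphrase are constructed demo values, and the 2048-bit size follows the page's one-liner rather than the 1024-bit commands.

```shell
#!/bin/sh
# Added example, not from the Gentoo wiki: the page's self-signed certificate
# procedure with the checks a practitioner wants before wiring the files into
# SSLCertificateFile / SSLCertificateKeyFile. Assumes openssl on PATH.
set -eu

# make_self_signed DIR CN DAYS -> server.key, server.pem, server.csr, server.crt in DIR
make_self_signed() {
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir"
    # Step 1: passphrase-protected key (passphrase is a constructed demo value).
    openssl genrsa -des3 -passout pass:demo-passphrase -out "$dir/server.key" 2048 2>/dev/null
    # Step 2: same key with the passphrase stripped, so Apache can start unattended.
    openssl rsa -passin pass:demo-passphrase -in "$dir/server.key" -out "$dir/server.pem" 2>/dev/null
    # Step 3: certificate request; -subj replaces the interactive prompts.
    openssl req -new -key "$dir/server.pem" -subj "/CN=$cn" -out "$dir/server.csr"
    # Step 4: self-sign the request for the requested number of days.
    openssl x509 -req -days "$days" -in "$dir/server.csr" -signkey "$dir/server.pem" \
        -out "$dir/server.crt" 2>/dev/null
    # Only the owner may read private key material (the page's warning).
    chmod 0600 "$dir/server.key" "$dir/server.pem"
}

# key_matches_cert KEY CRT -> exit 0 only when both carry the same RSA modulus,
# i.e. the configured key is really the one the certificate was issued for.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_cn CRT -> prints the subject CN of the certificate
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# key_is_private KEY -> exit 0 when the file mode is exactly 0600
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ]
}
```

Run key_matches_cert against the two paths you put in SSLCertificateFile and SSLCertificateKeyFile before restarting Apache; a mismatch is the usual cause of mod_ssl refusing to start after a certificate renewal.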

Configuring Apache to use your Certificate/Key Pair

In the configuration file for your SSL host (usually /etc/apache2/vhosts.d/00_default_ssl_vhost.conf), make sure the following directives are set, where server.key and server.crt are your respective private key and certificate files (assuming they are in /etc/apache2/ssl/):

File: /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

Enabling mod_ssl

As stated in the Apache2 install guide, to enable mod_ssl on your Apache2 server, simply add the "-D SSL -D SSL_DEFAULT_VHOST" options to the APACHE2_OPTS statement in /etc/conf.d/apache2.

Restart the Apache server and check that everything is working correctly.

# /etc/init.d/apache2 restart

Automatic Redirect

Should you wish to redirect all incoming traffic through SSL (i.e. every plain HTTP request is sent to the same path on the HTTPS host), extend your virtual host config files with these rewrite rules.

File: /etc/apache2/vhosts.d/00_default_vhost.conf
<VirtualHost *:80>
    # Redirect every plain-HTTP request to the same path over SSL
    RewriteEngine On
    RewriteCond %{HTTPS} !on
    RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]
</VirtualHost>

Warning: Use these rewrite rules only in non-SSL hosts (i.e. *:80)! Doing otherwise will result in SSL-enabled hosts getting caught in an endless self-redirection loop.

Changing the SSL Port

To change the port SSL runs on you will need to edit the configuration files for your SSL hosts (usually /etc/apache2/vhosts.d/00_default_ssl_vhost.conf). The following configuration example assumes you want SSL to run over port 8443.

File: /etc/apache2/vhosts.d/00_default_ssl_vhost.conf
<IfModule ssl_module>
# see bug #178966 why this is in here

# When we also provide SSL we have to listen to the HTTPS port
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
# Listen directives: "Listen [::]:443" and "Listen"
Listen 8443

# Use name-based virtual hosting.
NameVirtualHost *:8443

<VirtualHost *:8443>
    # ... the rest of the SSL virtual host stays unchanged ...
</VirtualHost>
</IfModule>

SSL Enabled, Name Based Virtual Hosts

Historically, SSL-enabled name-based virtual hosts had been impossible, because the server had to pick a certificate before it could read the Host header. Now, SSL-enabled, name-based virtual hosting is possible with SNI. Read HOWTO SSL Enabled, Name Based Virtual Hosts with Apache for more information.

Last modified: Sun, 31 Aug 2008 04:21:00 +0000