Gentoo Wiki


Prerequisites: Modules in Apache2 are controlled by


Edit that file and add


to your "APACHE2_OPTS" if it doesn't already exist. The resulting line may look something like this:


Set up your virtual host definition in /etc/apache2/vhosts.d/00_default_vhost.conf. As I understand it, you can only have one HTTPS site per IP address.

<VirtualHost *:443>
  DocumentRoot /var/www/domainname/htdocs
  CustomLog     logs/domainname.log  clf
  SSLEngine  On
  SSLCertificateFile     /etc/apache2/ssl/server.crt
  SSLCertificateKeyFile  /etc/apache2/ssl/server.key
</VirtualHost>
Note: On newer installations of Apache2 (version?) you will find server.crt and server.key pre-generated in /etc/apache2/ssl/

Restart Apache and then check that it is listening on port 443:

/etc/init.d/apache2 restart
 * Stopping apache2 ..                                                                     [ ok ]
 * Starting apache2 ... 

# netstat -tpan | grep 443
tcp  0   0*   LISTEN  30903/apache2

Generate a key and certificate signing request:

#  openssl req -new > new.cert.csr

It asks you some questions:

  1. Common Name is your FQDN.
  2. Add a passphrase; it will get removed later.
Generating a 1024 bit RSA private key
writing new private key to 'privkey.pem'
Enter PEM pass phrase: XXXXXXXXXXXXXXX
Verifying - Enter PEM pass phrase:XXXXXXXXXXXXXXX
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []
Email Address []

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Remove the passphrase from the key (optional):

openssl rsa -in privkey.pem -out new.cert.key

Convert the request into a self-signed certificate (valid for 1825 days):

openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 1825

Copy the key and certificate to the place the vhost definition expects them:

#  cp new.cert.cert /etc/apache2/ssl/server.crt
#  cp new.cert.key /etc/apache2/ssl/server.key
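The key, request and self-signing steps above, as an added example script that is not from the wiki page: it runs the same openssl steps non-interactively and then checks the result the way you would before pointing Apache at it. It assumes openssl is on PATH; the directory, the CN and the 2048-bit key size are my choices (the page's output shows a 1024-bit key, which is too small by today's standards).

```shell
#!/bin/sh
# Added example (not Gentoo Wiki code): CSR -> self-signed cert, then sanity checks.
set -eu

# make_self_signed <workdir> <common-name> <days>
# Writes key.pem (no passphrase) and cert.pem into <workdir>.
make_self_signed() {
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir"
    # Step 1: key + CSR. -nodes skips the passphrase the page strips later anyway;
    # -subj answers the DN prompts so nothing is interactive.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/key.pem" -out "$dir/req.csr" 2>/dev/null
    # Step 2: self-sign the request, same as the page's 'openssl x509 -req -signkey'.
    openssl x509 -req -in "$dir/req.csr" -signkey "$dir/key.pem" \
        -days "$days" -out "$dir/cert.pem" 2>/dev/null
    # Apache reads the key as root at startup; nobody else needs to read it.
    chmod 600 "$dir/key.pem"
}

# key_matches_cert <key> <cert>: the public key inside the cert must come from
# this private key, otherwise Apache refuses to start SSLEngine.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_subject_cn <cert>: prints the CN; it must equal the site's FQDN.
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_is_unencrypted <key>: a passphrase-protected key makes Apache prompt at boot.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# key_is_private <key>: true only if the file mode is exactly 0600.
key_is_private() {
    [ -n "$(find "$1" -perm 600)" ]
}

# cert_valid_for <cert> <seconds>: true if the cert does not expire within <seconds>.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}
```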


If you are getting that "some data may have been transferred" error, it is because Apache is listening on port 443 but doesn't have the SSLEngine turned on. If you run

openssl s_client -host localhost -port 443

it will attempt to make an SSL connection to localhost on port 443. You can then type:

GET / HTTP/1.0

and you should get the web page back.


Last modified: Thu, 04 Sep 2008 05:58:00 +0000