I gave a brief overview of things to know about Secure Sockets Layer (SSL) in my last post. This post covers setting up a local SSL server for development or testing. It will also get you started with OpenSSL, the open-source cryptography library used to generate the certificate.
We now know that we need a certificate to set up a secure channel, and that this certificate carries a public key from a public-key cryptosystem. macOS already comes with OpenSSL installed; for Windows you can download it from this source: https://www.openssl.org/source/
If required, you can upgrade the OpenSSL library using Homebrew or MacPorts.
We can either use a certificate issued by a trusted Certificate Authority or generate our own with OpenSSL for testing. Create a new directory to store the output and navigate to it using the terminal or cmd. This command generates a self-signed certificate and its private key:
openssl req \
-newkey rsa:2048 -nodes -keyout ssl.key \
-x509 -days 365 -out ssl.crt
The options used in that command, in the order they appear:
req: the PKCS#10 (Public Key Cryptography Standards #10) certificate request and certificate generating utility.
-newkey rsa:2048: creates a new certificate request and a new private key. The argument takes one of several forms; rsa:nbits, where nbits is the number of bits, generates an RSA key nbits in size. (The bigger the key, the slower the algorithm. In this case I am using 2048 bits; you can also use 4096 bits.)
-nodes: if this option is specified, the private key that is created will not be encrypted.
-keyout ssl.key: the filename to write the newly created private key to.
-x509: outputs a self-signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self-signed root CA.
-days 365: when the -x509 option is used, this specifies the number of days the certificate is valid for. (The default is 30 days; I am using 365.)
-out ssl.crt: the output filename to write the certificate to, or standard output by default.
Enabling SSL in Apache Server
macOS comes with the Apache server installed; on Windows you need to install it yourself. Now, to set up SSL, we need to modify httpd.conf, located at:
To modify the httpd.conf file we will use the nano text editor. The commands may need root permissions, so add "sudo" in front of them.
$ cd /etc/apache2/
$ sudo nano httpd.conf
Find the following line and uncomment it. In case you are not sure, comments have a leading pound/hash symbol (#); just remove it.
LoadModule ssl_module libexec/apache2/mod_ssl.so
Save the file using Ctrl+X, type 'yes' and press Return.
The last step is to configure httpd-ssl.conf, which is located at:
To modify the httpd-ssl.conf file we will again use the nano text editor.
$ cd /etc/apache2/extra
$ sudo nano httpd-ssl.conf
Add the following NameVirtualHost directive:
You can specify your own port number. The default is 443.
Also configure your default virtual host:
SSLProtocol all -SSLv2
You can either copy the certificate and key to the directory or point the certificate file and key file settings at a directory of your own.
Additional virtual host setup (not required for a test server):
To set up a new virtual host, enable SSL in your vhost directive:
Options FollowSymLinks Indexes
SSLProtocol all -SSLv2