Saturday, August 20, 2011

Configure Apache on localhost to use secure HTTP (HTTPS) using mod_ssl

For those who want to test their website on localhost over secure HTTP, here is how to configure Apache for testing purposes. I did this on Mac OS X 10.6 using Apache 2.2.

The guidelines provided by Apple are for an older version. We'll use them to generate the certificate and then configure Apache for the newer version.

> mkdir ~/keys
> cd ~/keys
> openssl genrsa -des3 -out server.key 1024
Remember the passphrase you provide here. It will be required in the next steps.

> openssl req -new -key server.key -out server.csr
The answers to all questions are straightforward, except for Common Name: you need to provide 127.0.0.1 (i.e. the server name).

> openssl genrsa -des3 -out ca.key 1024
For simplicity, keep the passphrase the same as the one used above.

> openssl req -new -x509 -days 365 -key ca.key -out ca.crt
This asks the same questions as the server.csr request above, but this time you can provide any dummy name for Common Name.

Find the sign.sh file if you have the mod_ssl package downloaded, or else retrieve it from the pkg.contrib folder of the latest version of the package. Copy sign.sh to the "keys" folder and make it executable.

> chmod +x sign.sh
> ./sign.sh server.csr

Say yes ("y") to the 2 questions

> sudo mkdir /etc/apache2/ssl.key
> sudo cp -r * /etc/apache2/ssl.key/

> cd /etc/apache2/ssl.key/
> sudo cp server.key server.key.original

> sudo openssl rsa -in server.key.original -out server.key

> sudo apachectl stop

> sudo vim /etc/apache2/httpd.conf

* You may want to make a backup before editing this

- Locate and comment out the Port directive that listens on 80
* Note - Commenting out this line forces the use of HTTPS only; leave it as is if you want to use both.

- Locate and uncomment the line LoadModule ssl_module libexec/apache2/mod_ssl.so

> sudo vim /etc/apache2/extra/httpd-ssl.conf
* Again, make a backup before editing

- Change ServerName from www.example.com to 127.0.0.1
- Provide your email id for ServerAdmin

- Under SSLCertification, provide the path to our own SSL certificate, i.e. SSLCertificateFile "/private/etc/apache2/ssl.key/server.crt"

- Also, set ServerKey with: SSLCertificateKeyFile "/private/etc/apache2/ssl.key/server.key"
- You may also set the other paths as per requirement

> sudo httpd -D SSL
> sudo apachectl start

And you now have https://127.0.0.1 running
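
To check the finished setup, here is a script that reads the two edited config files and reports: mod_ssl not loaded, certificate or key paths that do not exist, a passphrase-less key readable by group or others, a certificate that does not match its key, and an RSA key below 2048 bits. It is an added example, not part of the original post or of the mod_ssl package; the function names and the 2048-bit threshold are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# First active (uncommented) value of directive $2 in config file $1, quotes stripped.
directive_value() {
  awk -v d="$2" '$1 == d { v = $2; gsub(/"/, "", v); print v; exit }' "$1"
}

# True if group or others can read file $1.
loose_perms() {
  [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# True if PEM key $1 carries no passphrase (what "openssl rsa -in .. -out .." produces).
unencrypted_key() { ! grep -q ENCRYPTED "$1"; }

# RSA key size in bits of certificate $1 (needs the openssl CLI).
cert_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public.Key: (\([0-9]*\) bit.*/\1/p'
}

# True if certificate $1 and unencrypted RSA key $2 share a modulus (belong together).
pair_matches() {
  c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
  k=$(openssl rsa -in "$2" -passin pass: -noout -modulus 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# audit_ssl HTTPD_CONF SSL_CONF: one line per finding; exit status = number of findings.
audit_ssl() {
  n=0
  note() { echo "FINDING: $*"; n=$((n + 1)); }
  grep -Eq '^[[:space:]]*LoadModule[[:space:]]+ssl_module[[:space:]]' "$1" ||
    note "mod_ssl is not loaded in $1"
  crt=$(directive_value "$2" SSLCertificateFile)
  key=$(directive_value "$2" SSLCertificateKeyFile)
  [ -f "$crt" ] || note "SSLCertificateFile not found: ${crt:-unset}"
  [ -f "$key" ] || note "SSLCertificateKeyFile not found: ${key:-unset}"
  if [ -f "$key" ] && unencrypted_key "$key" && loose_perms "$key"; then
    note "$key has no passphrase and is readable by group/others"
  fi
  # Deeper checks need the openssl CLI and a key it can read without prompting.
  if [ -f "$crt" ] && [ -f "$key" ] && unencrypted_key "$key" && command -v openssl >/dev/null; then
    pair_matches "$crt" "$key" || note "$crt does not match $key"
    bits=$(cert_bits "$crt")
    [ "${bits:-0}" -ge 2048 ] || note "$crt has a ${bits:-unknown}-bit RSA key (below 2048)"
  fi
  return "$n"
}
# Usage: audit_ssl /etc/apache2/httpd.conf /etc/apache2/extra/httpd-ssl.conf
```

The 1024-bit keys generated by the commands above are reported by the last check.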