Configure SSL for Apache2 on Debian 3.1 (sarge)

Authors: Brusten Philip & Van der Velpen Jan
Last modified: Monday, 07-Nov-2005 14:45:41 CET

This small guide describes a simple configuration to use SSL for Apache2 httpd on Debian GNU/Linux 3.1 (Sarge). At this point you should already have a running Apache2 on your Debian system. With some minor modifications you should be able to use this guide for any Apache2 running on any OS.

Configuration

NOTE: if you want to use a self-signed certificate, you can run the Debian-specific command apache2-ssl-certificate. It will create a private key and a matching self-signed certificate. Otherwise you should create a private key and a certificate yourself (it is recommended to create a certificate signing request and let a commercial CA sign it, so that browsers will trust the webserver by default). See this list of SSL commands to do that.
  1. Make a copy of /etc/apache2/sites-available/default in the same directory. Call it something like ssl.
    root# cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
  2. Make a symlink to this new site configuration from /etc/apache2/sites-enabled/. Notice that this is already done for default.
    root# ln -s /etc/apache2/sites-available/ssl /etc/apache2/sites-enabled/
  3. Make Apache load and configure the SSL module.
    root# ln -s /etc/apache2/mods-available/ssl.load /etc/apache2/mods-enabled/
    root# ln -s /etc/apache2/mods-available/ssl.conf /etc/apache2/mods-enabled/
  4. Add a Listen 443 directive to /etc/apache2/ports.conf
  5. Now edit /etc/apache2/sites-available/ssl:
    NameVirtualHost *:443
    <VirtualHost *:443>
      SSLEngine On
      SSLCertificateFile /etc/apache2/ssl/apache.pem
      ...
    </VirtualHost>
    
    If you are using a CA-signed certificate instead of a self-signed one (which is highly recommended), don't forget to add one of these lines so that your webserver can send the full certificate chain to the client (this is usually required for a browser/client to trust the server):
    SSLCertificateChainFile /usr/local/ssl/crt/intermediate.crt
    OR
    SSLCACertificatePath /full/path/to/apache/conf/certs
    
    note: the correct Ben-SSL directive is SSLCACertificateFile or SSLCACertificatePath
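
Steps 1 to 5 can be checked before Apache is restarted. The shell function below is an added example, not part of the original guide; the name check_ssl_setup is hypothetical, and it assumes the Debian layout under /etc/apache2 used above and an absolute path in SSLCertificateFile.

```shell
#!/bin/sh
# Added example: checks steps 1-5 of the guide. The root directory argument
# (default /etc/apache2) lets you check a staged copy of the configuration.
check_ssl_setup() {
    root="${1:-/etc/apache2}"
    site="$root/sites-available/ssl"
    fail=0
    note() { echo "FAIL: $1"; fail=$((fail + 1)); }

    # Steps 1 and 2: the site file exists and is enabled (-e follows the symlink).
    [ -f "$site" ] || note "$site is missing"
    [ -e "$root/sites-enabled/ssl" ] || note "sites-enabled/ssl is missing or dangling"

    # Step 3: both module files are linked into mods-enabled.
    for f in ssl.load ssl.conf; do
        [ -e "$root/mods-enabled/$f" ] || note "mods-enabled/$f is missing or dangling"
    done

    # Step 4: an uncommented Listen for port 443 (also accepts Listen addr:443).
    grep -Eiq '^[[:space:]]*Listen[[:space:]]+([^[:space:]#]*:)?443([[:space:]]|$)' \
        "$root/ports.conf" 2>/dev/null || note "no Listen 443 in ports.conf"

    # Step 5: directives in the ssl site file.
    if [ -f "$site" ]; then
        grep -Eiq '^[[:space:]]*<VirtualHost[[:space:]]+[^>]*:443>' "$site" \
            || note "no <VirtualHost ...:443> block"
        grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' "$site" \
            || note "SSLEngine is not On"
        # Assumption: the directive carries an absolute path without spaces.
        cert=$(sed -n 's/^[[:space:]]*SSLCertificateFile[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$site" | head -n 1)
        if [ -z "$cert" ]; then
            note "no SSLCertificateFile directive"
        elif [ ! -r "$cert" ]; then
            note "certificate file $cert is not readable"
        fi
        # Only a warning: a self-signed certificate has no chain to send.
        grep -Eq '^[[:space:]]*(SSLCertificateChainFile|SSLCACertificate(File|Path))[[:space:]]' "$site" \
            || echo "WARN: no chain directive (acceptable only for a self-signed certificate)"
    fi

    [ "$fail" -eq 0 ] && echo "OK: SSL site configuration looks complete"
    return "$fail"
}
```

Source the file and run check_ssl_setup as root before the restart; the return value is the number of failed checks.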

Restart Apache2:
root# /etc/init.d/apache2 restart
Restarting apache.

HTTPS should work now. Try: https://hostname/