
HTTPS and Apache with SSL
Okay, I don't like writing guides, and I'm sure there are better ways to accomplish this and that the content could be better, but as they say, patches are welcome.
I try not to be overly technical and, as a result, may be glib or skip over some things on occasion. Basically I'm apathetic and don't care.
HTTPS is a secured version of the HTTP protocol; the acronym stands for Hypertext Transfer Protocol over Secure Sockets Layer. Its syntax and commands are identical to HTTP's, and it operates on port 443. HTTPS encrypts its communication using certificates.
HTTPS uses a Public Key Infrastructure: it requires two keys to encrypt communication, a public key known to all and a private key known only to the recipient.
In an HTTPS conversation the browser checks the certificate to make sure the site is who it says it is. Then the browser and server determine the best interim encryption type the browser can use, so that the most secure communication both still understand can be established; this is used until PKI communication can be established. After this the browser and server each send unique information to use when encrypting data; PKI communication is now established and data can be sent. There are some caveats and individual configuration options.
Essentially though, the elaborated standard handshake process would be as such:
- The handshake is used to synchronise the server and client on the encryption methods and keys that will be used for the conversation.
- The initiating web browser sends its available encryption methods. This contains the type of encryption, random data to use when encrypting, along with other SSL information.
- The server then sends its SSL certificate, public key and its own random data.
- The browser checks the certificate's expiration, authority and the information received from the server regarding the domain.
- At the browser, what is called a premaster secret is created; it is a random key conforming to all information exchanged before. This is then sent to the server.
- Both the browser and server now create a master secret, which is used to create session keys. These keys are used to encrypt and decrypt communication.
- With the master secret established, browser and server authenticate all previously exchanged information.
- The browser then tells the server it will begin using the new session key and verifies that the server has finished its part in establishing encryption.
- The server then tells the browser it will begin using the new session key and verifies that the browser has finished its part in establishing encryption.
- The handshake has now finished and secure communication can begin.
Many steps in this guide can be done in other ways; the particular ones used I have chosen for various reasons, but those reasons are beyond the scope of this guide and will not be explained in much detail. I will also make the guide accessible by using the easiest, most user-friendly methods (editor etc.). I will try to be as concise as required and not go into too much detail, as I have a tendency to do.
The particular system I am writing this guide from has an IP address of 10.0.0.137 and a hostname of linux37.
From a Debian Etch system where everything else has been configured correctly (networking, hosts aliases etc.), do the following:
- From a root prompt, or with root access, type the following:
    apt-get install apache2 openssl ssl-cert
  Although some of the packages may already be installed, this will ensure they are up to date. When prompted to install any extra packages, choose yes.
- Using your preferred editor, open /etc/apache2/apache2.conf (if you have no preferred editor: gedit /etc/apache2/apache2.conf). Anywhere in the file insert the following, each on a new line, making changes as required:
    ServerName localhost
    ServerName "127.0.0.1"
    ServerName "10.0.0.137"
  These entries define the server's name and will remove any errors about Apache not being able to determine it. This is the only change made to the apache2.conf file. Insert your own details as required.
- We will now create the root directories for both the HTTP and HTTPS sites. Issue the following command:
    mkdir /var/www/http /var/www/https
  These directories will store the respective sites and you can copy your test files into each; in my case two files, each named index.html.
- Before creating the HTTPS site we will get the HTTP site up and running. From a root terminal and using your preferred editor, edit /etc/apache2/sites-available/default with your appropriate configuration. In my case the file looks as such:
NameVirtualHost *:80
<VirtualHost *:80>
    DocumentRoot /var/www/http/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        deny from all
    </Directory>
    <Directory /var/www/http/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/error.log
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On
</VirtualHost>
This is a virtual host configuration file, and in many ways the format could be compared to XML or HTML tags. Many of the options in this file are self-explanatory and can be understood just by skimming the documentation; I will not elaborate on them here.
- Before configuring SSL we need to generate the appropriate keys and certificates.
- The first step is to set up the CA. The CA allows you to sign an SSL certificate so that anyone who has the necessary CA data can verify its integrity. From a root terminal issue the following command to generate the CA key:
    openssl genrsa -des3 -out my-ca.key 2048
  You will be prompted to choose a passphrase for this key; the questions regarding the certificate, owner, organisation etc. come with the certificate request steps below, and I won't go into detail on them.
- We now create the CA certificate. From a root terminal issue the following command:
    openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt
  Again you will be prompted to answer questions.
- To generate a server certificate we first need to generate a certificate signing request to pass to the CA. The signing request is then signed by the CA to create the certificate. From a root terminal issue the following command, answering any questions appropriately:
    openssl req -new -out server.csr
  (With no -key given, this also generates a new passphrase-protected private key in privkey.pem alongside the request.)
- Now we create the server key from that private key without a password; we do this so that we are not prompted for the password every time the server is rebooted. From a root terminal issue the following command, answering any questions appropriately:
    openssl rsa -in privkey.pem -out server.key
- Finally we sign the server certificate request with the local CA key to create the server certificate. From a root terminal issue the following command, answering any questions appropriately:
    openssl x509 -req -in server.csr -out server.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650
- With the certificates and keys generated they now need to be installed. We begin by setting permissions; at a root terminal issue the following command:
    chmod 0400 *.key
- We then create the server key and certificate directories; at a root terminal issue the following command:
    mkdir /etc/apache2/ssl.cert /etc/apache2/ssl.key
- Now we copy the keys and certificates across to the server configuration. At a root terminal issue the following commands:
    cp server.key /etc/apache2/ssl.key/
    cp server.crt /etc/apache2/ssl.cert/
    cp my-ca.crt /etc/apache2/ssl.cert/
- The SSL module must now be enabled and the server reloaded. From a root terminal issue the following commands:
    a2enmod ssl
    /etc/init.d/apache2 force-reload
- We now need to configure the SSL site's virtual host. From a root terminal edit the following file: /etc/apache2/sites-available/ssl. If the file has any contents, replace them with the following:
NameVirtualHost *:443
<VirtualHost *:443>
    DocumentRoot /var/www/https/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        deny from all
    </Directory>
    <Directory /var/www/https/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/error.log
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl.cert/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    SSLCertificateChainFile /etc/apache2/ssl.cert/my-ca.crt
    SSLCACertificateFile /etc/apache2/ssl.cert/my-ca.crt
</VirtualHost>
This file is similar to the previous virtual host configuration, the only differences being the port to listen on, the document root and the pointers to the keys and certificates generated.
- The final step in configuring SSL is to enable the site with the following command issued as root:
    a2ensite ssl
Some sources seem to incorrectly advise you to edit the ports.conf file, but these settings are taken care of via the virtual host configuration. Others recommend that you edit /etc/apache2/sites-enabled/ssl to change individual site configurations; however, sites-enabled just contains links to sites-available, and while editing either is correct, I prefer pointing to the file's location and not being redirected by a link.
Apache, HTTP, HTTPS and SSL have all now been successfully configured. When testing you should receive a warning that the SSL certificate offered cannot be validated against a known certificate authority. In order to prevent this you can install your CA certificate (my-ca.crt, NOT my-ca.key) into the browser's trusted CA list. Once this is done you can browse the SSL site without warnings appearing. Most large organisations and institutions do this automatically to remove any burden or confusion from the user.
That's it, I'm done. Again, edits or improvements welcome.
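As an added example (not part of the original guide): the certificate steps above, from the CA key through to the signed server certificate, collected into one non-interactive shell script so that the whole chain can be generated and checked in one go before anything is copied into /etc/apache2. The subject names, the passphrases passed in as arguments, the scratch directory and the hostname linux37 are placeholders I have chosen, not values from the guide. It departs from the guide's commands in two places a current browser will care about: the server certificate is signed with -sha256 rather than -sha1, since SHA-1 signatures are no longer accepted, and a subjectAltName is added because browsers now match the hostname against that extension rather than the CN. The checks at the end (chain verification against my-ca.crt and a modulus comparison between server.key and server.crt) catch the two most common mistakes: a server certificate that was not actually signed by the CA you installed in the browser, and a key file that does not belong to the certificate, which is what makes Apache refuse to start with a key mismatch.

```shell
#!/bin/sh
# Added example: the guide's CA and server certificate steps, run
# non-interactively so the whole chain can be built and checked in one go.
# Everything here is constructed for illustration: the subject names, the
# passphrases passed in as arguments and the hostname are placeholders, and
# the working directory is whatever the caller passes in.
set -eu

# Guide steps 1-2: a passphrase-protected CA key (-des3, as in the guide)
# and a self-signed CA certificate valid for ten years.
make_ca() {
    dir=$1; capass=$2
    openssl genrsa -des3 -passout "pass:$capass" -out "$dir/my-ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/my-ca.key" -passin "pass:$capass" \
        -subj "/O=Example Home CA/CN=Example Home Root CA" -out "$dir/my-ca.crt"
    chmod 0400 "$dir/my-ca.key"
}

# Guide steps 3-5: a CSR plus passphrase-protected privkey.pem (the guide lets
# 'openssl req -new' create this implicitly; here -newkey makes it explicit),
# an unencrypted server.key so Apache can start unattended, and the CA-signed
# server.crt. Changes from the guide: -sha256 instead of -sha1, and a
# subjectAltName so current browsers accept the hostname.
make_server_cert() {
    dir=$1; capass=$2; keypass=$3; host=$4
    openssl req -new -newkey rsa:2048 -keyout "$dir/privkey.pem" -passout "pass:$keypass" \
        -subj "/CN=$host" -out "$dir/server.csr" 2>/dev/null
    openssl rsa -in "$dir/privkey.pem" -passin "pass:$keypass" -out "$dir/server.key" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -out "$dir/server.crt" -sha256 \
        -CA "$dir/my-ca.crt" -CAkey "$dir/my-ca.key" -passin "pass:$capass" \
        -CAcreateserial -days 3650 -extfile "$dir/san.ext" 2>/dev/null
    # The guide's 'chmod 0400 *.key' step, applied to both private key files.
    chmod 0400 "$dir/server.key" "$dir/privkey.pem"
}

# Does server.crt chain to my-ca.crt? This is the same check a browser makes
# once my-ca.crt is in its trusted CA list. Exit status 0 means yes.
verify_chain() {
    openssl verify -CAfile "$1/my-ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Is the private key in $2 the other half of the public key in certificate $1?
# Compares the RSA modulus of each; a mismatch is what Apache reports as
# "key values mismatch" when the wrong file is copied into ssl.key.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null || true)
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null || true)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Permission string of a file, to confirm the 0400 step took effect.
key_mode() {
    ls -l "$1" | cut -c1-10
}

# After the files are installed and the site enabled: does the live server
# present a certificate that validates against our CA for this hostname?
check_live_server() {
    host=$1; cafile=$2
    openssl s_client -connect "$host:443" -servername "$host" -CAfile "$cafile" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Stand-alone run: build a throwaway set in a scratch directory and report.
demo() {
    work=$(mktemp -d)
    make_ca "$work" ca-secret
    make_server_cert "$work" ca-secret key-secret linux37
    verify_chain "$work" && echo "server.crt chains to my-ca.crt"
    key_matches_cert "$work/server.crt" "$work/server.key" && echo "server.key matches server.crt"
    echo "server.key mode: $(key_mode "$work/server.key")"
    echo "files are in $work (copy into /etc/apache2/ssl.key and ssl.cert as the guide describes)"
}
demo
```

Run it as is to produce a throwaway CA and server certificate in a temporary directory; to make a real set, call make_ca and make_server_cert with a directory of your choice and copy the results into ssl.key and ssl.cert as the guide describes. Once the site is enabled, check_live_server linux37 my-ca.crt succeeds only when the running server presents a certificate that validates against your CA, which is the command-line equivalent of the browser test above.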
