Configuring Mutual SSL on Apache HTTP Server

This section explains the steps to enable mutual SSL on Apache HTTP server.

Enabling mutual SSL requires an Apache HTTP server with the mod_ssl module loaded.

To use the mod_ssl module with the Apache HTTP server, ensure that the following prerequisites are met:

Prerequisites

  • OpenSSL is installed on the Apache server's host computer.
  • An RSA private key in PEM format is available to be used by the Apache HTTP server.
  • A digital certificate in PEM format is available that identifies the Apache HTTP server and includes the public key that corresponds to the Apache HTTP server’s private key. To ensure the integrity of the certificate, it must be signed by a party that every client trusts. For details, see Generate Private Keys And Public Certificates with OpenSSL.

To configure mutual SSL on the Apache HTTP server, follow these steps:

Procedure

  1. Ensure that the mod_ssl module is available and enabled on the Apache HTTP server installation. To enable the mod_ssl module, follow these steps:
    1. Open the APACHE_HOME/conf/httpd.conf file for editing.
    2. Uncomment the following directive in the httpd.conf file, if commented. If this directive does not exist, add it in the file:

         LoadModule ssl_module APACHE_ROOT/modules/mod_ssl.so

      where APACHE_ROOT is the actual path of the Apache HTTP server installation that is to be SSL enabled.

    3. Uncomment the following line in the file:

      #Include conf/extra/httpd-ssl.conf

    4. Save the changes in the file.
  2. Open the APACHE_HOME/conf/extra/httpd-ssl.conf file for editing.
    1. Set the values for the specified directives (if not already set), as follows:

      SSLEngine on

      SSLCertificateFile "Name_of_Server_public_certificate"

      SSLCertificateKeyFile "Name_of_Server_private_key"

      SSLCACertificateFile "Name_of_CA_Certificate"

      SSLVerifyClient require

      SSLVerifyDepth 1

      For example:

      SSLCertificateFile "C:\apache2\conf\server.crt"
      SSLCertificateKeyFile "C:\apache2\conf\server.key"
      SSLCACertificateFile "C:\apache2\certs\myrootca.crt"
      Note:
      • For details on each of the SSL specific properties, refer to the Apache HTTP server SSL documentation.
      • The value of SSLVerifyDepth is set to 1 because only one level of certificate verification is performed: the client certificate must be signed directly by the single CA you have configured, which is the root CA.
    2. Set the Listen directive if you want to change the default port value for the SSL requests:

      Listen listening_port_value

      • The default port for SSL/TLS requests on the Apache HTTP server is 443. The regular (plain HTTP) Apache server listens on port 80, so there is no conflict between a regular Apache listening on port 80 and an SSL/TLS enabled Apache listening on port 443. Plain HTTP and SSL/TLS can be served by the same Apache server instance, usually by defining separate virtual hosts, one listening on port 80 and one on port 443.
      • When the default port 443 is used, you access the machine using https://<machine-name>:443/../.. If the port is changed to 8443, the access link is https://<machine-name>:8443/..
      Note:
      • Ensure that the firewall allows inbound connections to the listening_port_value specified in the Listen directive.
    3. Ensure that the global SSL configuration directives are defined as follows:
            LoadModule ssl_module C:/apache2/modules/mod_ssl.so
            SSLRandomSeed startup builtin
            SSLRandomSeed connect builtin
            AddType application/x-x509-ca-cert .crt
            AddType application/x-pkcs7-crl .crl
            SSLPassPhraseDialog builtin
            SSLSessionCache "shmcb:c:/apache2/logs/ssl_scache(512000)"
            SSLSessionCacheTimeout 300
            SSLMutex default
      Note: In Apache HTTP Server 2.4 and later the SSLMutex directive has been removed and replaced by the generic Mutex directive; on those versions use "Mutex default" instead, otherwise the server refuses to start with an unknown-directive error.
    4. Ensure that the SSL related directives are defined as follows and set per virtual host instance basis:
            SSLEngine on
            SSLProtocol all -SSLv2
            SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
            SSLCertificateFile "Name_of_Server_public_certificate"
            SSLCertificateKeyFile "Name_of_Server_private_key"
      Note: Ensure that you have copied the private key and the server’s digital certificate to the locations specified in the SSLCertificateKeyFile and SSLCertificateFile directives.
  3. Save the changes made to the APACHE_HOME/conf/extra/httpd-ssl.conf file.
  4. Copy the CA certificate to the location specified in the SSLCACertificateFile directive of the Apache server configuration.
  5. Verify that the SSL configuration is working.
    1. Open a web browser window.
    2. Enter the following URL to verify the connection to the Apache HTTP server:
            https://machine_name:listening_port_value

      For example,

      https://<machine-name>:8443

    3. Verify that the connection to the Apache HTTP server is successful.
    Note: When you open a secure connection to the Apache server for the first time, the browser displays a message indicating that the server presented an untrusted certificate. Accept the certificate by clicking Yes; the following message should then be displayed: "It works!".
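As an added example (not part of the original instructions), the following Python script shows the complete mutual-SSL virtual host that the procedure above produces, placed next to a server-only configuration, and checks both the way a reviewer would before restarting the server: it parses the SSL directives and reports anything that leaves client authentication off or weak. Both configurations, the host name www.example.com, the port 8443 and the C:/apache2 paths are constructed for this example; the protocol list in the mutual-SSL host goes beyond the page's "all -SSLv2" by also disabling SSLv3, TLSv1 and TLSv1.1, which are deprecated.

```python
"""Checker for the mutual-TLS directives in an Apache httpd-ssl.conf.

Added example; not code from the original documentation. The two
configurations below are constructed for this script.
"""
import shlex

# Constructed sample: the virtual host as the procedure above leaves it.
# Apache on Windows accepts forward slashes in paths, which avoids
# backslash escaping problems in quoted strings.
MUTUAL_TLS_VHOST = """
Listen 8443
<VirtualHost _default_:8443>
    ServerName www.example.com:8443
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile "C:/apache2/conf/server.crt"
    SSLCertificateKeyFile "C:/apache2/conf/server.key"
    SSLCACertificateFile "C:/apache2/certs/myrootca.crt"
    SSLVerifyClient require
    SSLVerifyDepth 1
</VirtualHost>
"""

# Constructed sample: TLS is on, but the client is never required to
# authenticate, and old protocols / anonymous ciphers remain enabled.
SERVER_ONLY_VHOST = """
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:aNULL
    SSLCertificateFile "C:/apache2/conf/server.crt"
    SSLCertificateKeyFile "C:/apache2/conf/server.key"
    SSLVerifyClient optional
</VirtualHost>
"""

KNOWN_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(text):
    """Return {lower-cased directive name: [arguments]} for one config block.

    Comments and <VirtualHost> section tags are skipped; a directive that
    appears twice keeps its last value, as Apache does within one scope.
    shlex.split removes the quotes Apache allows around path arguments.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = shlex.split(line)
        found[parts[0].lower()] = parts[1:]
    return found


def enabled_protocols(tokens):
    """Apply the SSLProtocol grammar: 'all' or a bare name enables, '+name'
    enables, '-name' disables, and later tokens override earlier ones.
    (Approximation: 'all' is treated as every version listed above.)"""
    enabled = set()
    for tok in tokens:
        sign, name = ("-", tok[1:]) if tok.startswith("-") else ("+", tok.lstrip("+"))
        names = set(KNOWN_PROTOCOLS) if name.lower() == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled


def check_mutual_tls(text):
    """Return a list of findings; an empty list means the host requires a
    client certificate chained to the configured CA with no weak settings."""
    d = parse_directives(text)
    findings = []
    if d.get("sslengine", ["off"])[0].lower() != "on":
        findings.append("SSLEngine is not 'on': TLS is disabled for this host")
    verify = d.get("sslverifyclient", ["none"])[0].lower()
    if verify != "require":
        findings.append(f"SSLVerifyClient is '{verify}': clients without a "
                        "certificate are still accepted")
    if "sslcacertificatefile" not in d:
        findings.append("SSLCACertificateFile missing: no CA to validate "
                        "client certificates against")
    depth = d.get("sslverifydepth", ["1"])[0]
    if depth.isdigit() and int(depth) > 1:
        findings.append(f"SSLVerifyDepth {depth}: chains longer than the "
                        "single root CA are accepted")
    for name in ("sslcertificatefile", "sslcertificatekeyfile"):
        if name not in d:
            findings.append(f"{name} missing: server cannot present its identity")
    weak = sorted(enabled_protocols(d.get("sslprotocol", ["all"])) & WEAK_PROTOCOLS)
    if weak:
        findings.append("SSLProtocol still enables " + ", ".join(weak))
    ciphers = d.get("sslciphersuite", ["DEFAULT"])[0].split(":")
    if "!aNULL" not in ciphers:
        findings.append("SSLCipherSuite does not exclude aNULL: anonymous "
                        "(unauthenticated) key exchange may be negotiated")
    return findings


if __name__ == "__main__":
    for label, cfg in (("mutual TLS", MUTUAL_TLS_VHOST), ("server only", SERVER_ONLY_VHOST)):
        print(f"{label}: {check_mutual_tls(cfg) or 'OK'}")
```

Run the script to see the server-only host flagged on every point the procedure addresses (SSLVerifyClient, SSLCACertificateFile, protocols, ciphers) while the mutual-TLS host passes. Two caveats when you move on to the browser check in step 5: with SSLVerifyClient require, the handshake fails unless the browser has a client certificate signed by the CA in SSLCACertificateFile installed, so verify with such a certificate in place; and the page's "SSLProtocol all -SSLv2" still permits SSLv3 and TLS 1.0/1.1, which the sample host above disables.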