Secure Domain: OpenSSL + APACHE2 = HTTPS

We're trying to build UI Blog using WordpressMU. Right now it has been set with reverse dns, with the same FQDN with my blog machine here. So, because I can't access my running blog, I'll just put the detail here. So, I have warned you that the following is for true believers coz it would be godly language to some of you. :))

My first objective is to run a secure websvn for my docs. So, I digged for the capability of Apache using SSL/TLS connection (https). Thanks to Van's Apache SSL/TLS mini-HOWTO, I could figure out an interesting part: creating a good signing scheme. Eventually, another psycho idea pops: to create a PKI. Wow, another one pops: integrate it with UI SmartCard. Yeah, we'll be the first university in Indonesia to do so! Ups, another one pops: create web applications connect it to... ah never mind, it's part of my intellectual properties, hehehe....

Well, the steps (IP-related is not real):

#1 Install basic debian using debootstrap

#> xen-create-image --hostname=svn.ada.deh --ip= --debootstrap --password --boot

The command will give you the guest console so you would be able to login, but if you aren't convenient with that, you just ignore the --boot and start the guest yourself:

#> xm create svn.ada.deh.cfg <-- the cfg prefix is automatically added by xen-tools

Up to this point, it is assumed that we are already in the guest's tty (either via ssh or xen console). Ah, for the sake of complete tutorial (duh, since when this becomes a tutorial? This is a documentation. Well, supposed to... ;P ):

# ssh -l root

#2 Install apache2 and openssl:

# apt-get install apache2 openssl file


#3 Create key + certificate:

# mkdir /etc/apache2/ssl && cd /etc/apache2/ssl
NOTE: you could put your key else where, this is just for the sake of administration.
The key:
#openssl genrsa -des3 -out svn.ada.deh.key 2048

The certificate:
# openssl req -new -x509 -days 3650 -key svn.ada.deh.key -out svn.ada.deh.crt

And the confirmation:
# openssl x509 -in svn.ada.deh.crt -text -noout

#4 Set the Apache:

Enable SSL:
# a2enmod ssl

# echo "Listen 443" >> /etc/apache2.conf
NOTE: https uses port 443.

Create the site, in this example I use /home/sites/secure as the doc root:
# mkdir -p /home/sites/secure
# cat > /etc/apache2/sites-available/ssl << ?
> NameVirtualHost *:443
> ServerName svn.ada.deh
> ServerAdmin orangKeren@ada.deh
> DocumentRoot /home/sites/secure
> Option indexes
> AllowOverride None
> Allow from all
> order allow, deny
> SSLEngine On
> SSLCertificateFile /etc/apache2/ssl/svn.ada.deh.crt
> SSLCertificateKeyFile /etc/apache2/ssl/svn.ada.deh.key

> ?
I don't know how the typo result, because the Blogger editor errors, but you'll get the point in the three lines containing SSL*.

Enable the sites:
# /etc/init.d/apache2 restart

You'll be prompted with password, insert the passphrase of you key and you'll be fine.

The end.


  1. buruan di publish :P


  3. @iang:
    publish apanya?

    Bertobatlah hai manusia... :))

  4. good job, do that and the international rank of UI will be increased :D


Post a Comment

Popular Posts