How to set up HTTPS for your Apache2

February 23rd, 2009 by Blu:RayNe

Basic Information

First off, you need an SSL certificate for HTTPS. These certificates are usually checked by your browser against SSL providers such as VeriSign for validity. If the check fails, the website may have been replaced with a fake version by a hacker. As a result, your browser warns you that the certificate for the site is invalid and that the site was probably hacked or something similar (there was also a bug that produced invalid certificates on Debian Linux some time ago *G*).

Anyway, you can still add the certificate as an exception and get an SSL connection to the website, so no one can see what you are actually doing on that site or what data is being transferred (e.g. by your e-mail client), provided the certificate you accept really is the server's own.

Basic Setup

The easiest way to set this up is as follows (assuming Debian/Ubuntu and Apache2):

$ apt-get install openssl
$ mkdir -p /etc/apache2/ssl/
$ openssl req -new -x509 -days 365 -nodes -out /etc/apache2/ssl/server.crt -keyout /etc/apache2/ssl/server.key

Then add something like this to your Apache2-Configuration:

NameVirtualHost *:443

<VirtualHost *:443>

SSLEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
# SSLProtocol -all +TLSv1 +SSLv3
SSLProtocol all -SSLv2

[...]

</VirtualHost>

Basically, that’s it! Don’t forget to restart Apache, and note that SSLv2 is outdated and therefore insecure. Be aware of that when using MSIE browsers from Microsoft! So I just disallowed it in the example above. The example also sets options for using HTTP Basic Auth over HTTPS and for some SSL-specific Apache environment variables.

If Apache doesn’t start up, look under /var/log/apache2/ for error messages!

Extended Setup

Some snippets if you already have a server key, or want or need to create your own, to have it signed and so on. If you set a password for a server key – which is indeed required for security reasons – note that Apache asks for it on startup.

Create a server key

$ openssl genrsa -des3 -out server.key 1024

You can convert the secure key to an insecure one ("without password"):

$ openssl rsa -in server.key -out server.key.insecure

Create a certificate signing request (CSR) for your key by using this:

$ openssl req -new -key server.key -out server.csr

Then self-sign it with your own key:

$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

The same with the insecure key:

$ openssl x509 -req -days 365 -in server.csr -signkey server.key.insecure -out server.crt
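
A quick way to check a server.crt / server.key pair from the Basic or Extended Setup before handing it to Apache, written as an added example (not part of the original post): it verifies that certificate and key belong together and that a key without password is not accessible to other users. The function names and the example.test subject are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# example.test subject are assumptions of this example.

# Create a throwaway pair the way the Basic Setup command does
# (-subj only avoids the interactive questions).
make_pair() {   # usage: make_pair DIR
    openssl req -new -x509 -days 365 -nodes \
        -subj "/CN=example.test" \
        -out "$1/server.crt" -keyout "$1/server.key" 2>/dev/null
}

# True if the certificate carries the public key of this private key.
cert_matches_key() {   # usage: cert_matches_key CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# True if the key file is passphrase-protected; both PEM encodings
# of an encrypted key contain the word ENCRYPTED in their header.
key_is_encrypted() {   # usage: key_is_encrypted KEY
    grep -q 'ENCRYPTED' "$1"
}

# True if group and others have no permission bits on the key file.
key_mode_is_private() {   # usage: key_mode_is_private KEY
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Report on one pair; returns non-zero if something needs fixing.
check_pair() {   # usage: check_pair CERT KEY
    rc=0
    if key_is_encrypted "$2"; then
        echo "info: $2 is passphrase-protected, openssl will ask for it"
    elif ! key_mode_is_private "$2"; then
        echo "FAIL: unencrypted key is accessible to group/others: $2"
        rc=1
    fi
    if ! cert_matches_key "$1" "$2"; then
        echo "FAIL: $1 does not belong to $2"
        rc=1
    fi
    return $rc
}
```

Run `check_pair /etc/apache2/ssl/server.crt /etc/apache2/ssl/server.key` as root before restarting Apache; a key created with `-nodes` or converted to server.key.insecure should pass only after `chmod 600`.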
