Apache Http Ssl

Posted on  by admin

Online, it is crucial for your visitors to know that the connection is secure. SSL certificates are commonly used to encrypt the connection to your website. Webmasters can buy SSL certificates from web hosting companies that sell offerings from premium vendors such as GeoTrust, Verisign, and others.

Assuming you have Apache and OpenSSL installed, the steps below generate a private key and a CSR for a domain and then set up the SSL certificate.

HttpClient provides full support for HTTP over Secure Sockets Layer (SSL) or IETF Transport Layer Security (TLS) protocols by leveraging the Java Secure Socket Extension (JSSE). JSSE has been integrated into the Java 2 platform as of version 1.4 and works with HttpClient out of the box. How to ignore SSL certificate (trust all) for Apache HttpClient 4.3? All the answers that I have found on SO treat previous versions, and the API changed.

First, generate the RSA key and CSR (certificate signing request)

[root@server root]# cd /etc/httpd/conf/ssl.key

Generate the RSA private key without a passphrase (I recommend this; otherwise, whenever Apache restarts, someone has to enter the passphrase, which can leave the server offline until they do). Use 2048 bits, since public CAs no longer issue certificates for 1024-bit RSA keys:

[root@server /etc/httpd/conf/ssl.key]# openssl genrsa -out yourdomain.key 2048


Or generate the RSA private key with a passphrase. You will be prompted to enter the passphrase right after you hit enter.

[root@server /etc/httpd/conf/ssl.key]# openssl genrsa -des3 -out yourdomain.key 2048

You should generally NOT generate the RSA private key with a passphrase if you have scripts that restart Apache automatically in case of a crash or otherwise. If there is a passphrase, Apache will just sit there and wait for the passphrase to be entered, which means downtime, and downtime usually equals bad.

Next, generate the CSR using the RSA private key, then move it to the ssl.csr directory

[root@server /etc/httpd/conf/ssl.key]# openssl req -new -key yourdomain.key -out yourdomain.csr

[root@server /etc/httpd/conf/ssl.key]# mv yourdomain.csr ../ssl.csr

You will be asked to enter your Common Name, Organization, Organization Unit, City or Locality, State or Province and Country.

Do not enter these characters ‘< > ~ ! @ # $ % ^ * / ( ) ?.,&’ because they will not be accepted.

Common Name: the domain for the web server (e.g. MYdomain.com)

Organization: the name of your organization (e.g. YUPAPA)

Organization Unit: the section of the organization (e.g. Sales)

City or Locality: the city where your organization is located (e.g. Flanders)

State or Province: the state / province where your organization is located (e.g. New Jersey)

Country: the country where your organization is located (e.g. US)

You may be asked for an email address and a challenge password. I usually just hit enter.

Now you should have:



Be sure to always make a backup copy of your private key! If you lose it, you’ll have to purchase a new cert!

Now you need to submit your CSR to your provider, and they will mail you the certificate. They usually also send you a confirmation email before the certificate is sent out.
Now that you have the certificate...

Installing the Certificate for Apache

[root@server root]# cd /etc/httpd/conf/ssl.crt

Copy the certificate that they mailed you to yourdomain.crt

Open your httpd.conf file and add the following to your VirtualHost block

<VirtualHost 209.123.546.123:443>

# other config details

SSLEngine on

SSLCertificateFile /etc/httpd/conf/ssl.crt/yourdomain.crt

SSLCertificateKeyFile /etc/httpd/conf/ssl.key/yourdomain.key

</VirtualHost>


Restart Apache

OPTION 1 [root@server /etc/httpd/conf/ssl.crt]# apachectl restart

OPTION 2 (using the sh script) [root@server /etc/httpd/conf/ssl.crt]# /etc/rc.d/init.d/httpd restart

You may be asked to enter the passphrase IF you generated the RSA key with a passphrase. If you do NOT want to be asked for a passphrase when restarting Apache, rewrite your RSA key file without the passphrase:

[root@server /etc/httpd/conf/ssl.crt]# cd ../ssl.key

[root@server /etc/httpd/conf/ssl.key]# mv yourdomain.key yourdomain.key.has-passphrase

[root@server /etc/httpd/conf/ssl.key]# openssl rsa -in yourdomain.key.has-passphrase -out yourdomain.key

And then restart Apache again

[root@server /etc/httpd/conf/ssl.key]# /etc/rc.d/init.d/httpd restart

Now you should be able to access https://yourdomain.com
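
A check worth running before the restart, as an added example that is not part of the original post: it confirms the key is 2048-bit and that the key, the CSR and the certificate all carry the same public key. It works in a temporary directory and uses a self-signed certificate as a constructed stand-in for the one the provider mails back; the function names and stale.key are illustrative.

```shell
#!/bin/sh
# Added example: runs in a throwaway directory, touches nothing under /etc/httpd.

# SHA-256 of the public key inside a .key, .csr or .crt file; fails on bad input.
pubkey_hash() {
    case "$1" in
        *.key) pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) ;;
        *.csr) pem=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) ;;
        *.crt) pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ;;
        *)     return 2 ;;
    esac || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# True only when both files parse and carry the same public key.
same_key() {
    a=$(pubkey_hash "$1") && b=$(pubkey_hash "$2") && [ "$a" = "$b" ]
}

# RSA modulus size in bits, read from the key's text dump.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1
}

# Constructed fixtures in directory $1: key, CSR, a self-signed stand-in for
# the CA's reply, and an unrelated key playing "wrong file left in ssl.key".
make_demo_files() (
    umask 077                          # key files are created owner-only
    cd "$1" || exit 1
    openssl genrsa -out yourdomain.key 2048 2>/dev/null
    openssl genrsa -out stale.key 2048 2>/dev/null
    openssl req -new -key yourdomain.key -out yourdomain.csr \
        -subj '/C=US/ST=New Jersey/L=Flanders/O=YUPAPA/OU=Sales/CN=yourdomain.com'
    openssl x509 -req -in yourdomain.csr -signkey yourdomain.key \
        -out yourdomain.crt -days 1 2>/dev/null
)

dir=$(mktemp -d) && make_demo_files "$dir"
echo "key size: $(key_bits "$dir/yourdomain.key") bits"
same_key "$dir/yourdomain.key" "$dir/yourdomain.csr" && echo "CSR matches key"
same_key "$dir/yourdomain.key" "$dir/yourdomain.crt" && echo "certificate matches key"
same_key "$dir/stale.key" "$dir/yourdomain.crt" || echo "stale.key mismatch: do not restart"
rm -rf "$dir"
```

Against the real files, run same_key on yourdomain.key and the yourdomain.crt from your provider, then apachectl configtest, before restarting Apache.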


Customizing SSL in HttpClient

The default behaviour of HttpClient is suitable for most uses; however, there are some aspects which you may want to configure. The most common requirements for customizing SSL are:

  • Ability to accept self-signed or untrusted SSL certificates. This is highlighted by an SSLException with the message Unrecognized SSL handshake (or similar) being thrown when a connection attempt is made.
  • You want to use a third party SSL library instead of Sun's default implementation.


Implementation of a custom protocol involves the following steps:


  1. Provide a custom socket factory that implements org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory interface. The socket factory is responsible for opening a socket to the target server using either the standard or a third party SSL library and performing any required initialization such as performing the connection handshake. Generally the initialization is performed automatically when the socket is created.

  2. Instantiate an object of type org.apache.commons.httpclient.protocol.Protocol. The new instance would be created with a valid URI protocol scheme (https in this case), the custom socket factory (discussed above) and a default port number (typically 443 for https). For example:

    The new instance of protocol can then be set as the protocol handler for a HostConfiguration. For example to configure the default host and protocol handler for a HttpClient instance use:

  3. Finally, you can register your custom protocol as the default handler for a specific protocol designator (e.g. https) by calling the Protocol.registerProtocol method. You can specify your own protocol designator (such as 'myhttps') if you need to use your custom protocol as well as the default SSL protocol implementation.

    Once registered, the protocol can be used as a 'virtual' scheme inside target URIs.

    If you want this protocol to represent the default SSL protocol implementation, simply register it under the 'https' designator, which will make the protocol object take the place of the existing one.