Apache SSL Configuration

For more detailed information, please see the official Apache server documentation.

Enabling SSL Encryption

After obtaining a signed certificate (e.g. www.example.com.crt.pem), Apache can be configured to use this certificate to identify itself and to encrypt traffic with the matching private key (e.g. www.example.com.key.pem). Suppose that these files are stored in /etc/apache2/ssl/ along with our CA's certificate (or the chained certificate if using an intermediate CA).

To enable SSL encryption (HTTPS) for a particular site in Apache, enable mod_ssl and add the following to the site's configuration (be sure to Listen 443):

<VirtualHost *:443>
    # ...

    SSLEngine on

    SSLCertificateFile /etc/apache2/ssl/www.example.com.crt.pem
    SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key.pem

    # replace with ca-chain.crt.pem if using an intermediate CA
    SSLCertificateChainFile /etc/apache2/ssl/ca.crt.pem
</VirtualHost>

Enabling Client-Side SSL Authentication

To force all users to present a client certificate for authentication (and otherwise deny access), add the following to your site configuration:

<VirtualHost *:443>
    # ...

    # replace with ca-chain.crt.pem if using an intermediate CA
    SSLCACertificateFile /etc/apache2/ssl/ca.crt.pem

    SSLVerifyClient require
    SSLVerifyDepth 2
</VirtualHost>

Specifying a Client CRL

The following configuration tells Apache to check client certificates against a CRL and reject any that have been revoked. Note that the CRL is given with SSLCARevocationFile (not SSLCACertificateFile, which holds the trusted CA certificates), and that on httpd 2.4 SSLCARevocationCheck must be set, since its default of none means the CRL is never consulted.

<VirtualHost *:443>
    # ...

    SSLCARevocationFile /etc/pki/CA/crl/crl.pem
    # required on httpd 2.4; "chain" also checks intermediate CA certificates
    SSLCARevocationCheck chain
</VirtualHost>
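As an added example (not part of the original page or of Apache itself), the following Python script audits a <VirtualHost> block for the pitfalls in the two sections above: client authentication that is merely optional, a verify mode with no trusted CA, and a CRL that is configured but never consulted. The sample configuration is constructed for the demonstration; the directive names and the httpd 2.4 default of SSLCARevocationCheck none are real.

```python
import re
from typing import Dict, List

# Constructed sample vhost: looks complete, but the CRL is silently ignored on httpd 2.4.
SAMPLE_VHOST = """
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/www.example.com.crt.pem
    SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key.pem
    SSLCACertificateFile /etc/apache2/ssl/ca.crt.pem   # trusted client CA
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCARevocationFile /etc/pki/CA/crl/crl.pem
</VirtualHost>
"""

DIRECTIVE_RE = re.compile(r"^\s*(SSL\w+)\s+(.+?)\s*$", re.IGNORECASE)


def parse_ssl_directives(vhost_text: str) -> Dict[str, str]:
    """Collect SSL* directives of one <VirtualHost> block; a later repeat overrides an earlier one."""
    found: Dict[str, str] = {}
    for line in vhost_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        match = DIRECTIVE_RE.match(line)
        if match:
            found[match.group(1).lower()] = match.group(2)
    return found


def audit_client_auth(directives: Dict[str, str]) -> List[str]:
    """Return human-readable findings where the vhost does not enforce what it appears to."""
    findings: List[str] = []
    if directives.get("sslengine", "off").lower() != "on":
        findings.append("SSLEngine is not on: this vhost will not serve TLS at all")
    mode = directives.get("sslverifyclient", "none").lower()
    if mode != "require":
        findings.append(f"SSLVerifyClient is '{mode}': clients without a certificate are not rejected")
    if mode != "none" and not ({"sslcacertificatefile", "sslcacertificatepath"} & directives.keys()):
        findings.append("client verification enabled but no SSLCACertificateFile/Path: no trusted client CA")
    if {"sslcarevocationfile", "sslcarevocationpath"} & directives.keys():
        if directives.get("sslcarevocationcheck", "none").lower() == "none":
            findings.append("SSLCARevocationCheck is none (httpd 2.4 default): the configured CRL is never consulted")
    elif mode != "none":
        findings.append("client verification without a CRL: revoked client certificates are still accepted")
    return findings


def audit_vhost(vhost_text: str) -> List[str]:
    """Convenience wrapper: parse then audit a single <VirtualHost> block."""
    return audit_client_auth(parse_ssl_directives(vhost_text))
```

Running audit_vhost(SAMPLE_VHOST) reports only the missing SSLCARevocationCheck; adding "SSLCARevocationCheck chain" to the block makes the audit come back clean.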