Apache HTTP Server Version 2.5
Apache HTTP Server Version 2.5
This is the how to guide for making your Apache httpd use encryption to transfer data between you and your visitors. Instead of http: links, your site will use https: ones and, if everything is setup correctly, people visiting your site will have their privacy better protected.
This How-To is intended for people that are not really into SSL/TLS and ciphers and all this crypto techno-babble (We are joking, it's a serious field with serious experts and real problems to solve - but it sounds like techno-babble to anyone not intimate with it). People who have heard that their http: server is not really secure enough nowadays. That spies and bad guys are listening. That even legitimate corporations are inserting data into their web pages and selling profiles of visitors.
This guide wants to help you migrate your httpd server from serving insecure http: links to encrypted https: ones, without you becoming a SSL expert first. You might get fascinated by all this crypto things and study it more and become a real expert. But you also might not, run a reasonably secure web server nevertheless and do other things good for mankind with your time.
You will get a rough idea what roles these mysterious things called "certificate" and "private key" play and how they are used to let your visitors be sure they are talking to your server. You will not be told how this works, just how it is used: it's basically about passports.
The TLS protocol (formerly known as SSL) is a way a client and a server can talk to each other without anyone else listening, or better understanding a thing. It is what your browser uses when you open a https: link.
In addition to having a private conversation with a server, your browser also needs to know that it really talks to the server - and not someone else acting like it. That, next to the encryption, is the other part of the TLS protocol.
In order to do that, your server does not only need the software for TLS, e.g. the mod_ssl module, but some sort of identity proof on the Internet. This is commonly referred to as a certificate. Basically, everyone has the same mod_ssl and can encrypt, but only your have your certificate and with that, you are you.
A certificate is the digital equivalent of a passport. It contains two things: a stamp of approval from the people issuing the passport and a reference to your digital fingerprints, e.g. what is called a private key in encryption terms.
When you configure your Apache httpd for https: links, you need to give it the certificate and the private key. If you never give the key to anyone else, only you will be able to prove to visitors that the certificate belongs to you. That way, a browser talking to your server a second time will be sure that it is indeed the very same server it talked to before.
But how does it know that it is the real server, the first time it starts talking to someone? Here, the digital rubber stamping comes into play. The rubber stamp is done by someone else, using her own private key. That person has also a certificate, e.g. her own passport. The browser can make sure that this passport is based on the same key that was used to rubber stamp your server passport. Now, instead of making sure that your passport is correct, it must make sure that the passport of the person that says your passport is correct, is correct.
And that passport is also rubber stamped digitally, by someone else with a key and a certificate. So the browser only needs to make sure that that one is correct that says it is correct to trust the one that says your server is correct. This trusting game can go to a few or many levels (usually less than 5).
In the end, the browser will encounter a passport that is stamped by its own key. It's a Gloria Gaynor certificate that says "I am what I am!". The browser then either trust this Gloria or not. If not, your server is also not trusted. Otherwise, it is. Simple.
The trust check for the Gloria Gaynors of the Internet is easy: your browser (or your operating system) comes with list of Gloria passports to trust, pre-installed. If it sees a Gloria certificate, it is either in this list or not to be trusted.
This whole thing works as long as everyone keeps his private keys to himself. Anyone copying such a key can impersonate the key owner. And if the owner can rubber stamp passports, the impersonator can also do that. And all the passports stamped by an impersonator, all those certificates will look 100% valid, indistinguishable from the "real" ones.
So, this trust model works, but it has its limits. That is why browser makers are so keen on having the correct Gloria Gaynor lists and threaten to expel anyone from it that is careless with her keys.
Well, you can buy one. There are a lot of companies selling Internet Passports as a service. In this list from Mozilla you find all companies that the Firefox browser trusts. Pick one, visit their website and they will tell you what it costs. And how you need to prove that you are who you claim to be so they can rubber stamp your passport with confidence.
They all have their own methods, also depending on what kind of passport you apply for, and it's probably some sort of click web interface in a browser. They may send you an email that you need to answer or do something else. In the end, they will show you how to generate your own, unique private key and issue you a stamped passport matching it.
You then place the key in one file, the certificate in another. Put these on your server, make sure that only a trusted user can read the key file and add it to your httpd configuration. This is extensively covered in the SSL How-To.
There are also companies that offer certificates for web servers free of charge. The pioneer in this is Let's Encrypt which is a service of the Internet Security Research Group (ISRG), a not-for-profit organization to "reduce financial, technological, and education barriers to secure communication over the Internet."
They not only offer free certificates, they also developed an interface that can be used by your Apache httpd to get one. This is where mod_md comes in.
(zoom out the camera on how to configure mod_md and virtual host...)
