[Ref: OpenBSD FAQ | mod_ssl/ssl_faq.html | /var/www/conf/httpd.conf]
SSL Communications assume the server has an authentication certificate which acts as a verification for whom the server publishes itself to be, and provides an envelope for the server’s public key with which clients can encrypt communications bound for the server.
Refer our the guide on generating SSL Certificates in OpenBSD.
Generate/copy the key/certificate pair to your host directories (shown below) into the correct
When first getting into SSL Certificates, use the filenames in the standard configuration files, this will minimise the number of configuration changes you need to make and you can ‘customise’ once you have a better understanding.
$ grep SSLCertificate /var/www/conf/httpd.conf
File extract: /var/www/conf/httpd.conf
SSLCertificateFile /etc/ssl/server.crt SSLCertificateKeyFile /etc/ssl/private/server.key
Copy your generated certificates into the above locations and restart Apache with SSL support to verify that our configuration changes/certificates are correct.
$ sudo apachectl stop && sudo apachectl startssl
Server CRTs for Virtual sites can be generated using the same above process, except you choose a different name for the CSR and CRT. One nice convention is to use the domain name of the site, for example:
Within the Virtual Host configuration you will then need to specify the appropriate SSL Directive.
NameVirtualHost 192.168.101.49:* <VirtualHost 192.168.101.49:*> ServerAdmin firstname.lastname@example.org DocumentRoot /var/www/twig ServerName virtualsite.com ErrorLog logs/virtualsite.com-error_log CustomLog logs/virtualsite.com-access_log common SSLEngine on SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP SSLCertificateFile /etc/ssl/virtualsite.com.crt SSLCertificateKeyFile /etc/ssl/private/server.key </VirtualHost>
Our guide on generating SSL Certificates in OpenBSD has some validation testing, and external resources can also be used for testing SSL Certificates for websites:
[https://www.ssllabs.com/ssltest/index.html](Qualys SSL Labs) has a free online service performs a deep analysis of the configuration of any SSL web server on the public Internet