How do I add a virtual host with self-signed SSL to my Apache 2 web server, Mac OS X 10.5 (client) computer?

Instructions on how to host multiple self-signed SSL virtual hosts on a single certificate.

Why

Here’s why you might do this:

  • You want to test (your SSL) encryption of the data stream between your Web server and browser (HTTPS).
  • You’re using a self-signed certificate because you either don’t plan on having your certificate signed by a Certificate Authority (CA), or you wish to test your new SSL implementation while the CA is signing your certificate. (This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted.)

How

  1. Create a certificate for our own personal signing authority.
  2. Create a certificate request for a domain.
  3. Sign the certificate signing request and generate a signed certificate.
  4. Make a copy of the signed certificate’s key that doesn’t need a password when Apache starts.
  5. Turn on SSL.
  6. Add a new SSL virtual host.
  7. Create a virtual hosts map file.
  8. Edit your SSL virtual host.

Steps

Open the Terminal application and create an ssl directory in /etc/apache2:

  1. Generate your own CA. Make sure to remember the passphrase you’re prompted for. This is what you use to sign certificates.
  2. Generate a server key and a certificate signing request (CSR). When prompted for the Common Name (CN), enter the domain name you want the certificate for, for example xxx.lmc.xxx (if you want to use the URL http://xxx.lmc.xxx/). You can just hit return on your keyboard (to leave the entries blank) when prompted for Organizational Unit Name, Challenge Password and Optional Company Name.
  3. Sign the certificate signing request with the self-created certificate authority that you made earlier:
  4. Make a copy of the key which doesn’t cause Apache to prompt for a password.
  5. The /private/etc/apache2/ssl directory should look like this:

  6. Turn on SSL. Open /private/etc/apache2/httpd.conf and uncomment the line for SSL:
  7. Open /private/etc/apache2/extra/httpd-ssl.conf and comment out the entire <VirtualHost>…</VirtualHost> section. Then open /private/etc/apache2/extra/httpd-vhosts.conf and add the new xxx.lmc.xxx SSL virtual host at the bottom:
  8. To check for configuration errors and, if none are found, restart the Web server, type (in Terminal):

    Check that your Web server (and Lasso, if you’re using Lasso) are working correctly. Open a Web browser and go to http://127.0.0.1/ and to one of your virtual hosts, e.g. http://xxx.test.xxx, and, if you’re using Lasso, to one of your Lasso Web sites.

    At this point you have a single self-signed SSL virtual host. Whatever HTTPS URL you use, https://xxx.lmc.xxx/, https://xxx.test.xxx/, etc., will point to your /Library/WebServer/Documents/lmc directory.

    Continue on to create multiple self-signed SSL virtual hosts so that https://xxx.lmc.xxx/ will point to your /Library/WebServer/Documents/lmc directory and https://xxx.test.xxx/ will point to your /Library/WebServer/Documents/test directory.

  9. Use BBEdit to create a new file called ssl.map on your Desktop. Put in this file a list of your virtual hosts with their DocumentRoot:
  10. Use Terminal to move this file to /private/etc/apache2/ssl.map:

  11. Open /private/etc/apache2/extra/httpd-vhosts.conf and add the following code at the bottom of the <VirtualHost 127.0.0.1:443> section:
  12. To check for configuration errors and, if none are found, restart the Web server, type (in Terminal):

    Check that your Web server (and Lasso, if you’re using Lasso) are working correctly. Open a Web browser and go to http://127.0.0.1/ and to one of your virtual hosts, e.g. http://xxx.test.xxx, and, if you’re using Lasso, to one of your Lasso Web sites.

    Then check each of your virtual hosts (and Lasso sites) over HTTPS, e.g. https://xxx.lmc.xxx/.
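The procedure above, steps 1 through 11, as one added shell example. This is not the tutorial's own listing (the original commands and configuration are not present in this copy of the page). It assumes an SSL_DIR that stands in for /private/etc/apache2/ssl, placeholder passphrases supplied with -passout/-passin instead of the interactive prompts, and mod_rewrite's txt RewriteMap as the mechanism that honours ssl.map inside the one SSL virtual host. It also goes one step beyond the page: every virtual host name is added to the certificate as a subjectAltName, so the single certificate is valid for all of them instead of only for the xxx.lmc.xxx Common Name.

```shell
#!/bin/sh
# Added example (not the tutorial's own commands): self-signed CA, one server
# certificate for several virtual hosts, the ssl.map file and the SSL vhost.
# Assumptions: SSL_DIR stands in for /private/etc/apache2/ssl, passphrases are
# placeholders, and the RewriteMap lookup is one way to honour ssl.map.
set -e

SSL_DIR="${SSL_DIR:-./apache2-ssl-example}"
DAYS=365
CA_PASS="pass:CHANGE-ME-ca-passphrase"          # placeholder, not from the page
KEY_PASS="pass:CHANGE-ME-server-passphrase"     # placeholder, not from the page

# Step 1: our own certificate authority (passphrase-protected key + root cert).
make_ca() {
  mkdir -p "$SSL_DIR"
  openssl genrsa -aes256 -passout "$CA_PASS" -out "$SSL_DIR/ca.key" 2048
  openssl req -new -x509 -days "$DAYS" -key "$SSL_DIR/ca.key" -passin "$CA_PASS" \
    -subj "/CN=Local test CA" -out "$SSL_DIR/ca.crt"
  chmod 600 "$SSL_DIR/ca.key"
}

# Steps 2-4: server key + CSR (CN = first host name), sign it with the CA,
# then write the passphrase-free copy that lets Apache start unattended.
# Beyond the page: every host name is also listed as a subjectAltName, so the
# single certificate is valid for all vhosts rather than only the CN.
make_server_cert() {
  san=""
  for h in "$@"; do san="${san:+$san,}DNS:$h"; done
  printf 'subjectAltName=%s\n' "$san" > "$SSL_DIR/san.ext"
  openssl genrsa -aes256 -passout "$KEY_PASS" -out "$SSL_DIR/server.key" 2048
  openssl req -new -key "$SSL_DIR/server.key" -passin "$KEY_PASS" \
    -subj "/CN=$1" -out "$SSL_DIR/server.csr"
  openssl x509 -req -days "$DAYS" -in "$SSL_DIR/server.csr" \
    -CA "$SSL_DIR/ca.crt" -CAkey "$SSL_DIR/ca.key" -passin "$CA_PASS" \
    -set_serial 1 -extfile "$SSL_DIR/san.ext" -out "$SSL_DIR/server.crt"
  openssl rsa -in "$SSL_DIR/server.key" -passin "$KEY_PASS" \
    -out "$SSL_DIR/server.key.insecure"
  # The unencrypted key is the whole security of the vhost: root-only, always.
  chmod 600 "$SSL_DIR/server.key" "$SSL_DIR/server.key.insecure"
}

# The check worth doing before touching httpd.conf: does the server certificate
# chain to our CA, and does it carry the host name the browser will request?
verify_chain() { openssl verify -CAfile "$SSL_DIR/ca.crt" "$SSL_DIR/server.crt" >/dev/null; }
cert_has_name() { openssl x509 -in "$SSL_DIR/server.crt" -noout -text | grep -q "DNS:$1"; }

# Steps 9-11: ssl.map (host name -> DocumentRoot) and the SSL virtual host that
# looks each request's host name up in it. The paths are the tutorial's.
write_vhost_config() {
  cat > "$SSL_DIR/ssl.map" <<'EOF'
xxx.lmc.xxx   /Library/WebServer/Documents/lmc
xxx.test.xxx  /Library/WebServer/Documents/test
EOF
  cat > "$SSL_DIR/httpd-vhosts-ssl.conf" <<'EOF'
<VirtualHost 127.0.0.1:443>
    ServerName xxx.lmc.xxx
    DocumentRoot /Library/WebServer/Documents/lmc
    SSLEngine on
    SSLCertificateFile    /private/etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /private/etc/apache2/ssl/server.key.insecure
    # Assumed mapping mechanism: mod_rewrite's txt map, keyed by host name.
    RewriteEngine On
    RewriteMap lowercase int:tolower
    RewriteMap vhost txt:/private/etc/apache2/ssl.map
    RewriteCond ${lowercase:%{SERVER_NAME}} ^(.+)$
    RewriteCond ${vhost:%1} ^(/.+)$
    RewriteRule ^/(.*)$ %1/$1
</VirtualHost>
EOF
}

# Run the whole procedure against the scratch directory:  sh this-file.sh run
case "${1:-}" in
  run)
    make_ca
    make_server_cert xxx.lmc.xxx xxx.test.xxx
    verify_chain && cert_has_name xxx.test.xxx && write_vhost_config
    echo "certificate, map and vhost written to $SSL_DIR; next: sudo apachectl configtest"
    ;;
esac
```

Copying the generated files into /private/etc/apache2/ssl and the vhost fragment into httpd-vhosts.conf is the manual part the tutorial describes; the script only prepares them. The two checks matter: verify_chain catches a certificate signed with the wrong CA key, and cert_has_name catches the case the page warns about, a certificate that is only valid for one of your host names. Keep server.key.insecure readable by root only, since anyone who can read it can impersonate every host name on that certificate.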

What to watch out for

Don’t skip checking for configuration errors! If any errors are reported when you run sudo apachectl configtest, your Web server probably won’t start.

Because you are using a self-signed SSL certificate (created solely for the xxx.lmc.xxx virtual host) your Web browser will display a message telling you:

“<yourURL> uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is not trusted.

The certificate is only valid for xxx.lmc.xxx.”

You will need to click on the button to “Add Exception”.

A certificate authority tells your customers that this server information has been verified by a trusted source. The problem with using a self-signed certificate is that it will be flagged as potentially risky and error messages will pop up encouraging your customers not to trust the site.