Enable SSL with Apache in FreeBSD

Generate a server key. This would remain same for all domains/ips on this server

# openssl genrsa -des3 -out server.key 1024

Now make sure it does not ask for any password while loading the certificate

# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key

Now create a certificate signing request (CSR) for your domain. Once you execute the command listed below, you will be asked few questions. The most important is “Common Name”, which should be the fully qualified domain name that requires SSL cert

# openssl req -new -key server.key -out domain_name.csr

Once you have the CSR, there are two ways you can get the certificate: (a) generate the certificate yourself, but you and more importantly your users will get a warning every time they access the domain/web page or (b) use the CSR to submit this request to one the browser recognized SSL cert providers. They generally charge for such services. To complete the process here, we would generate the certificate ourselves.

# openssl x509 -req -days 365 -in /root/domain_name.csr -signkey /root/server.key -out /root/domain_name.crt

Now, we need to move the certificate file and the server key from where Apache can read it. make sure you set the correct permissions on both the files

# mkdir /usr/local/etc/apache22/ssl
# chmod 0700 /usr/local/etc/apache22/ssl

# cp ~/server.key /usr/local/etc/apache22/ssl/
# cp ~/domain_name.crt /usr/local/etc/apache22/ssl/
# chmod 0400 /usr/local/etc/apache22/ssl/server.key
# chmod 0400 /usr/local/etc/apache22/ssl/domain_name.crt

If you are running with virtual hosts enabled, make sure the domain entry in the virtual host section is ip based.

<VirtualHost xxx.xxx.xxx.xxx:80>
ServerAdmin webmaster@domain_name.com
DocumentRoot /usr/local/www/apache22/data/domain_name.com/htdocs
ServerName domain_name.com
ErrorLog /usr/local/www/apache22/data/domain_name.com/logs/error_log
CustomLog /usr/local/www/apache22/data/domain_name.com/logs/access_log common
</VirtualHost>

The SSL section will require a the path to the certificate and server key.

<VirtualHost xxx.xxx.xxx.xxx:443>
ServerName domain_name.com
ServerAdmin webmaster@domain_name.com
DocumentRoot /usr/local/www/apache22/data/domain_name.com/htdocs
SSLEngine on
SSLCertificateFile /usr/local/etc/apache22/ssl/domain_name.crt
SSLCertificateKeyFile /usr/local/etc/apache22/ssl/server.key
</VirtualHost>

For FreeBSD, default Apache virtual host file is located at /usr/local/etc/apache22/extra/http-vhosts.conf and SSL configuration file is located at /usr/local/etc/apache22/extra/httpd-ssl.conf. You need to enable both of them in your main httpd.conf file (/usr/local/etc/apache22/httpd.conf).

Also make sure that accf_data_load=”YES” is present in your /boot/loader.conf, otherwise you will receive a warning every time your start Apache.

This guide has been written for FreeBSD 8.0 and Apache 2.2.14 . For other distributions and versions, the file location might have to be adjusted to make it work.