How to set up SSL with Apache 2 on SuSE 9.1


On SuSE 9.1, when you install your software, in YAST2, search for apache. Install all the apache2 items and none of the plain apache ones. If you are not running SuSE, the directory locations may change. Be sure to run the online update in Yast2 because there have been many fixes to both Apache and OpenSSH. If you use php, I have seen Web pages that advise upgrading to the latest versions.

In Yast2 you can configure the non-SSL server in Network Services/HTTP server. Do not turn on SSL in the default host or else the non-ssl host (on port 80) will try to look for certificates. Also, if you have the SuSE firewall turned on, be sure to allow port 443 (or the port you choose for SSL) through the firewall.

Starting Apache 2 automatically

As root, run:

cd /etc/init.d
insserv apache2

This will insert apache 2 in the correct startup and shutdown scripts.

Overall guidance

There is a good quick start document in

But it is not quite enough to do the job.

Getting a certificate

If you installed all the apache2 modules, the manual should be available on your machine. Go to
and either get a "real" certificate or create your own following the instructions there.

Eric Busse gave the following hints about generating your own certificate:

As opposed to manually creating a cert you can do the following

/usr/bin/gensslcert2 (claims SuSE) however in my experience it's actually: /usr/bin/gensslcert

Shamelessly lifted from:

If you are not going to be at the console whenever your computer reboots, follow the instructions for using an unencrypted (but protected) server key. Be sure it is protected with access permissions 400.

If you run gensslcert, you should look at the man page and run it with all of the arguments.

These options are recognized (the default is shown in the right-hand column):

  -C   Common name                          "$name"
  -N   comment                              "$comment"
  -c   country (two letters, e.g. DE)       $C
  -s   state                                $ST
  -l   city                                 $L
  -o   organisation                         "$O"
  -u   organisational unit                  "$U"
  -n   fully qualified domain name          $CN (\$FQHOSTNAME)
  -e   email address of webmaster           webmaster@$CN
  -y   days server cert is valid for        $srvdays
  -Y   days CA cert is valid for            $CAdays
  -d   run in debug mode
  -h   show usage

For example:

/usr/bin/gensslcert -c US -s TN -l "Oak Ridge" -o Your_organization -e -d -n

In particular the CN field (the -n argument) is critical because it must be identical to the ServerName in the virtual host file (discussed later).

gensslcert will put the certificates in the correct directories. If you get a "real" certificate, install the server key in

and the server certificate in


As root, you will need to edit several files.

In /etc/sysconfig/apache2:

Add ssl to the APACHE_MODULES line:
APACHE_MODULES="access actions alias auth auth_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif status suexec userdir ssl"

Add the server flag SSL to turn on the SSL module configuration file (/etc/apache2/ssl.conf).

Increase the startup timeout to allow a password entry if necessary.

In /etc/apache2/vhosts.d,

cp vhost-ssl.template vhost-ssl.conf

You can also copy the vhost.template file to vhost.conf if you want a non-ssl server.

Then edit vhost-ssl.conf.


You must configure the virtual host for the server. You can put all the access control directives and the document root here. The SSL directives that come with vhost-ssl.template (SSLEngine and the certificate paths) stay in place; only the parts you edit are shown below.

## SSL Virtual Host Context
<VirtualHost _default_:443>
#  General setup for the virtual host
DocumentRoot "/srv/www/secdocs"
# The ServerName must be identical to the -n field in your certificate
# (placeholder: put your own fully qualified host name here)
ServerName your.fully.qualified.hostname

ServerAdmin your@email.address
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log

# Access controls for a directory called noCTRP
<Directory /srv/www/secdocs/noCTRP>
AuthType Basic
AuthName "Password Required"
# The file for the passwords for this directory (kept outside the DocumentRoot)
AuthUserFile /srv/www/passwords/password.noCTRP
Require user security
Options Indexes FollowSymLinks
</Directory>
</VirtualHost>

There seems to be another problem that several other frustrated people have run across. In spite of putting the


in the /etc/sysconfig/apache2 file, the system seems to ignore the directive. You can check whether this is the case on your system.

As root run:

JARDELL:/etc/apache2 # httpd2 -D SSL -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443 (/etc/apache2/vhosts.d/vhost-ssl.conf:27)
*:80 (/etc/apache2/vhosts.d/vhost.conf:1)
Syntax OK

If you do not see the vhost-ssl.conf file, something is rotten in Denmark.

To aid in determining what is happening, you can also raise the error logging level in /etc/sysconfig/apache2:


This will let you see what the ServerName in the certificate is. If this name is not identical to the one in the vhost-ssl.conf file, apache2 will not start in SSL mode!
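The three things that go wrong most often in this procedure are the ones the text keeps coming back to: the certificate CN and the vhost ServerName not matching, the ssl module or the SSL server flag missing from /etc/sysconfig/apache2, and the SSL host not showing up in httpd2 -D SSL -S. The following Python script is an added example, not part of this how-to or of SuSE's tooling, that runs those checks (plus the mode-400 key and a password file outside the DocumentRoot) against constructed stand-ins for the real files. The host name www.example.test, the file contents and the openssl subject line are all assumptions; on a real machine you would read the files and feed in the output of openssl x509 -in server.crt -noout -subject and httpd2 -D SSL -S.

```python
"""Added example: pre-flight checks for the SSL setup in this how-to.
Verifies the things the text says must agree: ssl in APACHE_MODULES plus the SSL
server flag, ServerName equal to the certificate CN (the -n value), a mode-400
server key, a password file outside the DocumentRoot, and the _default_:443
host appearing in 'httpd2 -D SSL -S'. All inputs are constructed samples."""
import os, re, stat, tempfile

# Constructed stand-in for the relevant lines of /etc/sysconfig/apache2.
SYSCONFIG_SAMPLE = '''APACHE_MODULES="access actions alias auth dir log_config mime setenvif status ssl"
APACHE_SERVER_FLAGS="SSL"
APACHE_START_TIMEOUT="10"
'''
# Constructed stand-in for vhost-ssl.conf; www.example.test is a placeholder host name.
VHOST_SSL_SAMPLE = '''<VirtualHost _default_:443>
DocumentRoot "/srv/www/secdocs"
ServerName www.example.test
<Directory /srv/www/secdocs/noCTRP>
AuthType Basic
AuthUserFile /srv/www/passwords/password.noCTRP
</Directory>
</VirtualHost>
'''
# Constructed: what 'openssl x509 -in server.crt -noout -subject' prints for a
# certificate made with 'gensslcert ... -n www.example.test'.
CERT_SUBJECT_SAMPLE = "subject= /C=US/ST=TN/L=Oak Ridge/O=Your_organization/CN=www.example.test"
# Output of 'httpd2 -D SSL -S' in the form shown in this how-to.
HTTPD_S_SAMPLE = '''VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443 (/etc/apache2/vhosts.d/vhost-ssl.conf:27)
*:80 (/etc/apache2/vhosts.d/vhost.conf:1)
Syntax OK
'''

def sysconfig_values(text):
    """Parse KEY="value" lines of a sysconfig file into a dict."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'^\s*(\w+)\s*=\s*"?([^"\n]*)"?\s*$', text, re.M)}

def ssl_enabled_in_sysconfig(text):
    """True when the ssl module is listed and the SSL server flag is set."""
    vals = sysconfig_values(text)
    return ("ssl" in vals.get("APACHE_MODULES", "").split()
            and "SSL" in vals.get("APACHE_SERVER_FLAGS", "").split())

def vhost_directive(text, name):
    """Value of a directive (ServerName, DocumentRoot, ...) inside the :443 vhost, or None."""
    body = re.search(r'<VirtualHost[^>]*:443>(.*?)</VirtualHost>', text, re.S | re.I)
    if not body:
        return None
    hit = re.search(r'^\s*%s\s+"?([^"\n]+?)"?\s*$' % re.escape(name), body.group(1), re.M | re.I)
    return hit.group(1) if hit else None

def cert_common_name(subject_line):
    """CN from an 'openssl x509 -noout -subject' line (old '/CN=' or new 'CN = ' format)."""
    hit = re.search(r'CN\s*=\s*([^/,\n]+)', subject_line)
    return hit.group(1).strip() if hit else None

def servername_matches_cert(vhost_text, subject_line):
    """The mismatch that stops apache2 from starting in SSL mode."""
    name, cn = vhost_directive(vhost_text, "ServerName"), cert_common_name(subject_line)
    return name is not None and cn is not None and name.lower() == cn.lower()

def key_mode_is_400(path):
    """An unencrypted server key must be readable by its owner only."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o400

def authuserfile_outside_docroot(vhost_text):
    """The password file must not live under the DocumentRoot, or it can be fetched."""
    docroot = vhost_directive(vhost_text, "DocumentRoot")
    pwfile = vhost_directive(vhost_text, "AuthUserFile")
    if docroot is None or pwfile is None:
        return False
    return not os.path.normpath(pwfile).startswith(os.path.normpath(docroot) + os.sep)

def ssl_vhost_listed(httpd_s_output):
    """True if 'httpd2 -D SSL -S' shows _default_:443 coming from vhost-ssl.conf."""
    return re.search(r'^_default_:443\s+\(\S*vhost-ssl\.conf:\d+\)', httpd_s_output, re.M) is not None

def run_all_checks():
    """Run every check on the samples; a temporary file stands in for the server key."""
    fd, keyfile = tempfile.mkstemp()
    os.close(fd)
    os.chmod(keyfile, 0o400)
    try:
        return {
            "ssl_module_and_flag": ssl_enabled_in_sysconfig(SYSCONFIG_SAMPLE),
            "servername_matches_cn": servername_matches_cert(VHOST_SSL_SAMPLE, CERT_SUBJECT_SAMPLE),
            "key_mode_400": key_mode_is_400(keyfile),
            "passwords_outside_docroot": authuserfile_outside_docroot(VHOST_SSL_SAMPLE),
            "ssl_vhost_listed": ssl_vhost_listed(HTTPD_S_SAMPLE),
        }
    finally:
        os.chmod(keyfile, 0o600)
        os.unlink(keyfile)

if __name__ == "__main__":
    for check, ok in run_all_checks().items():
        print("%-26s %s" % (check, "OK" if ok else "FAILED"))
```

Each check is a separate function so you can run just the one you are chasing; a FAILED on servername_matches_cn is the case the text describes where apache2 silently refuses to start in SSL mode, and a FAILED on ssl_vhost_listed is the "something is rotten in Denmark" case.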

Starting your server

As root run:
rcapache2 start

This command can also be used, with restart or stop in place of start, to restart or stop your server.
Your server should now be listening on port 443 on your host.

Be sure to place an index.html file in the main document directory, in my case /srv/www/secdocs.

If you have comments or suggestions, e-mail me at