Securing Apache HTTP Server (PHP and Java)

When it comes to the Apache HTTP Server, terminology can be a bit confusing. Originally, Apache and the web server were one in the same. However, as Apache expanded in size and scope, several additional projects came under their umbrella. (Example: Tomcat is actually Apache Tomcat.) In this section, all references to Apache should be interpreted as the Apache HTTP Server.

This section is primarily about configuring Apache to support PHP. However, as many J2EE developers will point out, Tomcat can be integrated with Apache, so both PHP and Java code can take advantage of configuring Apache for HTTPS. The details of that integration, however, are out of scope for this article.

Key and Certificate Conversion
The first step here is to generate a key and a certificate using OpenSSL. However, you may be wondering: "Didn't you just create a key and certificate as part of the Tomcat configuration?" The answer is yes. Unfortunately the keys are in a slightly different format. The good news is that some of the folks on the web documented how to convert a keytool cert / key into an OpenSSL cert / key. For me, I followed the steps outlined in Bruno's answer here:

Here are my results of the conversion:

Note: If you don't plan on supporting both Tomcat and Apache, then you can simply generate an OpenSSL cert and key from scratch. (There are several articles on the web which describe how to do this.)

Apache Configuration
Now that I've got a valid certificate and key, it's time to update the Apache configuration files. Since I run OSX, I followed the instructions here:

For others who are using a variant of Unix, the following article may be more appropriate:

You can also take the best from each article. (That's what I did.) However, since they're so wonderfully thorough, there's no need to rewrite the content here.

Once this is saved, launch tomcat, and attempt to connect on port 443. (This is the default HTTPS port, so there's no need to specify it in the URL.)

At first, you should see the same warning as you saw with tomcat:

After verifying that I'm at my own site, I'll click 'Proceed anyway'. Upon doing so, I'll see this:

This shows that I successfully retrieved encrypted results - even if the connection isn't a trusted connection.

This completes the configuration of HTTPS under Apache.