Installing Apache2 with SSL (httpd) on Solaris 10

Most of the steps below are copied from Mel Lester Jr., with some minor modifications to his tips:

Apache 2.xx is included with Solaris 10. A few configuration details need to be addressed prior to starting Apache 2.xx:
1. Log in as root
wired# _

2. Copy the file, /etc/apache2/httpd.conf-example to /etc/apache2/httpd.conf
wired# cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf

3. Edit /etc/apache2/httpd.conf
- Set ServerName if necessary (default is
- Set ServerAdmin to a valid email address
4. From the command line type:
wired# svcadm enable apache2

That is all it takes to start the basic Apache 2 web server bundled with Solaris 10. Because it runs as an SMF service, the Apache 2 web service should persist through server and/or zone boots. The actual web pages are located in the /var/apache2/htdocs directory by default.

SSL Certificate Configuration for Apache2 on Solaris 10
By: Mel Lester Jr.
(Version 1.04, June 21, 2006)

1. Enable SSL Service Property if necessary. Log in as root and issue the following command:
web# svcprop -p httpd/ssl svc:network/http:apache2

If the response is “false”, issue these three commands:
web# svccfg -s http:apache2 setprop httpd/ssl=true
web# svcadm refresh http:apache2
web# svcprop -p httpd/ssl svc:network/http:apache2

If the response is “true”, continue to the next step.
2. Create a Certificate Directory and a Key Directory.
web# mkdir /etc/apache2/ssl.crt
web# mkdir /etc/apache2/ssl.key

3. Generate an RSA Key. The 1024-bit modulus shown below dates from 2006; current guidance is at least 2048 bits.
web# /usr/local/ssl/bin/openssl genrsa -des3 1024 > /etc/apache2/ssl.key/server.key
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
Enter pass phrase: ********
Verifying - Enter pass phrase: ********

4. Generate a Certificate Request.
web# /usr/local/ssl/bin/openssl req -new -key /etc/apache2/ssl.key/server.key > \
> /etc/apache2/ssl.crt/server.csr
Enter pass phrase for /etc/apache2/ssl.key/server.key: ********
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:OR
Locality Name (eg, city) []:Blodgett
Organization Name (eg, company) [Unconfigured OpenSSL Installation]:DIS
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:Big Cheese
Email Address []
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ********
An optional company name []: Live Free or Die

5. Install a Self-Signed Certificate. If you are going to install a certificate from an authoritative source, follow their instructions and skip this step.
web# /usr/local/ssl/bin/openssl req -x509 -days 3650 -key \
> /etc/apache2/ssl.key/server.key \
> -in /etc/apache2/ssl.crt/server.csr > \
> /etc/apache2/ssl.crt/server.crt
Enter pass phrase for /etc/apache2/ssl.key/server.key: ********

6. Modify the ssl.conf file to use your certificate.
web# cd /etc/apache2
web# ls -l
total 334
-rw-r--r-- 1 root bin 1987 Jan 6 21:10 highperformance-std.conf
-rw-r--r-- 1 root bin 1987 Jan 6 21:10 highperformance.conf
-rw-r--r-- 1 root bin 37519 Jan 6 21:10 httpd-std.conf
-rw-r--r-- 1 root root 37660 Jan 18 21:49 httpd.conf
-rw-r--r-- 1 root bin 37661 Jul 20 2005 httpd.conf-example
-rw-r--r-- 1 root bin 12959 Jan 6 21:10 magic
-rw-r--r-- 1 root bin 15020 Jan 6 21:10 mime.types
-rw-r--r-- 1 root bin 10759 Jan 6 21:10 ssl-std.conf
-rw-r--r-- 1 root bin 10996 Jan 6 21:10 ssl.conf
drwxr-xr-x 2 root root 512 Jan 19 03:24 ssl.crt
drwxr-xr-x 2 root root 512 Jan 19 02:52 ssl.key

Edit the ssl.conf and change the line that begins with “ServerAdmin” to reflect an email address or alias for the Server’s Administrator.
7. Test the SSL Certificate with Apache2
- If Apache2 is enabled, disable it during testing.
web# svcs | grep -i apache2
online 3:29:01 svc:/network/http:apache2
web# svcadm disable apache2

- Use the legacy script to manually test start Apache2 with SSL.
web# /usr/apache2/bin/apachectl startssl
Apache/2.0.52 mod_ssl/2.0.52 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.
Server (RSA)
Enter pass phrase: ********
Ok: Pass Phrase Dialog successful.

If this test fails with an error similar to ‘vhost.c:232 assertion “rv == APR_SUCCESS” failed on startssl’, your server may not be configured to use DNS to resolve host names. This failure is due to a known bug in Apache2 2.0.nn. A quick fix is to edit the hosts line in your server’s /etc/nsswitch.conf to look like the following:
hosts: files dns

More information about this issue may be found at:

After editing /etc/nsswitch.conf or otherwise resolving the issue, repeat the test until you are able to manually start and stop Apache2 using your SSL Certificate and Pass Phrase.
web# ps -ef | grep httpd
root 1392 575 0 03:45:16 ? 0:01 /usr/apache2/bin/httpd -k start -DSSL
root 1400 1116 0 03:45:51 pts/3 0:00 grep httpd
webservd 1393 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
webservd 1397 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
webservd 1396 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
webservd 1395 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
webservd 1394 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL

- If your results are similar to the one above, use the legacy script to conclude the test. You may also want to verify that a client browser can access your site using https before continuing. Accept the self-signed Certificate if necessary.
web# /usr/apache2/bin/apachectl stop

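8. Enable Apache2 with SSL to be started automatically as a service. The service start is unattended, so nobody can answer the pass phrase prompt; the commands below write the key back out without a pass phrase, which leaves the chmod 400 as the only protection on the key file.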
web# cd /etc/apache2/ssl.key
web# cp server.key
web# /usr/local/ssl/bin/openssl rsa -in -out server.key
Enter pass phrase for ********
writing RSA key
web# chmod 400 server.key
web# svcadm enable apache2
web# svcs | grep -i apache2
online 4:29:01 svc:/network/http:apache2
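
A check for the end state of step 8, added here as an example and not part of Mel Lester's notes: it reports whether a key file still needs a pass phrase and whether anyone other than its owner can access it. The function names (audit_key, key_is_encrypted, key_mode_is_private, make_samples) and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the key file that step 8 leaves behind.
# audit_key exit codes: 0 = plaintext key, owner-only (ready for SMF),
# 1 = still pass-phrase protected, 2 = group/other can access it,
# 3 = file holds no PEM private key.

key_is_encrypted() {
    # "openssl genrsa -des3" writes traditional PEM with a Proc-Type
    # header; PKCS#8 output uses its own BEGIN line instead.
    grep '^Proc-Type: 4,ENCRYPTED' "$1" >/dev/null 2>&1 ||
    grep '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" >/dev/null 2>&1
}

key_mode_is_private() {
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=`ls -ld "$1" | cut -c5-10`
    [ "$mode" = "------" ]
}

audit_key() {
    grep '^-----BEGIN .*PRIVATE KEY-----' "$1" >/dev/null 2>&1 || {
        echo "$1: no PEM private key found"; return 3; }
    if key_is_encrypted "$1"; then
        echo "$1: pass phrase still required at start"
        return 1
    fi
    if key_mode_is_private "$1"; then
        echo "$1: plaintext key, owner-only permissions"
        return 0
    fi
    echo "$1: plaintext key accessible to group/other, run chmod 400"
    return 2
}

# Constructed sample files: PEM-shaped placeholders, not real keys.
make_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' 'DEK-Info: DES-EDE3-CBC,0000000000000000' \
        '' 'c2FtcGxl' '-----END RSA PRIVATE KEY-----' > "$1/encrypted.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'c2FtcGxl' \
        '-----END RSA PRIVATE KEY-----' > "$1/plain.key"
    cp "$1/plain.key" "$1/loose.key"
    chmod 400 "$1/encrypted.key" "$1/plain.key"
    chmod 644 "$1/loose.key"
}

# Usage: sh audit_key.sh /etc/apache2/ssl.key/server.key
if [ $# -gt 0 ]; then audit_key "$1"; fi
```

Run against /etc/apache2/ssl.key/server.key before `svcadm enable apache2`, only exit code 0 means the key is both usable at boot and restricted to its owner.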