setting up ssl on apache webserver

Setting up ssl on a linux server

 

Required tools

  • openssl
  • a user with sudo privileges
  • apache webserver

 

 

Create the SSL Certificate

 

To create the self-signed certificate, enter the following command:

 

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/ssl/private/apache.key -out /etc/ssl/certs/apache.crt

 

 

  • openssl: The OpenSSL command line tool for creating and managing certificates, keys, and related files.
  • req: This subcommand is for X.509 certificate signing request (CSR) management. X.509 is the public key infrastructure standard that SSL and TLS adhere to for key and certificate management. We want to create a new X.509 certificate, so we use this subcommand.
  • -x509: This modifies the previous subcommand by telling the utility to output a self-signed certificate instead of the certificate signing request it would normally produce.
  • -nodes: This tells OpenSSL not to encrypt the private key with a passphrase (the passphrase protects the key, not the certificate). Apache must be able to read the key without user intervention when it starts, and an encrypted key would require the passphrase after every restart. The trade-off is that the key file's only protection is filesystem permissions, so it must be readable by root alone.
  • -days 365: This sets how long the certificate will be considered valid. We set it to one year here; nothing will warn you when it expires.
  • -newkey rsa:2048: This generates a new key and a new certificate at the same time. We did not create the key needed to sign the certificate in a previous step, so we create it together with the certificate. The rsa:2048 portion asks for an RSA key 2048 bits long.
  • -keyout: Where OpenSSL should write the generated private key.
  • -out: Where OpenSSL should write the certificate.

 

Running the command prompts for a series of questions about the server the certificate will be installed on. The Common Name is where the prompts take the hostname or IP address, but recent browsers match the host against the subjectAltName extension rather than the Common Name, and these prompts never ask for one.


Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Texas
Locality Name (eg, city) []: Austin
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Johnny, Inc
Organizational Unit Name (eg, section) []: Information Technology
Common Name (e.g. server FQDN or YOUR name) []: <server_IP_address>
Email Address []: someemail@johnny.com
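The whole certificate step above, run non-interactively and followed by the checks worth doing on the result, as an added example that is not part of the original page. The -subj string supplies the answers to the prompts, and -addext adds a subjectAltName (which needs OpenSSL 1.1.1 or newer). The output directory, hostname and IP address are placeholders passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the original page). The output directory, hostname
# and IP address are placeholders supplied by the caller.
set -eu

# gen_selfsigned OUTDIR HOST IP
# Same as the interactive command above, but -subj answers the prompts and
# -addext adds the subjectAltName that browsers actually match the host
# against (the prompts never ask for it). Needs OpenSSL 1.1.1 or newer.
gen_selfsigned() {
    outdir="$1"; host="$2"; ip="$3"
    mkdir -p "$outdir"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/C=US/ST=Texas/L=Austin/O=Johnny Inc/OU=Information Technology/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:$ip" \
        -keyout "$outdir/apache.key" -out "$outdir/apache.crt" 2>/dev/null
    # -nodes leaves the key unencrypted, so file permissions are its only protection.
    chmod 600 "$outdir/apache.key"
}

# cert_has_san CERT NAME: succeed if NAME (e.g. "DNS:www.example.com" or
# "IP Address:203.0.113.10") appears in the certificate's text dump.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# cert_valid_for CERT SECONDS: succeed if CERT does not expire within SECONDS.
# The certificate from the command above silently expires after 365 days;
# run this from cron to get warned before it does.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}
```

Typical use is gen_selfsigned /etc/ssl www.example.com 203.0.113.10 (as root, since /etc/ssl/private is root-only), then cert_has_san /etc/ssl/apache.crt DNS:www.example.com to confirm the name made it into the certificate.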

 

 

 

Configure Apache to use SSL

The certificate and key have now been created under /etc/ssl. The next step is to configure Apache to use them.

On RHEL-family systems, install the mod_ssl package and create or modify ssl.conf in the /etc/httpd/conf.d directory with the following configuration. On Debian and Ubuntu the equivalent file is /etc/apache2/sites-available/default-ssl.conf, enabled with a2enmod ssl and a2ensite default-ssl. The configuration below uses Debian conventions (${APACHE_LOG_DIR} comes from /etc/apache2/envvars, and /usr/lib/cgi-bin is the Debian CGI directory); on RHEL-family systems ${APACHE_LOG_DIR} is not defined, so use explicit paths under /var/log/httpd instead. Also confirm that the private key is readable only by root, since -nodes left it unencrypted.

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin someemail@johnny.com
                ServerName server_domain_or_IP
                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

                SSLCertificateFile      /etc/ssl/certs/apache.crt
                SSLCertificateKeyFile /etc/ssl/private/apache.key

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

        </VirtualHost>
</IfModule>
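The virtual host above works, but it leaves protocol and cipher selection at mod_ssl's defaults, which on older builds still allow TLS 1.0 and 1.1, and it leaves port 80 serving the site in the clear. The following is an added, hardened version of the same configuration (example config, not from the original page; the directive values are my choices, and the server_domain_or_IP placeholder is kept from the page). +TLSv1.3 is only accepted by Apache 2.4.36 or later built against OpenSSL 1.1.1 or later; drop it on older builds. Leave the Strict-Transport-Security header out until the server has a certificate browsers trust, because HSTS forces clients onto HTTPS and a self-signed certificate will then block them.

```apache
<VirtualHost *:80>
        ServerName server_domain_or_IP
        # Send every plain-HTTP request to the TLS site (mod_alias, loaded by default).
        Redirect permanent / https://server_domain_or_IP/
</VirtualHost>

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerName server_domain_or_IP
                DocumentRoot /var/www/html

                SSLEngine on
                SSLCertificateFile      /etc/ssl/certs/apache.crt
                SSLCertificateKeyFile /etc/ssl/private/apache.key

                # Only TLS 1.2 and 1.3; SSLv3, TLS 1.0 and TLS 1.1 are refused.
                SSLProtocol -all +TLSv1.2 +TLSv1.3
                # No anonymous (aNULL) or MD5-based suites, and the server's
                # preference order wins over the client's.
                SSLCipherSuite HIGH:!aNULL:!MD5
                SSLHonorCipherOrder on

                <IfModule mod_headers.c>
                        # Enable only once the certificate is CA-signed and trusted.
                        # Header always set Strict-Transport-Security "max-age=31536000"
                </IfModule>
        </VirtualHost>
</IfModule>
```

After changing SSLProtocol or SSLCipherSuite, run apachectl configtest before restarting: an unknown protocol token (such as +TLSv1.3 on an old build) is a configuration error that would otherwise stop the server from starting.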

 

 

Check the configuration with apachectl configtest, then restart Apache (systemctl restart apache2 on Debian/Ubuntu, systemctl restart httpd on RHEL-family) and test your changes by browsing to https://server_domain_or_IP/. A self-signed certificate produces a browser warning, because nothing the browser trusts has signed it; that is expected at this point.
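Restarting and testing from the command line, as an added example that is not part of the original page. apache_restart refuses to restart on a configuration that fails the syntax check, so a typo in ssl.conf cannot take the running site down, and tls_probe connects with openssl s_client and prints what certificate the server actually presents, which is a more reliable check than a browser screenshot. The service name (apache2 on Debian/Ubuntu, httpd on RHEL-family) and the host, port and CA file are arguments; none of them is specific to the page's server.

```shell
#!/bin/sh
# Added example (not from the original page). Service name, host, port and
# CA file are arguments supplied by the caller.
set -eu

# apache_restart SERVICE: syntax-check the configuration, then restart.
# SERVICE is apache2 (Debian/Ubuntu) or httpd (RHEL family).
apache_restart() {
    # configtest exits non-zero on a broken ssl.conf, so under set -e the
    # restart never runs and the currently running server stays up.
    sudo apachectl configtest
    sudo systemctl restart "$1"
}

# tls_probe HOST PORT [SNI]: open a TLS connection and print the subject and
# validity dates of the certificate the server presents. Exits non-zero if no
# handshake completes or no certificate comes back.
tls_probe() {
    host="$1"; port="$2"; sni="${3:-$1}"
    openssl s_client -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
}

# tls_verify HOST PORT CAFILE [SNI]: like tls_probe, but also require the
# presented chain to verify against CAFILE. For the self-signed certificate
# from this page, CAFILE is the certificate itself; for a CA-issued one it is
# the CA's root or intermediate bundle.
tls_verify() {
    openssl s_client -connect "$1:$2" -servername "${4:-$1}" -CAfile "$3" \
        -verify_return_error </dev/null >/dev/null 2>&1
}
```

For the page's setup: apache_restart httpd, then tls_probe server_domain_or_IP 443, and tls_verify server_domain_or_IP 443 /etc/ssl/certs/apache.crt to confirm the certificate being served is the one just created.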

 

Create your Certificate Signing Request

 

To generate the certificate signing request (CSR) from the key created above, enter the following command (the key is readable only by root, hence sudo):

sudo openssl req -new -key /etc/ssl/private/apache.key -out /etc/ssl/private/apache.csr

It asks the same questions as before; the Common Name should be the fully qualified domain name the certificate is for. The CSR contains only the public key and the requested names, signed with the private key, so it can be submitted to a Certificate Authority such as VeriSign without ever exposing the private key. The CA returns a signed certificate, usually together with one or more intermediate CA certificates that make up the chain.

 

Install the CA-issued certificate in the ssl configuration

The CSR itself is never referenced from the Apache configuration; it is only the request. Once the CA returns the signed certificate and its intermediate chain, point SSLCertificateFile at the issued certificate in place of the self-signed apache.crt, keep SSLCertificateKeyFile on the same key the CSR was made from, and give the intermediate bundle via SSLCertificateChainFile. The file names below are placeholders for whatever the CA delivers.

<VirtualHost _default_:443>
        . . .

        SSLCertificateFile      /etc/ssl/certs/apache-issued.crt
        SSLCertificateKeyFile   /etc/ssl/private/apache.key
        SSLCertificateChainFile /etc/ssl/certs/ca-intermediate.crt

        . . .
</VirtualHost>

On Apache 2.4.8 and later, SSLCertificateChainFile is deprecated: the intermediate certificates can instead be appended to the file named by SSLCertificateFile, server certificate first.
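The CSR step and the checks worth running on what the CA sends back, as an added example that is not part of the original page. make_csr builds the request with a subjectAltName (public CAs now require one; needs OpenSSL 1.1.1 or newer), check_csr confirms the request is well formed and names the right host before it is submitted, and verify_issued and key_matches_cert catch the two usual mistakes with the returned certificate (wrong chain file, or a certificate issued for a different key) before Apache is reconfigured. The directory, key path, hostname and file names are placeholders passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the original page). OUTDIR, KEY, HOST and the
# certificate file names are placeholders supplied by the caller.
set -eu

# make_csr OUTDIR KEY HOST: build OUTDIR/apache.csr for HOST from an existing
# private key, with the subjectAltName public CAs now require.
make_csr() {
    openssl req -new -key "$2" \
        -subj "/C=US/ST=Texas/L=Austin/O=Johnny Inc/CN=$3" \
        -addext "subjectAltName=DNS:$3" \
        -out "$1/apache.csr" 2>/dev/null
}

# check_csr CSR HOST: verify the CSR's self-signature and that it names HOST,
# before sending it anywhere.
check_csr() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# verify_issued CERT CAFILE: check that the certificate the CA sent back
# chains to CAFILE (the CA's root or intermediate bundle). A chain that fails
# here fails in every browser too, so run it before editing the Apache config.
verify_issued() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: the issued certificate must carry the public half
# of KEY; with a mismatch mod_ssl refuses to start. Both commands print the
# public key as PEM, so a plain string comparison is enough.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$k" = "$c" ]
}
```

With the page's paths: make_csr /etc/ssl/private /etc/ssl/private/apache.key www.example.com, then check_csr /etc/ssl/private/apache.csr www.example.com; after the CA replies, verify_issued and key_matches_cert against the returned files before pointing SSLCertificateFile at them.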

 

 

 

This should be enough to get Apache serving over SSL/TLS, first with the self-signed certificate and then with one issued by a CA.