Setting up SSL on a Linux server
Required tools
- openssl
- a user with sudo privileges
- Apache web server
Create the SSL Certificate
To create the self-signed certificate, enter the following command
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/ssl/private/apache.key -out /etc/ssl/certs/apache.crt
- openssl: This is the basic command line tool for creating and managing OpenSSL certificates, keys, and other files.
- req: This subcommand specifies that we want to use X.509 certificate signing request (CSR) management. X.509 is the public key infrastructure standard that SSL and TLS adhere to for key and certificate management. We want to create a new X.509 cert, so we are using this subcommand.
- -x509: This further modifies the previous subcommand by telling the utility that we want to make a self-signed certificate instead of generating a certificate signing request, as would normally happen.
- -nodes: This tells OpenSSL not to encrypt the private key with a passphrase. We need Apache to be able to read the key file, without user intervention, when the server starts up. A passphrase would prevent this because we would have to enter it after every restart.
- -days 365: This option sets the length of time that the certificate will be considered valid. We set it for one year here.
- -newkey rsa:2048: This specifies that we want to generate a new certificate and a new key at the same time. We did not create the key that is required to sign the certificate in a previous step, so we need to create it along with the certificate. The rsa:2048 portion tells it to make an RSA key that is 2048 bits long.
- -keyout: This line tells OpenSSL where to place the generated private key file that we are creating.
- -out: This tells OpenSSL where to place the certificate that we are creating.
Running the command prompts a series of questions about the server the certificate will be installed on.
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Texas
Locality Name (eg, city) []: Austin
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Johnny, Inc
Organizational Unit Name (eg, section) []: Information Technology
Common Name (e.g. server FQDN or YOUR name) []: <server_IP_address>
Email Address []: someemail@johnny.com
Configure Apache to use SSL
The certificate and key have now been created under the /etc/ssl directory. The next step is to configure Apache to use them for SSL.
Create or modify ssl.conf in the /etc/httpd/conf.d directory with the following configuration. Note that ${APACHE_LOG_DIR} is defined by the Debian and Ubuntu Apache packages; on a RHEL-style system that uses /etc/httpd, give the log paths explicitly (for example /var/log/httpd/error.log), otherwise Apache will refuse to start.
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin someemail@johnny.com
ServerName server_domain_or_IP
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/apache.crt
SSLCertificateKeyFile /etc/ssl/private/apache.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
Restart Apache and test your changes.
Create your Certificate Signing Request
To generate the certificate signing request (CSR), enter the following command. The private key is only readable by root, so run it with sudo.
sudo openssl req -new -key /etc/ssl/private/apache.key -out /etc/ssl/private/apache.csr
The CSR file can be submitted to a Certificate Authority like VeriSign.
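The certificate creation and CSR steps above, as an added example that is not part of the original guide: it runs the same openssl commands non-interactively (answering the prompts with -subj and adding a subjectAltName, which browsers require for hostname matching), then checks that the key and certificate actually belong together before Apache is restarted. Directory, hostname and subject values are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. Paths, hostname and the
# subject fields are assumed values; adjust them for your server.

# Create key + self-signed cert in $1 for host $2 without the interactive
# prompts. -subj supplies the answers the guide types in; -addext adds a
# SAN (OpenSSL 1.1.1+), since browsers ignore the CN for name matching.
make_selfsigned() {
    dir="$1"; host="$2"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/C=US/ST=Texas/L=Austin/O=Johnny Inc/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/apache.key" -out "$dir/apache.crt" 2>/dev/null
    chmod 600 "$dir/apache.key"   # the private key must not be world-readable
}

# Return 0 if private key $1 and certificate $2 carry the same public key.
# A mismatched pair is the usual reason Apache fails to start after a renewal.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl md5)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl md5)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 if certificate $1 will still be valid $2 days from now
# (useful as a cron check so the one-year cert does not expire unnoticed).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Generate a CSR for host $2 from existing key $1, written to $3.
make_csr() {
    openssl req -new -key "$1" -subj "/C=US/ST=Texas/O=Johnny Inc/CN=$2" \
        -addext "subjectAltName=DNS:$2" -out "$3" 2>/dev/null
}
```

Run make_selfsigned and key_matches_cert against /etc/ssl/certs and /etc/ssl/private (as root) to reproduce the guide's layout; a failing key_matches_cert means the key or certificate file was overwritten out of step.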
Install the CA-issued certificate in the SSL configuration
Apache never reads the CSR; it is only the request you send to the CA. When the CA returns the signed certificate, install it in place of the self-signed apache.crt and point SSLCertificateChainFile at the intermediate chain file the CA provides (the chain path below is a placeholder).
<VirtualHost _default_:443>
. . .
SSLCertificateFile /etc/ssl/certs/apache.crt
SSLCertificateKeyFile /etc/ssl/private/apache.key
SSLCertificateChainFile /etc/ssl/certs/ca-chain.crt
. . .
</VirtualHost>
On Apache 2.4.8 and later SSLCertificateChainFile is deprecated; the intermediate certificates can instead be appended to the file given to SSLCertificateFile.
This should help with configuring Apache for SSL.