Tuesday, June 30, 2015

Apache – SSL Configuration

SSL is a protocol for cryptographically securing transactions between a web browser and a web server. In most cases, only the server end is authenticated, which means that the client has a guarantee that the server is who it claims to be. However, once the connection is established, both ends are secure, as only the client and the server have access to the key material. This makes sense, since for many transactions the server doesn't care who the client is, as long as it stays the same client throughout the transaction. In this article we will see how to configure Apache with SSL.

1) Create the Server Key, CSR, and Certificate

[root@localhost work]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:AP
Locality Name (eg, city) [Default City]:HYD
Organization Name (eg, company) [Default Company Ltd]:NOVA
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:Common Name
Email Address []:common@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:jagadesh1982
An optional company name []:MOVA

Now we can see that ca.csr, ca.key, and domain.key have been created.

2) Create a Certificate

[root@localhost work]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=IN/ST=AP/L=HYD/O=NOVA/OU=IT/CN=Common Name/emailAddress=common@gmail.com
Getting Private key

Now we can see that ca.crt has been created.

3) Copy the files

[root@localhost work]# cp ca.crt /etc/pki/tls/certs/
[root@localhost work]# cp ca.key /etc/pki/tls/private/ca.key
[root@localhost work]# cp ca.csr /etc/pki/tls/private/ca.csr

4) Now make the following changes to the Apache configuration file httpd.conf:

# Site URL: https://myproject.local:2443/
Listen 2443

LoadModule ssl_module modules/mod_ssl.so
<VirtualHost *:2443>
 
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
  
    DocumentRoot /var/www/virtual/www.sam1.com/html/
    ServerName myproject.local
    ErrorLog logs/dummy-www.sam1.com-error_log
    CustomLog logs/dummy-www.sam1.com-access_log common

    <Directory "/var/www/virtual/www.sam1.com/html/">
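        # Start from no options, then enable only FollowSymLinks and MultiViews
        Options None
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        # Apache 2.4 access control
        Require all granted
        # Apache 2.2 syntax; on 2.4 it needs mod_access_compat loaded
        Allow from all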
    </Directory>

</VirtualHost>

The most important lines are the ones below, which tell Apache where the key and certificate files are:
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key

The other important line is
LoadModule ssl_module modules/mod_ssl.so

Make sure we load the module before doing anything else. Now restart the Apache server and access https://myproject.local:2443/. Because the certificate is self-signed, the browser will ask you to confirm the certificate. Accept the certificate to connect to the server.
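
Steps 1 to 3 can be run without prompts, and the resulting files checked before Apache is restarted. The script below is an added example, not part of the original post; it covers the key generation, CSR and self-signing steps and then verifies that the key and certificate configured in the virtual host belong together. The function names, the 2048-bit RSA key size and the choice of CN are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Function names, the 2048-bit
# RSA key size and the CN passed in are assumptions.

# Steps 1-2: create key, CSR and a 365-day self-signed certificate in dir $1.
make_selfsigned() {
    dir=$1; cn=$2
    ( umask 077; openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$dir/ca.key" -out "$dir/ca.csr" \
        -subj "/C=IN/ST=AP/L=HYD/O=NOVA/OU=IT/CN=$cn" 2>/dev/null || return 1
    openssl x509 -req -days 365 -in "$dir/ca.csr" \
        -signkey "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# True only if certificate $2 contains the public key of private key $1.
# Fails if either file is not what its name claims (e.g. a CSR or a wrong key).
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# True only if the key file grants no access to group or others.
key_is_private() {
    case $(ls -ld "$1" 2>/dev/null) in
        -r[-w]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all checks on the files named by SSLCertificateKeyFile ($1) and
# SSLCertificateFile ($2) before restarting Apache.
preflight() {
    key_matches_cert "$1" "$2" || { echo "key and certificate do not match" >&2; return 1; }
    key_is_private "$1"        || { echo "key readable by group/others" >&2; return 1; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null \
                               || { echo "certificate has expired" >&2; return 1; }
}

# Usage: sh preflight.sh /etc/pki/tls/private/ca.key /etc/pki/tls/certs/ca.crt
if [ $# -eq 2 ]; then preflight "$1" "$2"; fi
```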

Hope this helps. More to come.
