Set up Apache with TLS/SSL Support

By | March 16, 2016

If you haven't set up Apache yet, see our article on how to install Apache for web services.

Guide to Set up Apache with TLS/SSL Support

# cp /var/log/boot.log /usr/share/ssl/random1
# cp /var/log/cron /usr/share/ssl/random2
# cp /var/log/dmesg /usr/share/ssl/random3
# cp /var/log/messages /usr/share/ssl/random4
# cp /var/log/secure /usr/share/ssl/random5
# cd /usr/share/ssl
# openssl genrsa -rand random1:random2:random3:random4:random5 -out www.key 1024

Produce a Certificate Signing Request (CSR)

# openssl req -new -key www.key -out www.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:CA
State or Province Name (full name) [Some-State]:BC
Locality Name (eg, city) [Some-Locality]:Penticton
Organization Name (eg, company) [Some-Organization Ltd]:Domain Inc.
Organizational Unit Name (eg, section) [Some-Organizational]:Web Hosting
Common Name (eg, YOUR name) [www.domain.com]:www.domain.com
Email Address [admin@domain.com]:root@localhost
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Normally we would send this CSR to a commercial Certificate Authority such as Verisign or GeoTrust. However, if you already have a fully signed certificate on the existing server, you can use that as well.

In this example I will use an existing certificate.

# openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
..........................++++++
..........................................++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:<testing>
Verifying - Enter pass phrase for ca.key:<testing>
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:CA
State or Province Name (full name) [Some-State]:BC
Locality Name (eg, city) [Some-Locality]:SomeCity
Organization Name (eg, company) [Some-Organization Ltd]:Domain Inc
Organizational Unit Name (eg, section) [Some-Organizational]:Cert Division
Common Name (eg, YOUR name) [www.domain.com]:www.domain.com
Email Address [admin@domain.com]:root@domain.com
# mv www.key private/
# mv ca.key private/
# mv ca.crt certs/
# /usr/share/ssl/misc/sign www.csr
CA signing: www.csr -> www.crt:
Using configuration from ca.config
Enter pass phrase for /usr/share/ssl/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CA'
stateOrProvinceName :PRINTABLE:'BC'
localityName :PRINTABLE:'SomeCity'
organizationName :PRINTABLE:'Domain Inc'
organizationalUnitName:PRINTABLE:'Web Hosting'
commonName :PRINTABLE:'www.domain.com'
emailAddress :IA5STRING:'root@localhost'
Certificate is to be certified until Jan 7 16:53:26 2005 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: www.crt <-> CA cert
www.crt: OK


# rm -f www.csr
# chmod 750 /usr/share/ssl/private/
# chmod 400 /usr/share/ssl/certs/ca.crt
# chmod 400 /usr/share/ssl/certs/www.crt
# chmod 400 /usr/share/ssl/private/ca.key
# chmod 400 /usr/share/ssl/private/www.key
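The same sequence as above (server key, CSR, private CA, signing, lock-down), followed by a check that www.crt really matches www.key and chains to ca.crt, as an added example that is not part of the original article. It uses plain openssl commands in place of the mod_ssl sign helper, 2048-bit keys, an unencrypted CA key so it runs non-interactively, and the directory passed as its first argument in place of /usr/share/ssl; those choices and the DN values are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own commands: key -> CSR -> private CA -> signed cert,
# using openssl alone instead of /usr/share/ssl/misc/sign, then checking the result.
# Assumptions: openssl 1.1+ on PATH; "$1" replaces /usr/share/ssl; 2048-bit keys;
# the CA key is left unencrypted so the run is non-interactive (the article uses -des3).
set -eu

make_ca_and_server_cert() {
    dir="$1"; cn="$2"
    mkdir -p "$dir/private" "$dir/certs"
    chmod 750 "$dir/private"
    # 1. Server key and CSR; the DN values are constructed, mirroring the article.
    openssl genrsa -out "$dir/private/www.key" 2048 2>/dev/null
    openssl req -new -key "$dir/private/www.key" -out "$dir/www.csr" \
        -subj "/C=CA/ST=BC/L=Penticton/O=Domain Inc/OU=Web Hosting/CN=$cn"
    # 2. Private CA: key plus self-signed certificate, 365 days as in the article.
    openssl genrsa -out "$dir/private/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/private/ca.key" -out "$dir/certs/ca.crt" \
        -subj "/C=CA/ST=BC/L=SomeCity/O=Domain Inc/OU=Cert Division/CN=Domain Inc CA"
    # 3. Sign the CSR with the CA (what the sign helper script did).
    openssl x509 -req -days 365 -in "$dir/www.csr" -CA "$dir/certs/ca.crt" \
        -CAkey "$dir/private/ca.key" -CAcreateserial -out "$dir/certs/www.crt" 2>/dev/null
    rm -f "$dir/www.csr"
    # 4. Lock the files down as the article does.
    chmod 400 "$dir/private/ca.key" "$dir/private/www.key" \
              "$dir/certs/ca.crt" "$dir/certs/www.crt"
}

# Returns 0 only if www.key matches www.crt (same RSA modulus) and www.crt chains to ca.crt.
check_cert_and_key() {
    dir="$1"
    key_mod=$(openssl rsa -noout -modulus -in "$dir/private/www.key" | openssl sha256)
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/certs/www.crt" | openssl sha256)
    [ "$key_mod" = "$crt_mod" ] || { echo "www.key does not match www.crt" >&2; return 1; }
    openssl verify -CAfile "$dir/certs/ca.crt" "$dir/certs/www.crt" >/dev/null
}

# Usage: sh make_certs.sh /usr/share/ssl www.domain.com
if [ -n "${1:-}" ]; then
    make_ca_and_server_cert "$1" "${2:-www.domain.com}"
    check_cert_and_key "$1" && echo "www.crt matches www.key and verifies against ca.crt"
fi
```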


# vi /etc/sysconfig/httpd

remove the # from the line that reads:
OPTIONS="-DSSL"


# vi /etc/httpd/conf/httpd.conf

Uncomment the line:
# LoadModule ssl_module modules/mod_ssl.so


# vi +110 /etc/httpd/conf/ssl.conf

Change
#SSLCertificateFile /etc/httpd/conf/ssl.crt/server-dsa.crt
to
SSLCertificateFile /usr/share/ssl/certs/www.crt
Several lines down change
#SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server-dsa.key
to
SSLCertificateKeyFile /usr/share/ssl/private/www.key


# vi +92 /etc/httpd/conf/ssl.conf

Change log directories to correct locations:
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log


# vi +243 /etc/httpd/conf/ssl.conf

Change line to read:
CustomLog /var/log/httpd/ssl_request_log \


# vi +62 /etc/httpd/conf/ssl.conf

Change line to read:
SSLMutex

Restart Apache

# /etc/init.d/httpd restart


If you receive any errors, check /var/log/httpd/error_log.
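A pre-restart check for the ssl.conf edits above, as an added example that is not part of the original article: it confirms that SSLCertificateFile and SSLCertificateKeyFile are uncommented, that both files exist, and that the key is readable only by its owner, so a path typo is caught before httpd is restarted. It assumes GNU stat (Linux) and takes the config path as its first argument.

```shell
#!/bin/sh
# Added example, not from the article: sanity-check ssl.conf before restarting httpd.
# Assumes GNU coreutils stat (on BSD use stat -f %Lp instead of stat -c %a).

# Print the first uncommented value of directive $2 in file $1 (empty if none).
directive_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n1
}

# Returns 0 when ssl.conf points at an existing certificate and a key with mode 400 or 600.
check_ssl_conf() {
    conf="$1"
    crt=$(directive_value "$conf" SSLCertificateFile)
    key=$(directive_value "$conf" SSLCertificateKeyFile)
    [ -n "$crt" ] || { echo "SSLCertificateFile missing or still commented out" >&2; return 1; }
    [ -n "$key" ] || { echo "SSLCertificateKeyFile missing or still commented out" >&2; return 1; }
    [ -f "$crt" ] || { echo "certificate not found: $crt" >&2; return 1; }
    [ -f "$key" ] || { echo "key not found: $key" >&2; return 1; }
    mode=$(stat -c %a "$key")
    case "$mode" in
        400|600) ;;
        *) echo "key $key has mode $mode; expected 400 (chmod 400 $key)" >&2; return 1 ;;
    esac
    echo "ssl.conf OK: cert=$crt key=$key"
}

# Usage: sh check_ssl_conf.sh /etc/httpd/conf/ssl.conf
if [ -n "${1:-}" ]; then
    check_ssl_conf "$1"
fi
```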
