Apache Secure Server Configuration

Red Hat EL 5

Configure Apache Secure Server

Generate a key pair with genkey (and optional CSR)

Generate a private / public key pair and optionally a Certificate Signing Request (CSR).

  • make sure the crypto-utils package is installed on the server
  • change to the directory /etc/pki/tls/certs
  • execute genkey for the desired domain name
# genkey www.example.com
  • Follow the prompts and choose to create a CSR if required (or create a self-signed certificate)
  • The private key will be generated under /etc/pki/tls/private
  • The public key (and CSR) will be generated under /etc/pki/tls/certs

Manually create a key / certificate pair

Create a private key manually with openssl

openssl genrsa 1024 > /etc/pki/tls/private/www.example.com.key

Create a certificate request

openssl req -new -key /etc/pki/tls/private/www.example.com.key -out /etc/pki/tls/certs/www.example.com.csr

Create a self-signed certificate

openssl req -new -x509 -nodes -sha1 -days 730 -key /etc/pki/tls/private/www.example.com.key > /etc/pki/tls/certs/www.example.com.crt

Configure Apache to use the SSL key / certificate

The steps to configure the Apache HTTP Server to use the new key are:

  • Obtain the signed certificate from the CA after submitting the CSR.
  • Copy the certificate to the path, for example /etc/pki/tls/certs/www.example.com.crt
  • Edit /etc/httpd/conf.d/ssl.conf and change the SSLCertificateFile and SSLCertificateKeyFile lines to:
SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

where the www.example.com part should match the argument passed to genkey

Remove passphrase from key (less secure)

Change to the directory where the private key is stored:

cd /etc/pki/tls/private/

It's a good idea to make a backup copy of the original key:

cp localhost.key localhost.key.org

Decrypt the key with openssl:

openssl rsa -in localhost.key -out new.key
Enter pass phrase for localhost.key:
writing RSA key

Replace the original key:

mv new.key localhost.key
overwrite `localhost.key'? y

You should be able to restart apache without entering the passphrase:

service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

SSL Virtual Host Example

<VirtualHost *:443>
  ServerName www.example.com:443
  ServerAlias example.com
  DocumentRoot /mnt/nas/srv/www/example.com/htdocs
  CustomLog logs/example.com-ssl-access_log combined
  ErrorLog logs/example.com-ssl-error_log
 
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
  SSLCertificateFile /etc/pki/tls/certs/example.com.crt
  SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
 
  SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
 
  CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 
</VirtualHost>

Until Red Hat EL 4

Create a private key for apache

Remove the fake keys installed during system setup:

rm /etc/httpd/conf/ssl.key/server.key
rm /etc/httpd/conf/ssl.crt/server.crt

Generate a private key with passphrase (standard):

make genkey

The script will prompt you for the passphrase (don't forget!) and CA details. The private key is stored under /etc/httpd/conf/ssl.key/server.key

Generate a private key without passphrase (not so secure):

/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key

The script will prompt you for the details about the CA. The private key is stored under /etc/httpd/conf/ssl.key/server.key

Make sure only root can read the private key:

chmod go-rwx /etc/httpd/conf/ssl.key/server.key

Generate a CSR with an existing key

  • use the openssl req tool to create the certificate signing request
openssl req -new -key example.com.key -out example.com.csr

Create a self-signed certificate

Change directory:

cd /usr/share/ssl/certs

Create the certificate:

Use the RedHat make command…

make testcert

… or create the certificate manually (in this example it will be valid for 2 years):

openssl req -new -x509 -nodes -sha1 -days 730 -key server.key > server.cert

If your private key has been created with a passphrase you have to enter it.

You also have to give the following information about your company and your host:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US      
State or Province Name (full name) [Berkshire]:North Carolina
Locality Name (eg, city) [Newbury]:Raleigh
Organization Name (eg, company) [My Company Ltd]:My Company, Inc.
Organizational Unit Name (eg, section) []:Documentation
Common Name (your name or server's hostname) []:myhost.example.com
Email Address []:myemail@example.com
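The manual key / CSR / self-signed certificate steps above (for both the RHEL 5 /etc/pki/tls layout and the RHEL 4 /etc/httpd/conf/ssl.* layout) can be driven from a script. The following is an added example, not code from the page: it wraps the same openssl commands in Python, makes them non-interactive with -subj, writes the key root-only from the start, and finishes with the check a practitioner wants before restarting httpd, namely that the key and certificate share the same RSA modulus. It assumes the openssl binary is on PATH; the hostname, directory and subject are parameters with constructed defaults, and it uses 2048-bit RSA and SHA-256 instead of the 1024-bit / SHA-1 values shown on the page.

```python
"""Added example (not from the page): key, CSR and self-signed certificate
via the openssl CLI, plus the key/certificate modulus check.  Assumes the
openssl binary is on PATH; paths, hostname and subject are parameters."""
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

OPENSSL = shutil.which("openssl")   # None when the CLI is not installed


def _openssl(*args):
    """Run one openssl subcommand and return its stdout (raises on error)."""
    if OPENSSL is None:
        raise RuntimeError("openssl CLI not found on PATH")
    return subprocess.run([OPENSSL, *args], check=True,
                          capture_output=True, text=True).stdout


def generate_key_csr_cert(directory, hostname, bits=2048, days=730, subject=None):
    """Create <hostname>.key / .csr / .crt in `directory`; return the paths.

    Same three steps as the page (genrsa, req -new, req -new -x509), but
    non-interactive via -subj.  The key is created under umask 077 and then
    chmod 600, i.e. the page's `chmod go-rwx` applied from the start."""
    directory = Path(directory)
    key = directory / f"{hostname}.key"
    csr = directory / f"{hostname}.csr"
    crt = directory / f"{hostname}.crt"
    subj = subject or f"/CN={hostname}"   # constructed default subject

    old_umask = os.umask(0o077)           # never leave the key group/world-readable
    try:
        _openssl("genrsa", "-out", str(key), str(bits))
    finally:
        os.umask(old_umask)
    os.chmod(key, 0o600)

    _openssl("req", "-new", "-key", str(key), "-out", str(csr), "-subj", subj)
    _openssl("req", "-new", "-x509", "-sha256", "-days", str(days),
             "-key", str(key), "-out", str(crt), "-subj", subj)
    return key, csr, crt


def rsa_modulus(path, kind):
    """Modulus printed by `openssl rsa|x509 -noout -modulus -in <path>`."""
    out = _openssl(kind, "-noout", "-modulus", "-in", str(path))
    return out.strip().split("=", 1)[1]


def key_matches_cert(key_path, cert_path):
    """True when SSLCertificateKeyFile and SSLCertificateFile share a modulus.

    A pair that does not match (easy to get when filenames differ, e.g.
    example.com.key beside www.example.com.crt) stops httpd from starting,
    so run this before `service httpd restart`."""
    return rsa_modulus(key_path, "rsa") == rsa_modulus(cert_path, "x509")


def demo(hostname="www.example.com"):
    """Run the procedure in a temporary directory and return the checks as a
    dict, or None when openssl is not installed."""
    if OPENSSL is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        key, csr, crt = generate_key_csr_cert(tmp, hostname)
        # a second, unrelated key whose certificate must NOT match the first
        _, _, other_crt = generate_key_csr_cert(tmp, "other.example.com")
        return {
            "key_mode": oct(os.stat(key).st_mode & 0o777),
            "csr_pem": csr.read_text().startswith("-----BEGIN CERTIFICATE REQUEST-----"),
            "crt_pem": crt.read_text().startswith("-----BEGIN CERTIFICATE-----"),
            "pair_matches": key_matches_cert(key, crt),
            "mismatch_detected": not key_matches_cert(key, other_crt),
        }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the result dict. The modulus comparison in key_matches_cert is the same test as running `openssl rsa -noout -modulus` and `openssl x509 -noout -modulus` by hand and comparing the output; for a CA-signed certificate, run it against the returned .crt once the CA has sent it back.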

Virtual Host Configuration

Make sure both private and public key are referenced in your httpd config, like in the following example:

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again. A test
#   certificate can be generated with `make certificate' under
#   built time. Keep in mind that if you've both a RSA and a DSA
#   certificate you can configure both in parallel (to also allow
#   the use of DSA ciphers, etc.
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
 
#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
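The directives shown in the ssl.conf fragment above, in the RHEL 5 SSL Virtual Host Example, and in the "Remove passphrase from key" and "Make sure only root can read the private key" steps are the ones worth checking before a restart. The following is an added example, not code from the page or from Apache: a read-only audit that parses a vhost fragment, applies the SSLProtocol all/+/- arithmetic, looks for weak keywords in SSLCipherSuite, warns when SSLCertificateFile and SSLCertificateKeyFile are named for different hosts, and reports a key file that is stored without a passphrase or is readable by group/other. It uses only the standard library; SAMPLE_VHOST is the page's own vhost example trimmed and embedded as test input, and the finding codes and the placeholder key in demo() are constructed.

```python
"""Added example (not from the page): audit the SSL directives of one Apache
vhost fragment for the hardening points the page makes.  Stdlib only."""
import re
import tempfile
from pathlib import Path

# What mod_ssl 2.2 (RHEL 5) means by the keyword "all"; 2.4 drops SSLv2.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
_CANON = {p.lower(): p for p in ALL_PROTOCOLS}
# OpenSSL cipher-string keywords that select broken or unauthenticated suites.
WEAK_CIPHER_WORDS = {"LOW", "EXPORT", "EXP", "RC4", "ADH", "aNULL", "eNULL",
                     "NULL", "DES", "3DES", "MD5", "SSLv2"}

SAMPLE_VHOST = r"""
<VirtualHost *:443>
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
  SSLCertificateFile /etc/pki/tls/certs/example.com.crt
  SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
  CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
"""


def parse_directives(text):
    """[(name, value)] per directive, names lower-cased (Apache is case-insensitive).
    Folds backslash continuations, drops '#' comments and <VirtualHost> tags."""
    text = re.sub(r"\\\n\s*", " ", text)
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        out.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return out


def enabled_protocols(spec):
    """Apply SSLProtocol's all / +proto / -proto arithmetic left to right."""
    enabled = set()
    for token in spec.split():
        name = token.lstrip("+-")
        names = ALL_PROTOCOLS if name.lower() == "all" else {_CANON.get(name.lower(), name)}
        enabled = enabled - names if token.startswith("-") else enabled | names
    return enabled


def weak_cipher_words(spec):
    """Weak keywords an SSLCipherSuite string selects and never bans with '!'.
    Lexical only: 'RC4+RSA' is split on '+' as OpenSSL does, '-X' tokens are
    skipped (they can be re-added later), and LOW arriving implicitly via ALL
    is caught only when also named.  `openssl ciphers -v` is authoritative."""
    selected, banned = set(), set()
    for token in spec.split(":"):
        if token.startswith("!"):
            banned.update(token[1:].split("+"))
        elif not token.startswith("-"):
            selected.update(token.lstrip("+").split("+"))
    return (selected & WEAK_CIPHER_WORDS) - banned


def audit_key_file(path):
    """Mode and passphrase state of a private key file as (code, message)."""
    p = Path(path)
    if not p.is_file():
        return [("KEY_MISSING", f"{path}: not found")]
    findings = []
    mode = p.stat().st_mode & 0o777
    encrypted = "ENCRYPTED" in p.read_text(errors="replace")  # PKCS#8 or Proc-Type header
    if mode & 0o077:
        findings.append(("KEY_PERMS", f"{path}: mode {oct(mode)} grants group/other access; chmod 600"))
    if not encrypted:
        findings.append(("KEY_NO_PASSPHRASE", f"{path}: no passphrase, so it must stay root-only"))
    return findings


def audit_vhost(text, check_files=True):
    """All findings for one vhost fragment as a list of (code, message)."""
    d = dict(parse_directives(text))   # last occurrence wins, as in Apache
    findings = []
    if d.get("sslengine", "off").lower() != "on":
        findings.append(("SSL_OFF", "SSLEngine is not on"))
    weak = enabled_protocols(d.get("sslprotocol", "all")) & WEAK_PROTOCOLS
    if weak:
        findings.append(("WEAK_PROTOCOL", "enabled: " + ", ".join(sorted(weak))))
    if "sslciphersuite" not in d:
        findings.append(("CIPHERS_DEFAULT", "SSLCipherSuite unset; mod_ssl's built-in default applies"))
    elif weak_cipher_words(d["sslciphersuite"]):
        findings.append(("WEAK_CIPHER", "selected: " + ", ".join(sorted(weak_cipher_words(d["sslciphersuite"])))))
    cert, key = d.get("sslcertificatefile"), d.get("sslcertificatekeyfile")
    if not (cert and key):
        findings.append(("CERT_OR_KEY_UNSET", "SSLCertificateFile / SSLCertificateKeyFile missing"))
    else:
        if Path(cert).stem != Path(key).stem:
            findings.append(("NAME_MISMATCH", f"{cert} vs {key}: confirm the pair with openssl -modulus"))
        if check_files:
            findings.extend(audit_key_file(key))
    return findings


def demo():
    """Audit a constructed, otherwise hardened vhost whose key is a plaintext
    placeholder left at mode 644 and named differently from the cert."""
    with tempfile.TemporaryDirectory() as tmp:
        key = Path(tmp) / "www.example.com.key"
        key.write_text("-----BEGIN RSA PRIVATE KEY-----\nplaceholder, not a real key\n"
                       "-----END RSA PRIVATE KEY-----\n")
        key.chmod(0o644)
        vhost = (f"<VirtualHost *:443>\n  SSLEngine on\n  SSLProtocol -all +TLSv1.2\n"
                 f"  SSLCipherSuite HIGH:!aNULL:!MD5:!RC4\n"
                 f"  SSLCertificateFile {tmp}/example.com.crt\n"
                 f"  SSLCertificateKeyFile {key}\n</VirtualHost>\n")
        return sorted(code for code, _ in audit_vhost(vhost))


if __name__ == "__main__":
    for code, msg in audit_vhost(SAMPLE_VHOST, check_files=False):
        print(code, "-", msg)
    print(demo())
```

Run against the page's own vhost (check_files=False because the paths are not on this machine) it reports WEAK_PROTOCOL for SSLv3 / TLSv1 / TLSv1.1, which `all -SSLv2` still allows, and WEAK_CIPHER for the RC4 and LOW keywords in the cipher string; audit_key_file is the check to run on a key after the passphrase-removal step, since a key that httpd can read without a prompt must not be readable by anyone else.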

Restart Apache

Restart apache in order to enable the new certificate:

service httpd restart
/srv/wiki.niwos.com/data/pages/apache/enable_ssl_with_openssl.txt · Last modified: 2009/08/15 12:14 (external edit)