Apache is one of the most widely deployed web servers on the internet. In this tutorial we will first set up Apache with a self-signed certificate and then with a certificate signed by a trusted Certificate Authority (CA). The steps involved in deploying SSL are: generating the private key, creating a certificate signing request (CSR), having a CA sign that CSR to produce the signed certificate (which carries the public key), and configuring Apache to use the key and the certificate.
SSL relies on a public and a private key. The private key must be kept secret and stored only on the Apache server, while the public key is distributed freely to anyone; that is why it is called the public key. These keys are used to encrypt and decrypt data passing between a client and a server communicating over SSL (normally seen as https in the address bar of a browser). This kind of security is called asymmetric cryptography or Public Key Infrastructure (PKI) because of the two different halves (the public and private keys) that together make the communication possible. Apache uses OpenSSL to encrypt and decrypt communication with a client, and it interfaces with OpenSSL through the mod_ssl module.
1. Install Apache (if not already installed) and mod_ssl
yum install httpd mod_ssl
2. Create private key
First we need a private key. We will put our key and certificate in /etc/httpd/conf/ssl, so run the following commands:
mkdir /etc/httpd/conf/ssl
cd /etc/httpd/conf/ssl
The command below creates a 1024-bit RSA key and saves it in the file linuxgravity.com.key in the current directory.
openssl genrsa -out linuxgravity.com.key 1024
Generating RSA private key, 1024 bit long modulus
.......................................++++++
........++++++
e is 65537 (0x10001)
3. Create CSR from the private key
Now we will create a CSR from the key we created in step 2. The CSR has to be signed by a CA, which can either be one set up locally on the server or a third party such as Verisign or Thawte. A local CA will not be trusted by clients because it is unknown to them, whereas a third-party CA is trusted by all client browsers.
During CSR generation a couple of questions are asked; the answers become the X.509 Distinguished Name (DN) attributes of the certificate. Pay special attention to the Common Name, which MUST be the fully qualified domain name of the web server, e.g. localhost.
openssl req -new -key linuxgravity.com.key -out linuxgravity.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CA
State or Province Name (full name) [Berkshire]:Quebec
Locality Name (eg, city) [Newbury]:Montreal
Organization Name (eg, company) [My Company Ltd]:Linuxgravity Inc.
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:admin@linuxgravity.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
4. Self-sign the CSR
Now we need to sign the CSR created in step 3 with our local CA, which results in a certificate (containing the public key). This certificate is presented to browsers when they request an SSL connection. Since they have no information about our local CA, they will warn that the certificate is untrusted. If we accept the untrusted certificate, data moving between client and server will still be encrypted. We will generate a certificate that is valid for 365 days, is signed with the private key created earlier, and is saved as linuxgravity.com.crt.
openssl x509 -req -days 365 -in linuxgravity.com.csr -signkey linuxgravity.com.key -out linuxgravity.com.crt
Signature ok
subject=/C=CA/ST=Quebec/L=Montreal/O=Linuxgravity Inc./OU=IT/CN=localhost/emailAddress=admin@linuxgravity.com
Getting Private key
If you run ls -l /etc/httpd/conf/ssl/ at this point, you will see three files:
ls -l /etc/httpd/conf/ssl/
total 12
-rw-r--r-- 1 root root 1005 Aug 18 17:29 linuxgravity.com.crt
-rw-r--r-- 1 root root  729 Aug 17 22:49 linuxgravity.com.csr
-rw-r--r-- 1 root root  887 Aug 17 22:44 linuxgravity.com.key
If you are unsure which file is which, the extensions identify them.
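The same three steps (key, CSR, self-signed certificate) done non-interactively with the DN supplied on the command line, followed by the checks worth running before Apache ever sees the files. This is an added example, not a command from the tutorial: it writes to a directory you pass in rather than /etc/httpd/conf/ssl, uses a 2048-bit key where the tutorial used 1024 (1024-bit RSA is no longer considered adequate), and creates the key with owner-only permissions because the listing above shows the key as world-readable. It assumes OpenSSL and GNU stat are installed; the file names and the Common Name are parameters.

```shell
#!/bin/sh
# Added example, not from the original tutorial: steps 2-4 done non-interactively,
# followed by the checks a practitioner runs before handing the files to Apache.
# Assumptions: OpenSSL and GNU stat are installed; files are written to the directory
# passed as $1 (not /etc/httpd/conf/ssl); the DN fields are the ones the tutorial typed
# at the prompts, with the Common Name taken from $3.

make_selfsigned() {
    dir="$1"; name="$2"; cn="$3"
    mkdir -p "$dir"
    # Create the key unreadable to anyone but the owner from the start (this umask
    # stays in effect for the rest of the script). The tutorial's listing shows the
    # key as -rw-r--r--, which lets every local user read it.
    umask 077
    # 2048-bit modulus: the tutorial uses 1024, which is below today's minimum.
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    # -subj answers the DN prompts on the command line, so nothing is asked interactively.
    openssl req -new -batch -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/C=CA/ST=Quebec/L=Montreal/O=Linuxgravity Inc./OU=IT/CN=$cn/emailAddress=admin@$cn"
    # Self-sign the request with the same key, valid for 365 days as in the tutorial.
    openssl x509 -req -days 365 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
        -out "$dir/$name.crt" 2>/dev/null
}

# A certificate is only usable with the key whose public half it carries: compare moduli.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1")
    c=$(openssl x509 -noout -modulus -in "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the Common Name from the certificate subject (handles both the old
# "/CN=x/..." and the newer "CN = x, ..." formats that openssl prints).
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# A self-signed certificate verifies against itself as the only trust anchor; this is
# what a browser does once you accept the warning and add an exception.
verify_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Octal permission bits of a file (GNU stat, as on the RHEL/CentOS systems the tutorial targets).
file_mode() {
    stat -c %a "$1"
}

if [ "${1:-}" = "run" ]; then
    # Usage: sh selfsigned.sh run   (writes into ./ssl-test)
    make_selfsigned ./ssl-test linuxgravity.com localhost
    key_matches_cert ./ssl-test/linuxgravity.com.key ./ssl-test/linuxgravity.com.crt && echo "key matches certificate"
    echo "CN: $(cert_cn ./ssl-test/linuxgravity.com.crt)"
    echo "key mode: $(file_mode ./ssl-test/linuxgravity.com.key)"
    verify_self_signed ./ssl-test/linuxgravity.com.crt && echo "self-signed certificate verifies"
fi
```

The modulus comparison is the quickest way to catch the classic mistake of pairing a freshly generated key with a certificate issued for an older one; Apache would refuse to start, but it is better to learn that before the restart in step 6.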
5. Change the location of the private key and self-signed certificate in /etc/httpd/conf.d/ssl.conf
Add the following to the end of the httpd.conf file or inside the <VirtualHost> directives of your virtual host configuration file (on RHEL/CentOS the mod_ssl package ships /etc/httpd/conf.d/ssl.conf with an SSL virtual host already defined, whose SSLCertificateFile and SSLCertificateKeyFile lines can be edited instead):
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl/linuxgravity.com.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl/linuxgravity.com.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
The above lines enable SSL and tell Apache the location of the private key and certificate files; the last line works around known issues with Internet Explorer.
6. Restart Apache
service httpd restart
7. Test HTTPS
Check whether Apache is listening on port 443:
netstat -tpan | grep 443
OpenSSL can also be used to test the SSL connection:
openssl s_client -connect localhost:443 -state -debug
Finally, use a browser such as Firefox to check the SSL connection: in the address bar, type https://localhost
Since we are using a certificate signed by our local CA, we will see the following warning:
Clicking Add Exception takes us to the exception dialog.
If we now click Get Certificate, we see more information about the certificate.
The actual certificate can be seen by clicking View, revealing the data we entered while creating the CSR.
8. Obtaining and installing a certificate signed by a trusted third party
If you want a trusted certificate from a third party, omit step 4 and submit the resulting CSR to a trusted certificate signing authority such as Verisign, Thawte or GoDaddy. They will return a zip file containing the .crt file (and usually an intermediate CA file). Unzip it somewhere and copy the contents to /etc/httpd/conf/ssl/. Assuming we received a file named bundle.zip:
unzip bundle.zip
cd bundle
cp * /etc/httpd/conf/ssl/
cd /etc/httpd/conf/ssl/
Rename the certificate file to linuxgravity.com.crt and the intermediate CA file to linuxgravity.com-chain.crt.
Perform step 5, and also replace
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
with
SSLCertificateChainFile /etc/httpd/conf/ssl/linuxgravity.com-chain.crt
Perform steps 6 and 7.
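Before the restart in step 6, it is worth checking that the directives from steps 5 and 8 actually fit together: that the key is private, that the key and certificate belong to each other, that the certificate has not expired, and that the chain file really leads from the server certificate to a root the client trusts. The script below is an added example, not part of the tutorial: it reads SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile from a config file you name, runs those checks with OpenSSL, and (for step 7) prints the fingerprint of the certificate a live server presents so it can be compared with the file on disk. It assumes OpenSSL and GNU stat are installed and that the directives are written one per line as in ssl.conf; the optional trust-anchor argument stands in for the client's CA store.

```shell
#!/bin/sh
# Added example, not from the original tutorial: consistency checks for steps 5, 7 and 8.
# Assumptions: OpenSSL and GNU stat are installed; directives are one per line as in
# /etc/httpd/conf.d/ssl.conf; an optional trust-anchor file plays the role of the
# client's CA store.

# First active (uncommented) value of a directive. "#SSLCertificateChainFile ..." is
# skipped because the commented-out word does not equal the directive name.
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Check the configured chain the way a client would: the chain file is only
# *untrusted* intermediate material; the trust anchor comes from the client's
# store ($3, or the system CA store when $3 is empty).
chain_verifies() {
    crt="$1"; chain="$2"; anchor="$3"
    if [ -n "$anchor" ]; then
        openssl verify -CAfile "$anchor" -untrusted "$chain" "$crt" >/dev/null 2>&1
    else
        openssl verify -untrusted "$chain" "$crt" >/dev/null 2>&1
    fi
}

# Audit one config file. Usage: audit_ssl_conf /etc/httpd/conf.d/ssl.conf [trust-anchor.pem]
# Returns 0 when every check passes; otherwise prints the first failing check and returns 1.
audit_ssl_conf() {
    conf="$1"; anchor="${2:-}"
    crt=$(conf_value "$conf" SSLCertificateFile)
    key=$(conf_value "$conf" SSLCertificateKeyFile)
    chain=$(conf_value "$conf" SSLCertificateChainFile)
    [ -n "$crt" ] && [ -n "$key" ] || { echo "SSLCertificateFile or SSLCertificateKeyFile missing"; return 1; }
    [ -r "$crt" ] && [ -r "$key" ] || { echo "certificate or key file not readable"; return 1; }
    # The tutorial's ls output shows the key as 644; anything beyond owner access exposes it.
    mode=$(stat -c %a "$key")
    case "$mode" in
        600|400) ;;
        *) echo "$key has mode $mode, expected 600"; return 1 ;;
    esac
    # Same public key in both files: hash the DER-encoded SubjectPublicKeyInfo of each.
    k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$crt" -noout -pubkey | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ] || { echo "private key does not match certificate"; return 1; }
    # -checkend 0 fails when the certificate is already expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || { echo "certificate has expired"; return 1; }
    if [ -n "$chain" ]; then
        chain_verifies "$crt" "$chain" "$anchor" || { echo "chain in $chain does not verify $crt"; return 1; }
    fi
    echo "ok: $crt"
}

# Step 7 from the command line: SHA-256 fingerprint of the certificate a running server
# presents, to compare with "openssl x509 -noout -fingerprint -sha256 -in linuxgravity.com.crt".
# Usage: served_cert_fingerprint localhost:443
served_cert_fingerprint() {
    host="${1%%:*}"
    openssl s_client -connect "$1" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}
```

The chain check passes the intermediate file with -untrusted on purpose: an intermediate that is not itself trusted, together with a root the client already has, is exactly the situation a browser is in, so a configuration that passes here with the system store as anchor will not produce the "untrusted issuer" warning from step 7.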
Note: The location and names of the key and certificate files are unimportant as long as the paths in ssl.conf are correct and the private key is secured.