Securing the Apache server is one of the most important tasks of the webmaster. In this example, we will show you how to use ssl keys with your Apache web server.
Create Certificates
Change to the following directory:
# cd /etc/pki/tls/cert
Run the following command to make server key file:
[root@unixmen-Centos64 certs]# make server.key umask 77 ; \ /usr/bin/openssl genrsa -aes128 2048 > server.key Generating RSA private key, 2048 bit long modulus ..................+++ ..........................................+++ e is 65537 (0x10001) Enter pass phrase: Verifying - Enter pass phrase:
Remove passphrase from private key:
[root@unixmen-Centos64 certs]# openssl rsa -in server.key -out server.key Enter pass phrase for server.key: writing RSA key
Generate CSR key file
[root@unixmen-Centos64 certs]# make server.csr umask 77 ; \ /usr/bin/openssl req -utf8 -new -key server.key -out server.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:NL State or Province Name (full name) []:Amsterdam Locality Name (eg, city) [Default City]:Amsterdam Organization Name (eg, company) [Default Company Ltd]:Unixmen Organizational Unit Name (eg, section) []:Unixmen Common Name (eg, your name or your server's hostname) []:Centos6-Unixmen Email Address []:webmaster@unixmen.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@unixmen-Centos64 certs]#
Sign the key and make Expiration days:
[root@unixmen-Centos64 certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 10000 Signature ok subject=/C=NL/ST=Amsterdam/L=Amsterdam/O=Unixmen/OU=Unixmen/CN=Centos6-Unixmen/emailAddress=webmaster@unixmen.com Getting Private key [root@unixmen-Centos64 certs]#
Configure SSL keys with Apache
# yum -y install httpd mod_ssl
Configure ‘/etc/httpd/conf.d/ssl.conf’
Your ssl.conf should be like this:
[root@unixmen-Centos64 conf.d]# cat /etc/httpd/conf.d/ssl.conf | grep -v "#"
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName 127.0.0.1:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/certs/server.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
[root@unixmen-Centos64 conf.d]#
Restart Apache
Check if the ports 80 and 443 are listening:
[root@unixmen-Centos64 conf.d]# netstat -an | grep 443 tcp 0 0 :::443 :::* LISTEN [root@unixmen-Centos64 conf.d]# netstat -an | grep 80 tcp 0 0 :::80 :::* LISTEN unix 3 [ ] STREAM CONNECTED 12580 [root@unixmen-Centos64 conf.d]#
Allow the ports 80 and 443 via iptables:
vi /etc/sysconfig/iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT Reload and restart iptables
Restart ip tables:
service iptables restart
Open the browser and Check https://IP-Address.
