In order to secure your web server traffic you need to enable SSL.
This encrypts the traffic between the server and the client.
It is done by installing an SSL certificate on the web server and configuring the web server to serve its content over SSL.

For this guide I am using RHEL 5.3 64bit and Apache.

  1. Install mod_ssl and openssl-devel
  2. Generate a Private Key for the Web Server
  3. Generate a Certificate Signing Request
  4. Generating a Self Signed Certificate
  5. Installing the Private Key and Certificate into your Apache webserver
  6. Enable Virtual Hosts configuration files
  7. Configure the SSL Virtual Host configuration file
  8. Restart Apache


1. Install mod_ssl and openssl-devel

mod_ssl is an optional Apache module that provides SSL/TLS support using the OpenSSL cryptographic library. For more information, see the mod_ssl documentation.

[root@server]# yum install mod_ssl openssl-devel

Copy the mod_ssl.so file to the Apache modules directory if the installation did not place it there.

[root@server modules]# cp /usr/lib64/httpd/modules/mod_ssl.so /usr/local/apache2/modules/mod_ssl.so


2. Generate a Private Key for the Web Server

The following command creates a 1024-bit RSA private key encrypted with Triple DES. It will ask for a passphrase; I entered something temporary because I will remove it afterwards, as I don't want to enter it every time Apache is restarted. Removing the passphrase also removes the Triple DES encryption, so make sure that the private key cannot be read by anybody but you (root). It's a trade-off between security and convenience.

[root@server ~]# mkdir /root/ssl
[root@server ~]# cd /root/ssl/
[root@server ssl]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
………++++++
……………….++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: <secret>
Verifying - Enter pass phrase for server.key: <secret>

Remove the passphrase from the private key (this is optional; I do it to avoid being prompted every time Apache is restarted):

[root@server ssl]# cp server.key server.key.withpasswd
[root@server ssl]# openssl rsa -in server.key.withpasswd -out server.key
Enter pass phrase for server.key.withpasswd:
writing RSA key


3. Generate a Certificate Signing Request

The CSR is what you will send to a Certificate Authority, such as Verisign, Digicert, etc. They will verify the information and if valid they will send you a signed certificate to install in your webserver. (For a fee of course)

[root@server ssl]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:New York
Locality Name (eg, city) [Newbury]:NYC
Organization Name (eg, company) [My Company Ltd]:example
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:server.example.org
Email Address []:admin@example.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


4. Generating a Self Signed Certificate

For a production website you should use a certificate signed by a trusted certificate authority. Otherwise clients will get a warning stating that they should not trust your website.

For testing purposes, or if you don't feel like paying a Certificate Authority (CA) for a signed certificate, you can generate your own self-signed certificate. The connection is encrypted exactly as with a CA-signed certificate, but because no trusted CA signed it, clients will get a warning stating that they should not trust your website.

The following command will generate a Self Signed Certificate that is valid for 10968 days (3 years)

[root@server ssl]# openssl x509 -req -days 10968 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=US/ST=New York/L=NYC/O=EXAMPLE/OU=IT/CN=server.cpg.org/emailAddress=admin@example.org
Getting Private key


5. Installing the Private Key and Certificate into your Apache webserver

Just copy the .crt and .key file to a location accessible to Apache.

The .crt file is either the CA signed certificate or self signed certificate.

[root@server ssl]# cp server.crt /usr/local/apache2/conf/
[root@server ssl]# cp server.key /usr/local/apache2/conf/
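The following script is an added example, not part of the original guide: it runs steps 2 to 4 non-interactively (the Distinguished Name is passed with -subj instead of being typed at the prompts) and then checks what the guide leaves unchecked, namely that the certificate really belongs to the private key, that the Common Name is the one requested, and that the key file is readable only by its owner, which is what a passphrase-free key depends on. It assumes the openssl CLI is on the PATH and uses a 2048-bit key rather than the 1024-bit key in the guide; the directory, hostname and subject fields are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original guide). Assumes the openssl CLI is
# installed; file names match those used in the guide (server.key/.csr/.crt).

# Generate a passphrase-free RSA key, a CSR and a self-signed certificate
# for hostname $2, valid for $3 days, inside directory $1.
make_selfsigned() {
    dir=$1; host=$2; days=$3
    mkdir -p "$dir"
    # umask 077 makes openssl create the key readable by the owner only.
    (umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null)
    # Subject fields mirror the guide's answers; constructed for this example.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=New York/L=NYC/O=example/OU=IT/CN=$host" 2>/dev/null
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Return 0 only if the certificate's public key matches the private key
# (same RSA modulus), the subject CN is $2, and the key is mode 0600.
verify_pair() {
    dir=$1; host=$2
    kmod=$(openssl rsa -noout -modulus -in "$dir/server.key" | openssl sha256)
    cmod=$(openssl x509 -noout -modulus -in "$dir/server.crt" | openssl sha256)
    [ "$kmod" = "$cmod" ] || { echo "key and certificate do not match"; return 1; }
    openssl x509 -noout -subject -in "$dir/server.crt" | grep -q "CN *= *$host" \
        || { echo "certificate subject does not contain CN=$host"; return 1; }
    # GNU stat first, BSD/macOS stat as fallback.
    perms=$(stat -c %a "$dir/server.key" 2>/dev/null || stat -f %Lp "$dir/server.key")
    [ "$perms" = "600" ] || { echo "server.key is readable by others (mode $perms)"; return 1; }
    echo "ok: key, certificate and permissions check out"
}
```

Run it as make_selfsigned /root/ssl server.example.org 365 && verify_pair /root/ssl server.example.org; the verify_pair check is also worth running against a CA-signed server.crt before copying it into the Apache conf directory.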


6. Enable Virtual Hosts configuration files

In the Apache main configuration file, enable the inclusion of virtual host files if it is not enabled by default. You can include a single file or use a wildcard (e.g. conf/*.conf):

Include conf/extra/httpd-ssl.conf


7. Configure the SSL Virtual Host configuration file

[root@server extra]# cat /usr/local/apache2/conf/extra/httpd-ssl.conf
LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300
SSLMutex  "file:/usr/local/apache2/logs/ssl_mutex"

<VirtualHost _default_:443>
    DocumentRoot "/usr/local/apache2/htdocs"
    ServerName server.example.org:443
    ServerAdmin admin@example.org
    ErrorLog "/usr/local/apache2/logs/error_ssl_log"
    TransferLog "/usr/local/apache2/logs/access_ssl_log"
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "/usr/local/apache2/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/usr/local/apache2/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog "/usr/local/apache2/logs/ssl_request_log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
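As an added check that is not part of the original configuration, the shell functions below audit an SSLCipherSuite value such as the one in this httpd-ssl.conf: in an OpenSSL cipher string only a leading '!' permanently excludes a family, while '+' merely reorders ciphers that are already enabled, so the string above still leaves the LOW, export, RC4 and SSLv2 ciphers negotiable. The weak-family list and the hardened string used in the test are my choices, not settings from the guide.

```shell
#!/bin/sh
# Added example (not from the original guide): flag weak cipher families in
# Apache SSLCipherSuite values. Only '!' removes a family for good; '+' only
# reorders already-enabled ciphers and '-' deletes them until a later token
# adds them back, so "+LOW" or "+EXP" keeps those ciphers available.

# Cipher families that should not be negotiable on a public web server.
WEAK_FAMILIES='eNULL aNULL ADH EXP EXPORT EXPORT40 EXPORT56 LOW SSLv2 RC4 MD5 DES'

# The SSLCipherSuite value from the httpd-ssl.conf above, kept as sample input.
SAMPLE_SUITE='ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'

# Prints each token that keeps a weak family enabled; returns 1 if any found.
audit_cipher_suite() {
    found=0
    for token in $(printf '%s' "$1" | tr ':' ' '); do
        case $token in
            '!'*|'-'*) continue ;;   # excluded or deleted; a later re-add is still caught
        esac
        # Split compound tokens such as RC4+RSA (a leading '+' becomes a blank).
        for fam in $(printf '%s' "$token" | tr '+' ' '); do
            for weak in $WEAK_FAMILIES; do
                [ "$fam" = "$weak" ] && { echo "weak: $token (enables $weak)"; found=1; }
            done
        done
    done
    return $found
}

# Audits every SSLCipherSuite directive in an Apache config file ($1).
audit_conf() {
    rc=0
    for suite in $(sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]*//p' "$1" | tr -d '"'); do
        audit_cipher_suite "$suite" || rc=1
    done
    return $rc
}
```

Running audit_conf /usr/local/apache2/conf/extra/httpd-ssl.conf on the file above reports the RC4+RSA, +LOW, +SSLv2, +EXP and +eNULL tokens.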


8. Restart Apache

[root@server modules]# service httpd restart